This tutorial will show how you can su into user accounts without needing to provide a password. By default, only the root user is capable of using su to other user accounts without needing to provide the target user account's password; failing to provide the right password results in an "Authentication failure" warning, as shown below.

    su - userb
    Password:
    su: Authentication failure
Pluggable Authentication Modules
PAM, short for Pluggable Authentication Modules, is at the core of user authentication in almost all modern Linux distributions. PAM can be configured to deny certain programs the right to authenticate users, to only allow certain users to be authenticated, to warn when certain programs attempt to authenticate, or even to deprive all users of login privileges. So, basically, PAM gives us complete control over how users are authenticated.
To allow usera to su to userb's user account without a password, we must modify the PAM settings of su by editing the /etc/pam.d/su file:

    sudo vim /etc/pam.d/su

Add the following two lines (the last two below) right after the auth sufficient pam_rootok.so line.

    #
    # The PAM configuration file for the Shadow `su' service
    #

    # This allows root to su without passwords (normal operation)
    auth       sufficient pam_rootok.so
    auth       [success=ignore default=1] pam_succeed_if.so user = userb
    auth       sufficient pam_succeed_if.so use_uid user = usera
The first line checks whether the target user is userb. If it is, nothing happens (success=ignore) and evaluation continues with the second line. If the target is not userb, the second line is skipped (default=1 jumps over one line) and the lines that come after these two are evaluated as usual.

The second line checks whether the user running su is usera (use_uid makes pam_succeed_if test the caller's real user ID rather than the target account). If it is, the module succeeds and, because the control is sufficient, the authentication is considered successful right there; if it is not, nothing happens and the lines that come after these two are evaluated as usual.
Now, with the current configuration, we can easily switch from usera to userb with the su command. But we still can't su from userb to usera.
To make the authentication process succeed whenever the current and target users are in the same group (friends), the lines in our /etc/pam.d/su file look like this:

    #
    # The PAM configuration file for the Shadow `su' service
    #

    # This allows root to su without passwords (normal operation)
    auth       sufficient pam_rootok.so
    auth       [success=ignore default=1] pam_succeed_if.so user ingroup friends
    auth       sufficient pam_succeed_if.so use_uid user ingroup friends
With this, we can use su to switch between usera and userb, or any other user in the friends group, without needing to provide their user password.
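As an added example (not code from the original tutorial), the following Python script models the PAM auth-stack semantics described above: the [success=ignore default=1] jump, sufficient, and pam_succeed_if's `user =`, `user ingroup` and use_uid tests. It then walks both configurations from this page to show which caller/target pairs get through without a password. The group database (GROUPS) and the trailing `@include common-auth` line standing in for the rest of the su stack are constructed assumptions, and the script covers only the modules and controls that appear on this page.

```python
"""Model of the PAM auth-stack control flow the tutorial relies on.
Added example, not code from the original tutorial: it covers only pam_rootok.so,
pam_succeed_if.so (`user = NAME`, `user ingroup GROUP`, use_uid) and the controls
used on the page. Any other module, and @include, counts as "a password is asked here".
"""

GROUPS = {"friends": {"usera", "userb"}}  # constructed stand-in for /etc/group

# PAM's documented expansions of the keyword controls used on the page.
SIMPLE_CONTROLS = {
    "sufficient": {"success": "done", "default": "ignore"},
    "required": {"success": "ok", "default": "bad"},
}

# The tutorial's two configurations, each followed by a constructed stand-in
# for the rest of a Debian-style su stack (the normal password check).
SU_USER_CFG = """\
auth sufficient pam_rootok.so
auth [success=ignore default=1] pam_succeed_if.so user = userb
auth sufficient pam_succeed_if.so use_uid user = usera
@include common-auth
"""
SU_GROUP_CFG = """\
auth sufficient pam_rootok.so
auth [success=ignore default=1] pam_succeed_if.so user ingroup friends
auth sufficient pam_succeed_if.so use_uid user ingroup friends
@include common-auth
"""


def _tokenize(line):
    """Split a pam.d line, keeping '[success=ignore default=1]' as one token."""
    out, buf = [], None
    for tok in line.split():
        if buf is not None:
            buf += " " + tok
            if tok.endswith("]"):
                out, buf = out + [buf], None
        elif tok.startswith("[") and not tok.endswith("]"):
            buf = tok
        else:
            out.append(tok)
    return out


def parse_auth_stack(text):
    """Return [(control_dict, module, args)] for the auth lines of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        tokens = _tokenize(raw.split("#", 1)[0])
        if not tokens:
            continue
        if tokens[0] == "@include":  # the included stack is modelled as one required module
            stack.append((SIMPLE_CONTROLS["required"], "@include", tokens[1:]))
        elif tokens[0] == "auth":
            control = tokens[1]
            if control.startswith("["):  # explicit [value=action ...] form
                control = dict(kv.split("=", 1) for kv in control.strip("[]").split())
            else:
                control = SIMPLE_CONTROLS[control]
            stack.append((control, tokens[2], tokens[3:]))
    return stack


def _module_succeeds(module, args, caller, target):
    """True if the module would return success without prompting for a password."""
    if module == "pam_rootok.so":
        return caller == "root"
    if module != "pam_succeed_if.so":
        return False  # pam_unix.so, @include, ...: a password would be required
    # use_uid: evaluate the conditions against the real uid running su, not the target.
    subject = caller if "use_uid" in args else target
    conds = [a for a in args if a != "use_uid"]
    for field, op, value in zip(conds[0::3], conds[1::3], conds[2::3]):
        if field != "user" or op not in ("=", "ingroup"):
            raise NotImplementedError(f"condition {field} {op} not modelled")
        ok = subject == value if op == "=" else subject in GROUPS.get(value, set())
        if not ok:
            return False  # every condition must hold
    return True


def auth_without_password(cfg_text, caller, target):
    """Walk the auth stack as libpam does; True if it succeeds before any password prompt."""
    failed = succeeded = False
    stack, i = parse_auth_stack(cfg_text), 0
    while i < len(stack):
        control, module, args = stack[i]
        key = "success" if _module_succeeds(module, args, caller, target) else "default"
        action = control.get(key, control.get("default", "bad"))
        if action == "done" and not failed:
            return True  # `sufficient` on success: authenticated, stop here
        if action == "bad":
            failed = True
        elif action == "ok":
            succeeded = not failed
        elif action not in ("ignore", "done"):
            i += int(action)  # numeric action: skip that many following lines
        i += 1
    return succeeded and not failed
```

Calling auth_without_password(SU_USER_CFG, "usera", "userb") returns True while the reverse direction returns False, matching the behaviour described above; with SU_GROUP_CFG every member of friends reaches every other member, and anyone outside the group still hits the password check. That last point is worth keeping in mind when reviewing such a change: once the group rule is in place, membership of friends is equivalent to holding the passwords of all of its members, so changes to that group's membership deserve the same scrutiny as those accounts' credentials.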