Use su without needing a password

I recently needed to su into a user that exists only to run an application, without typing a password. I normally create such application users without any password at all, because nobody should ever be able to log in as them. The catch is that unless you are root (or go through sudo), su prompts for the target user's password, and an account that was never given one has no password that could satisfy that prompt. I found a neat trick which I want to share with you: it uses Pluggable Authentication Modules, or PAM for short. Edit the PAM configuration for su, which lives in /etc/pam.d/su, and add the following two lines directly after the pam_rootok.so line:

auth  [success=ignore default=1] pam_succeed_if.so user = user
auth  sufficient                 pam_succeed_if.so use_uid user = adminuser

If you want to allow a whole group of users, rather than a single user, to su into the account named in the first line, use

auth sufficient pam_succeed_if.so use_uid user ingroup admins

for the second line. In this example the group is called admins, adminuser is the user who will su into the other account, and user is the account being su'ed into. The first line is a guard: pam_succeed_if checks the target account, and if it is user the result is ignored and PAM continues with the next line; for any other target PAM skips the next line (default=1), so the shortcut never applies to anything but that one account. The second line is marked sufficient, so if its test passes, authentication succeeds right there and no password is asked for. The use_uid option is what makes that second test apply to the calling user's real uid instead of the target account; without it pam_succeed_if would be checking whether the target account is adminuser or belongs to admins, which is not what you want. The finished file should now look like this:


#
# The PAM configuration file for the Shadow `su' service
#

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so
auth  [success=ignore default=1] pam_succeed_if.so user = user
auth sufficient pam_succeed_if.so use_uid user ingroup admins
...
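To see how the three lines interact, here is a small model of that stack, added for this post (it is not the post's own code and not Linux-PAM's). It parses the auth lines, applies the control flags the way pam.conf(5) defines them (sufficient and friends are shorthand for success=/default= pairs), evaluates pam_rootok.so and the user conditions of pam_succeed_if.so, and reports whether a given caller would reach the password prompt when switching to a given target. The pam_unix.so line at the bottom stands in for the rest of the real file (on Debian that is the @include common-auth stack); the users alice, bob and postgres and their group memberships are made up for the demonstration.

```python
"""Toy model of the su auth stack shown above.

Added example, not code from the original post or from Linux-PAM. It models
only what the stack needs: the control flags sufficient, required, requisite
and optional in their [success=... default=...] form, pam_rootok.so, and the
'user' conditions of pam_succeed_if.so. Everything after the added lines is
stood in for by a single pam_unix.so line that marks the point where su would
prompt for a password (an assumption; the real file includes common-auth).
"""

SU_PAM = """\
# The PAM configuration file for the Shadow `su' service
auth       sufficient pam_rootok.so
auth  [success=ignore default=1] pam_succeed_if.so user = user
auth sufficient pam_succeed_if.so use_uid user ingroup admins
auth required pam_unix.so
"""

# Same stack with use_uid dropped from the group line, to show the pitfall.
NO_USE_UID = SU_PAM.replace("use_uid ", "")

# The classic keywords are shorthand for these action pairs (see pam.conf(5)).
KEYWORDS = {
    "sufficient": {"success": "done", "default": "ignore"},
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "optional": {"success": "ok", "default": "ignore"},
}


def parse_stack(text):
    """Return [(control, module, args)] for the auth lines of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("auth"):
            continue                     # comments, @include, other stacks
        rest = line[len("auth"):].strip()
        if rest.startswith("["):
            control_text, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=") for kv in control_text.split())
        else:
            keyword, rest = rest.split(None, 1)
            control = KEYWORDS[keyword]
        module, *args = rest.split()
        stack.append((control, module, args))
    return stack


def succeed_if(args, caller, target, groups):
    """pam_succeed_if.so, 'user' field only: conditions apply to the target
    account (PAM_USER), or to the calling user's real uid when use_uid is set."""
    subject = caller if "use_uid" in args else target
    tokens = [a for a in args if a != "use_uid"]
    for field, op, value in zip(tokens[0::3], tokens[1::3], tokens[2::3]):
        if field != "user":
            raise ValueError("only the 'user' field is modelled")
        member = value in groups.get(subject, set())
        holds = {"=": subject == value, "!=": subject != value,
                 "ingroup": member, "notingroup": not member}[op]
        if not holds:
            return False
    return True


def run_auth(text, caller, target, groups):
    """Walk the auth stack the way libpam's dispatcher does.

    Returns 'nopass' if the stack succeeds before reaching pam_unix.so,
    'password' if it reaches pam_unix.so (su would prompt), and 'denied' if
    a required module failed first. groups maps user -> set of group names.
    """
    stack = parse_stack(text)
    i, failed, vouched = 0, False, False
    while i < len(stack):
        control, module, args = stack[i]
        if module == "pam_unix.so":
            return "denied" if failed else "password"
        if module == "pam_rootok.so":
            result = caller == "root"
        elif module == "pam_succeed_if.so":
            result = succeed_if(args, caller, target, groups)
        else:
            raise ValueError("unmodelled module " + module)
        action = control["success" if result else "default"]
        if action == "done":
            return "denied" if failed else "nopass"
        if action == "die":
            return "denied"
        if action == "bad":
            failed = True
        elif action == "ok":
            vouched = True
        elif action != "ignore":
            i += int(action)         # a number N skips the next N modules
        i += 1
    return "nopass" if vouched and not failed else "denied"


if __name__ == "__main__":
    admins = {"alice": {"admins"}}           # constructed: alice is in admins
    for stack, who, into, grp in [
        (SU_PAM, "root", "postgres", admins),
        (SU_PAM, "alice", "user", admins),
        (SU_PAM, "bob", "user", admins),
        (SU_PAM, "alice", "postgres", admins),
        # the pitfall: without use_uid the group test hits the target account,
        # so if the service account itself is in admins, anybody gets in
        (NO_USE_UID, "bob", "user", {"user": {"admins"}}),
    ]:
        print(f"{who:>6} -> {into:<9} {run_auth(stack, who, into, grp)}")
```

Running it shows root and alice (a member of admins) switching to user without a password, bob being prompted, alice being prompted for any account other than user because the guard line skips the group line, and, with use_uid removed, bob getting into user for free as soon as the service account itself happens to be in admins. That last case is why use_uid belongs on the second line.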

Now members of admins (or adminuser, in the single-user variant) can su into the service account without ever being asked for a password, which is handy if you don't want to give your service accounts a password at all. Be clear about what this buys you: the service account has no password to guess or leak, but anyone who gets hold of an admins member's session inherits it, and root could always switch to it through pam_rootok.so anyway. The added lines only change the auth stack; the account and session stacks in the same file still apply as before.
