FreeBSD – How to grant su access to wheel without asking for password on FreeBSD

Tags: authentication, freebsd, pam, su

I would like to grant users of the wheel group (other sysadmins) su access without being asked for a password.

I know how to do it with PAM on Linux, but the question now is for FreeBSD. I am not familiar with the syntax for FreeBSD's PAM subsystem. What shall I enter in /etc/pam.d/su instead of the default:

auth         sufficient   pam_rootok.so   no_warn
auth         sufficient   pam_self.so     no_warn
auth         requisite    pam_group.so    no_warn group=wheel root_only fail_safe ruser
auth         include      system

# account
account      include      system

# session
session      required     pam_permit.so

Best Answer

I did some trial and error, and the solution for me seems to be this:

# auth
auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe ruser
auth            sufficient      pam_group.so            no_warn group=wheel root_only fail_safe ruser
auth            include         system

# account
account         include         system

# session
session         required        pam_permit.so

This allows members of the wheel group to su without a password, but disallows non-members. (I think the two lines can be consolidated into one, but I did not bother that much.)
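
The following is an added example, not part of the original question or answer: a simplified Python model of how the control flags (sufficient, requisite, required) decide the outcome of the default stack and of the answer's stack for su to root. The user names, the wheel membership and the single password step standing in for "auth include system" are assumptions made for illustration.

```python
# Added example: simplified model of an OpenPAM auth chain for `su` to root.
# Group membership, user names and the one-step "system" check are constructed.
WHEEL = {"root", "alice"}

def pam_rootok(ctx):
    return ctx["ruser"] == "root"            # caller is already the superuser

def pam_self(ctx):
    return ctx["ruser"] == ctx["target"]     # su to your own account

def pam_group(ctx):
    # group=wheel ruser fail_safe; root_only is moot because target is root.
    # fail_safe: a missing or empty group counts as "applicant is a member".
    return not ctx["wheel"] or ctx["ruser"] in ctx["wheel"]

def system(ctx):
    return ctx["password_ok"]                # stand-in for "auth include system"

DEFAULT = [("sufficient", pam_rootok), ("sufficient", pam_self),
           ("requisite", pam_group), ("required", system)]
# The answer's stack: one extra "sufficient pam_group" line before the include.
ANSWER = DEFAULT[:3] + [("sufficient", pam_group)] + DEFAULT[3:]

def evaluate(chain, ctx):
    failed = False
    for control, module in chain:
        ok = module(ctx)
        if control == "sufficient" and ok and not failed:
            return True                      # chain ends here, access granted
        if control == "requisite" and not ok:
            return False                     # chain ends here, access denied
        if control == "required" and not ok:
            failed = True                    # keep going, but deny at the end
    return not failed

def su_root(chain, ruser, password_ok=False, wheel=WHEEL):
    ctx = {"ruser": ruser, "target": "root",
           "password_ok": password_ok, "wheel": wheel}
    return evaluate(chain, ctx)

if __name__ == "__main__":
    for name, chain in (("default", DEFAULT), ("answer", ANSWER)):
        print(name, "alice, no password:", su_root(chain, "alice"))
        print(name, "bob, root password:", su_root(chain, "bob", True))
        print(name, "bob, empty wheel:  ", su_root(chain, "bob", wheel=set()))
```

Because fail_safe is also present on the added sufficient line, a missing or empty wheel group makes that line succeed for every user, so the answer's stack then grants root without a password. Keeping wheel populated, or leaving fail_safe off the sufficient line, avoids that outcome.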