Allow user1 to "su - user2" without password

Add the following lines underneath the pam_rootok.so line in your /etc/pam.d/su:

auth  [success=ignore default=1] pam_succeed_if.so user = martin-test
auth  sufficient                 pam_succeed_if.so use_uid user = martin

These lines perform checks using the pam_succeed_if.so module. See also the Linux-PAM configuration file syntax to learn more about the auth lines.

  • The first line checks whether the target user is martin-test. If it is, nothing happens (success=ignore) and we continue on the next line to check the current user. If it is not, the next line is skipped (default=1) and we continue on the subsequent lines with the usual authentication steps.
  • The second line checks whether the current user is martin. If it is, the system considers the authentication successful and returns (sufficient); if it is not, nothing happens and we continue on the subsequent lines with the usual authentication steps.

You can also restrict su to a group; here the group allowedpeople can su without a password:

auth sufficient pam_succeed_if.so use_uid user ingroup allowedpeople
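An added example, not taken from the answers above: a small shell script that puts the two-line pam_succeed_if rule directly under the pam_rootok.so line of a /etc/pam.d/su-style file and then checks that it landed where the stack logic needs it (the two lines adjacent, because default=1 skips exactly one module; after pam_rootok.so; and before the modules that would prompt for a password). The file path is a parameter, so rehearse it on a copy before touching the real /etc/pam.d/su, and keep a root shell open while you do. The caller condition is also a parameter, so it covers both the per-user form (user = martin) and the group form (user ingroup allowedpeople). Note that the group line on its own, as posted above, succeeds for every target user, root included, because nothing in front of it checks the target; pairing it with the success=ignore line limits it to one target. The sample file contents are constructed here in the shape of Debian's /etc/pam.d/su and are not from the original page.

```shell
#!/bin/sh
# Added example, not from the answers above. Manages the pam_succeed_if
# "su without password" rule in a /etc/pam.d/su-style file.

# verify_su_rule FILE TARGET CALLER_PREDICATE
# CALLER_PREDICATE is the pam_succeed_if test on the calling user, e.g.
# "user = martin" or "user ingroup allowedpeople".
# Prints: ok         both lines present and adjacent, after pam_rootok.so,
#                    before any other auth module or @include
#         missing    one or both lines absent
#         misplaced  present but not adjacent or in the wrong position
verify_su_rule() {
    awk -v target="$2" -v pred="$3" '
        BEGIN { want = "use_uid " pred }
        /^auth[ \t]/ && /pam_rootok\.so/ && !rootok { rootok = NR; next }
        # target line: "... pam_succeed_if.so user = TARGET" (no use_uid)
        /^auth[ \t]/ && /pam_succeed_if\.so/ && !/use_uid/ && NF >= 6 &&
            $(NF-2) == "user" && $(NF-1) == "=" && $NF == target { tl[NR] = 1; seen_t = 1; next }
        # caller line: "... pam_succeed_if.so use_uid PREDICATE"
        /^auth[ \t]/ && /pam_succeed_if\.so/ &&
            substr($0, length($0) - length(want) + 1) == want {
                seen_c = 1
                if (tl[NR-1] && !pair) pair = NR - 1     # pair = line number of the target line
                next
            }
        # anything else that authenticates: the rule must come before it
        (/^auth[ \t]/ || /^@include/) && !/pam_succeed_if\.so/ && !first_other { first_other = NR }
        END {
            if (!seen_t || !seen_c)                    print "missing"
            else if (!pair)                            print "misplaced"  # not adjacent: default=1 skips the wrong module
            else if (rootok && pair < rootok)          print "misplaced"  # must follow pam_rootok.so
            else if (first_other && pair > first_other) print "misplaced" # the password prompt would run first
            else                                       print "ok"
        }' "$1"
}

# add_su_rule FILE TARGET CALLER_PREDICATE
# Inserts the two lines under the first pam_rootok.so auth line.
# No-op if the rule is already in place; refuses if a misplaced copy exists.
add_su_rule() {
    case $(verify_su_rule "$1" "$2" "$3") in
        ok) return 0 ;;
        misplaced) echo "add_su_rule: a rule for $2 exists in $1 but is misplaced; fix it by hand" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    awk -v target="$2" -v pred="$3" '
        { print }
        !inserted && /^auth[ \t]/ && /pam_rootok\.so/ {
            # keep these two lines together: default=1 skips exactly one module
            printf "auth  [success=ignore default=1] pam_succeed_if.so user = %s\n", target
            printf "auth  sufficient                 pam_succeed_if.so use_uid %s\n", pred
            inserted = 1
        }
        END { if (!inserted) exit 1 }' "$1" > "$tmp" || {
            rm -f "$tmp"; echo "add_su_rule: no pam_rootok.so auth line in $1" >&2; return 1; }
    cat "$tmp" > "$1"      # rewrite in place so owner and mode of FILE are kept
    rm -f "$tmp"
}

# Constructed sample in the shape of Debian's /etc/pam.d/su (not a real system file).
sample_su_file() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
auth       sufficient pam_rootok.so
# auth       required   pam_wheel.so
session    required   pam_env.so readenv=1
@include common-auth
@include common-account
@include common-session
EOF
    echo "$f"
}

f=$(sample_su_file)
echo "before: $(verify_su_rule "$f" martin-test "user = martin")"
add_su_rule "$f" martin-test "user = martin"
echo "after:  $(verify_su_rule "$f" martin-test "user = martin")"
cat "$f"
rm -f "$f"
```

Running it once more on the same file changes nothing, and putting the two lines at the end of the file (after the @include lines) is reported as misplaced, which is the mistake that leaves you with a password prompt even though the rule "is there".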

If you don't want to change groups or use sudo, you can use the PAM module pam_exec to execute an external script in a PAM stage.

Add a line in your /etc/pam.d/su after the pam_rootok.so line:

auth       sufficient pam_exec.so quiet /path/to/script

/path/to/script has the permissions 755 (rwxr-xr-x) and the following content:

#!/bin/bash
# pam_exec hands the PAM items to the script as environment variables:
#   PAM_TYPE  - the stack being run (auth, account, password, open_session, close_session)
#   PAM_USER  - the user being authenticated (the su target)
#   PAM_RUSER - the user who invoked su
# Exit status 0 tells pam_exec the module succeeded; anything else is a failure.
if [ "$PAM_TYPE" = "auth" ] && \
   [ "$PAM_USER" = "martin-test" ] && \
   [ "$PAM_RUSER" = "martin" ]; then
  exit 0
else
  exit 1
fi

So this script exits with success if su:

  • is called in the context of authentication,
  • the calling user is martin and
  • the user to authenticate is martin-test.

See:

martin@host:~$ su - martin-test
martin-test@host:~$ exit
martin@host:~$ su - otheruser
Password: ****
otheruser@host:~$ 

This might be the best possible way.
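An added example, not part of the answer above: a way to exercise a pam_exec hook outside of PAM before wiring it into /etc/pam.d/su. pam_exec passes the PAM items to the script as environment variables and reads its exit status, so the hook can be driven by exporting PAM_TYPE, PAM_USER and PAM_RUSER by hand. The hook written below has the same logic as the answer's script (rewritten for POSIX sh); the stage and the user names martin and martin-test are the answer's, and the test cases are constructed here.

```shell
#!/bin/sh
# Added example, not from the original answer: test a pam_exec hook script
# by hand, the way pam_exec would run it.

# write_hook -> prints the path of an executable hook (mode 0755) with the
# same decision logic as the script in the answer.
write_hook() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#!/bin/sh
# pam_exec exports the PAM items that are set (PAM_TYPE, PAM_USER, PAM_RUSER,
# PAM_SERVICE, PAM_TTY, PAM_RHOST) into the environment.
# Exit 0 = success; anything else = failure. ${VAR-} keeps a missing variable
# from being an error so an unset PAM_RUSER simply fails the comparison.
if [ "${PAM_TYPE-}" = auth ] && [ "${PAM_USER-}" = martin-test ] && [ "${PAM_RUSER-}" = martin ]; then
    exit 0
fi
exit 1
EOF
    chmod 0755 "$f"
    echo "$f"
}

# run_hook SCRIPT TYPE USER [RUSER] -> prints allow or deny
# Runs the hook in a scrubbed environment (env -i) so nothing from the
# calling shell leaks in. Leave RUSER out to simulate a call where su could
# not determine the caller's login name, in which case pam_exec does not
# export PAM_RUSER at all.
run_hook() {
    if [ $# -ge 4 ]; then
        set -- env -i PATH="$PATH" PAM_SERVICE=su PAM_TYPE="$2" PAM_USER="$3" PAM_RUSER="$4" "$1"
    else
        set -- env -i PATH="$PATH" PAM_SERVICE=su PAM_TYPE="$2" PAM_USER="$3" "$1"
    fi
    if "$@" >/dev/null 2>&1; then echo allow; else echo deny; fi
}

hook=$(write_hook)
for c in "auth martin-test martin" "auth otheruser martin" \
         "auth martin-test alice" "account martin-test martin"; do
    echo "$c -> $(run_hook "$hook" $c)"      # word splitting of $c is intended
done
echo "auth martin-test (PAM_RUSER unset) -> $(run_hook "$hook" auth martin-test)"
rm -f "$hook"
```

Only the first case is allowed; a wrong caller, a wrong target, a different PAM stage, or a missing PAM_RUSER all fall through to the normal password prompt, because with `sufficient` a non-zero exit just hands over to the next module. Whoever can edit the hook decides who may su to whom, so keep the script owned by root and writable only by root.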

su is not meant to do that -- sudo is.

Open /etc/sudoers.d/custom and write the following:

user-a ALL=(user-b:user-b) NOPASSWD:ALL

This means: whenever user-a executes sudo -u user-b, let him through without asking for a password.

Another way

youruserid ALL = (username) NOPASSWD: ALL

Add it with visudo; then sudo -u username bash is like su - username.
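An added example that belongs to neither sudoers answer: a shell function that installs a drop-in like the ones above safely. It applies the rules sudo has for /etc/sudoers.d (a file whose name contains a '.' or ends in '~' is silently ignored; the mode should be 0440), validates the syntax with `visudo -c -f` before the file goes live, and writes through a temporary name so a half-written file is never picked up. The directory is a parameter so it can be rehearsed in a scratch directory; for real use run it as root with /etc/sudoers.d. The rule text is the one from the answer above; the file names and the broken rule are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the answers above: install a sudoers drop-in with
# the checks that keep a typo from locking you out of sudo.

# install_sudoers_dropin DIR NAME RULE...
# Prints: ok          syntax validated by visudo and installed
#         unchecked   installed, but visudo is not available on this machine
#         bad-name    sudo would ignore a file with this name; nothing written
#         invalid     visudo rejected the rule; nothing installed
install_sudoers_dropin() {
    dir=$1; name=$2; shift 2
    case $name in
        *.*|*~|"") echo bad-name; return 1 ;;
    esac
    # The temporary name contains a '.', so sudo ignores it if we die here.
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    printf '%s\n' "$@" > "$tmp"
    chmod 0440 "$tmp"
    status=unchecked
    if command -v visudo >/dev/null 2>&1; then
        # -c check only, -q quiet, -f operate on this file instead of /etc/sudoers
        if visudo -cqf "$tmp"; then
            status=ok
        else
            rm -f "$tmp"
            echo invalid
            return 1
        fi
    fi
    mv -f "$tmp" "$dir/$name"     # atomic rename: readers see old or new, never partial
    echo "$status"
}

d=$(mktemp -d)
echo "valid rule:   $(install_sudoers_dropin "$d" custom 'user-a ALL=(user-b:user-b) NOPASSWD:ALL')"
echo "bad file name: $(install_sudoers_dropin "$d" custom.conf 'user-a ALL=(user-b:user-b) NOPASSWD:ALL')"
echo "broken rule:  $(install_sudoers_dropin "$d" broken 'user-a ALL=(user-b NOPASSWD:ALL')"
ls -l "$d"
rm -rf "$d"
```

Once the drop-in is in place, `sudo -i -u username` is the closer match for `su - username`, since -i gives a login shell with the target user's environment rather than a bash started in the caller's.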