Home / server / Questions / 114244
Accepted
Jürgen A. Erhard
Asked: 2010-02-19 05:52:08 +0800 CST

How do I skip the OTP passphrase prompt for sudo but keep it for ssh?

  • 772

I've configured a server to support OTP (using opie) with ssh. What annoys me is that I get the OTP passphrase prompt even for root when doing sudo. How can I configure PAM to suppress it? Don't see a need for OTP locally.

System is Debian stable (lenny), with minor unstable/backports installed (nothing connected to PAM).

debian ssh sudo pam

1 Answers

  1. Best Answer

    I'm not sure if this is "the Debian way" to do it, but:

    You should have an /etc/pam.d/sudo file which specifies which PAM modules sudo will use for authentication (and other stuff) -- Find the module for your one-time password magic and comment it out. The lines you're looking for probably look something like:

    auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local

    On Debian systems a lot of PAM configurations reference common-* files -- If that's the case copy the contents of those files in place of the include directive.

    Sage advice: Launch screen & su to root inside it before you start editing so you have a root shell to fix stuff if you need it; Also obviously make a backup of the original file so you can get it back if you need to.

    • 2