Logging in with ‘su’ without entering a password
How can I log in with the su command in one line in the terminal? I know that the sudo command can do that:
echo [password] | sudo -S [command] echo [password] | su [username] I don’t have access to the sudo account (so I can’t access and edit the sudoers file). I know that the right syntax is basically:
What I want to do is to add a su command to aliases without being needed to enter password every time
If you have superuser rights anyway just give you sudo rights. Otherwise the fastest possible way to get a root shell via su is this: su —login , but you need to interactively enter the root password.
3 Answers 3
The correct answer is:
THIS IS DANGEROUS ! DO NOT DO THIS ! IT COMPLETELY BREAKS YOUR SECURITY .
But.
If you don’t care about security you can do it like this:
gcc main.c -o mysuidshell sudo chown root mysuidshell && sudo chmod u+s mysuidshell You can now create the alias that you mentinoed in the comment on LXGA’s answer:
Although it’s still terrible idea security-wise, you also have the extremely tiny advantage that your password is not somewhere visible in cleartext.
Depending on what you want to do you can change the code so that it can change to other users than root, run different shells, .
But you will be basically re-inventing the wheel ( su and sudo ) but less secure.
How can I log in with the su command in one line in the terminal?
This is for using sudo with not getting prompted for a password every time :
edit the /etc/sudoers file via visudo or sudo visudo
in RHEL/CentOS 7 at least, down at the bottom of the /etc/sudoers file you will see the COMMANDS section. Specifically this:
## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL by default. for RHEL/CentOS I can’t speak for other linux distro’s on how they may make use of this. simply comment out the first with # and put into effect the line having the NOPASSWD: ALL syntax. Or enter this syntax.
The %wheel means those accounts in the wheel group as defined in /etc/group . You can add a line and make it %users for example to allow any account in the users group this no password functionality, if you use the users group (with gid 100) in that manner.
For the How can I of being just you, the %wheel syntax with the % means wheel is a group. To specify a specific user account, just remove the % and use a user account in place of the group name. For example:
## Allow root to run any commands anywhere root ALL=(ALL) ALL simply do this if your user account name is abc123
abc123 ALL=(ALL) NOPASSWD: ALL and best to put this at the bottom of the file so that if said user account is also part of wheel group and that is in effect above that statement doesn’t override and undo this if you put this user statement at the top of the file.
I do not know how to undo the password prompt of using su in the above manner but
what you can do is sudo su and not get prompted for password, along with doing sudo su and su’ing to the root account without a password.
What I’ve described is the best way I know on how to gain no password prompting functionality while maintaining decent security at the same time. the /etc/sudoers file is the security focal point here.
The file permissions of /etc/sudoers should be root for both owner and group with -r—r—— permissions or 440.
note: using abc123 ALL=(ALL) NOPASSWD: ALL will allow that user account to do a sudo su and switch to the root account without being prompted for the root account’s password.
How to Switch (su) to Another User Account without Password
In this guide, we will show how to switch to another or a specific user account without requiring a password. For example, we have a user account called postgres (the default PostgreSQL superuser system account), we want every user (typically our PostgreSQL database and system administrators) in the group called postgres to switch to the postgres account using the su command without entering a password.
By default, only the root user can switch to another user account without entering a password. Any other user will be prompted to enter the password of the user account they are switching to (or if they are using the sudo command, they will be prompted to enter their password), if they don’t provide the correct password, they get an “authentication failed” error as shown in the following screenshot.
You can use any of the two solutions provided below to solve the above issue.
1. Using PAM Authentication Module
PAM (Pluggable authentication modules) are at the core of user authentication on modern Linux operating systems. To allow users in a specific group to switch to another user account without a password, we can modify the default PAM settings for the su command in the /etc/pam.d/su file.
# vim /etc/pam.d/su OR $ sudo vim /etc/pam.d/su
Add the following configurations after “auth sufficient pam_rootok.so” as shown in the following screenshot.
auth [success=ignore default=1] pam_succeed_if.so user = postgres auth sufficient pam_succeed_if.so use_uid user ingroup postgres
In the above configuration, the first line checks if the target user is postgres, if it is, the service checks the current user, otherwise, the default=1 line is skipped and the normal authentication steps are executed.
auth [success=ignore default=1] pam_succeed_if.so user = postgres
The line that follows checks if the current user is in the group postgres, if yes , the authentication process is considered successful and returns sufficient as a result. Otherwise, the normal authentication steps are executed.
auth sufficient pam_succeed_if.so use_uid user ingroup postgres
Save the file and close it.
Next, add the user (for example aaronk) that you want to su to the account postgres without a password to the group postgres using usermod command.
$sudo usermod -aG postgres aaronk
Now try to su to the postgres account as the user aaronk, you should not be prompted for a password as shown in the following screenshot:
2. Using Sudoers File
You can also su to another user without requiring a password by making some changes in the sudoers file. In this case, the user (for example aaronk) who will switch to another user account (for example postgres) should be in the sudoers file or in the sudo group to be able to invoke the sudo command.
Then add the following configuration below the line “%sudo ALL=(ALL:ALL) ALL” as shown in the following screenshot.
aaronk ALL=NOPASSWD: /bin/su – postgres
Now try to su to the account postgres as the user aaronk, the shell should not prompt you to enter a password:
That’s all for now! For more information, see the PAM manual entry page (man pam.conf) and that of sudo command as well (man sudo).
How can I switch user without password?
Use «x» as password. Then login as myotheruser with password «x»:
Solution 2
sudo addgroup nopasswdlogin sudo adduser myotheruser nopasswdlogin Then change the file /etc/pam.d/login and place this somewhere before «@include common-auth» line:
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin Again, please use good passwords, you don’t want to be featured on websites such as http://www.zone-h.org/ 🙂
It is probably worth noting that you shouldn’t ever use a password change method that doesn’t request the old password if you’re also making use of encrypted home or private folders. When both passwords are provided, the filesystem key can be re-encrypted seemlessly. With an administrative password reset, this can’t be done.
@JamesHenstridge Very nice comment, but is it possible to do what you mention as an administrator? Perhaps to set the current password as expired? Or do you have to login as the user and do passwd user ?
The key used to unlock the home directory is encrypted with the users password. Without the old password, there is no way to recover that key, whether you’re a normal user or the administrator of the system. It is still possible to recover the key after an administrative password change, but only if you know the user’s old password.
If you use encrypted home directories, the password that admin changes is used to login but the old password is still required to decrypt the home directory. If you have lost the password to your encrypted home directory and haven’t created the recommended recovery key, all the data is lost unrecoverably. That’s the whole point of true encryption: there are no backdoors if you don’t have the required secret to decrypt the data.
Can I set my user account to have no password?
If I attempt to change my password to nothing by opening «User Accounts», the «Change» button remains greyed out: How do I change my password to be empty? I know you can set Ubuntu to automatically log you in, but I want my password to be empty, I never want to type in a password to authenticate myself as that user. I know that there are reasons why this might not be a good idea, but I want to know if it is even possible. I’m using Ubuntu 12.10.
@Kaz It doesn’t if you follow all the steps in the answer, including the step that was linked to at the end.
6 Answers 6
You can’t do that using the GUI tool, but you can using the terminal.
- First, if your user has sudo privileges, you must enable its NOPASSWD option. Otherwise, sudo will ask for a password even when you don’t have one, and won’t accept an empty password. To do so, open the sudoers configuration file with sudo visudo , and add the following line to the file, replacing david with your username:
If you ever get prompted for a password, just type enter and it should work. I’ve tested this answer with LightDM, the lock screen, sudo , gksu , and it works.
Any new visudo edits such as nopasswd should be added to the end so no other setting overwrites the entry.
This did not work for me (Ubuntu 16.04) via ssh login. It still asks for a password, but no password is accepted (blank or the old one or the one for the ssh key).
On Debian I got the message «Sorry that didn’t work try again» when I try to log with empty password after the command passwd david -d . And now I can’t login with the old password too.
Warning: Be careful once you remove your password using this method, you won’t be able to authenticate yourself to prove you have admin rights, in a GUI or in the terminal (like installing an application using Synaptic, or using sudo through the command-line). This is because of bug #1168749.
Only do this if the user is not the only admin user.
This has been tested on Ubuntu 12.04 and 12.10.
- Make sure that you click on Unlock to be able to accomplish the tasks below:
- Go into user accounts, and click on the password field:
- Once the window opens, click on the down arrow to the right of «Action».
- and change it to «Log in without a password», and then click on «Change»:
- Optionally, you can also enable automatic log-in, like this:
To give the user a password again after running this procedure, you can’t use a GUI (bug #882255), you have to use the command-line:
- Log in as another user with admin priveleges. (Remember, the original one cannot run with admin privileges without a password using this method.)
- Run the following in a terminal:
Again, I must warn you that once you remove the password, you won’t be able to authenticate yourself in the GUI or a terminal, like installing an application using Synaptic, or using sudo on the command-line.