SSH Sudo Execution or SU Utility Execution

Control elevated privilege in an SSH/SU session (sudo execution or direct execution of the su utility).

PAM includes an option that controls whether privilege elevation in an SSH/SU session runs through sudo or by executing the su utility directly.

With this option enabled, the system elevates the user's privilege with exec sudo su - user instead of the default exec su - user command.


The option is controlled by a custom record-level field on the Unix with SU record type or its inherited derivatives.

  • Field Type: Checkbox
  • Name: sudo
  • Display Name: Use sudo
  • Order: 620


You will need to create this custom field within a Record Type. To learn about creating custom fields, please review this article.

Now, within the record that uses the Record Type with this custom field, you will have a checkbox option named Use sudo.


  • When Use sudo is enabled (checked), PAM will authenticate sudo su with the User password.

  • When Use sudo is disabled (unchecked), PAM will authenticate su with the SU User password.


Sudo Session Persistence Control

PAM includes an option that controls whether the sudo session in an SSH execution persists or expires naturally after a timeout. This lets you decide whether a password prompt is required each time a privileged command is executed, or whether the session remains authenticated for the entire SSH session.

  • With this option enabled, the system runs sudo -v to validate the session and then maintains privilege elevation through a background command.

  • When disabled, it defaults to standard Linux behavior where the password must be re-entered after the sudo timeout.


This feature is controlled by a custom record-level checkbox field added to the Unix with SU record type or its inherited derivatives.

  • Field Type: Checkbox

  • Name: requirePasswordPrompt

  • Display Name: Require Password Prompt

  • Order: 700


Now, within the record that uses the Record Type with this custom field, you will have a checkbox option named Require Password Prompt.


  • When Require Password Prompt is enabled (checked), PAM will prompt for the sudo password each time the timeout expires, following standard Linux behavior.

  • When Require Password Prompt is disabled (unchecked), PAM keeps the sudo session active in the background to avoid repeated password prompts and supplies the password automatically at the start of the session.