No password not NOPASSWD sudo.





What is Vault?


Vault is a tool created by HashiCorp that, in its own words, lets you “Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.”

One common use of Vault is to pair its one-time-password (OTP) generation with the SSH secrets engine, giving a secure authentication flow for SSH access to servers.

If all of this is alien to you, HashiCorp has excellent documentation with a much more in-depth explanation, so I am not going to go into detail on what this is or how to set it up.

SSH OTP Workflow



Vault SSH OTP is set up with a custom PAM configuration on the server. That same PAM configuration can be reused for sudo, giving OTP-authenticated sudo instead of having to configure passwords for users.

Where does sudo come into this?

If you are familiar with Vault OTP SSH and are using it on your servers, you have probably seen this set of instructions before:

Looking at this specific part of those instructions:



So this provides a great password-less method of SSHing into your servers. But once you are in as your user, a common problem appears: engineers set the NOPASSWD option for sudo because the users are not provisioned with a password, or they keep managing user passwords just so that sudo works. With those being the two commonly adopted options, there had to be something better than choosing between the insecure and the redundant.

Since Vault hooks into the sshd PAM stack for SSH authentication, I figured there was no reason the same thing couldn't be done for the sudo PAM stack. So I decided to try it, starting with the sudo PAM configuration in /etc/pam.d/sudo:


```
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
```


I modified it in the same way the SSH instructions imply: I added the auth requisite and auth optional lines pointing at the vault-ssh-helper binary.


```
auth       required
auth       requisite    pam_exec.so quiet expose_authtok log=/tmp/vaultssh.log /usr/local/bin/vault-ssh-helper -config=/etc/vault-ssh-helper.d/config.hcl debug
auth       optional     pam_unix.so not_set_pass use_first_pass nodelay
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth
```


Boom! It worked like magic. Generate one token to get onto the server, then when you need to sudo, generate another token and enter it at the password prompt.

```
[test@myserv ~]$ sudo -s
[sudo] password for test:
[root@myserv ~]$
```


This is nothing mind-blowing, but I believe it is a slick way of keeping authentication password-less on servers for both SSH and sudo. It is just an extension of the functionality Vault already provides.
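To make the difference between the three sudo set-ups contrasted above (NOPASSWD, managed passwords, Vault OTP) something you can check on a host rather than eyeball, here is a small POSIX shell audit. It is an added example, not code from this post or from HashiCorp. It assumes the helper line uses pam_exec.so with a pam_unix.so fallback, as in the PAM stack shown above, and the sudoers and PAM text it reads are constructed samples rather than files from a real server.

```shell
#!/bin/sh
# Added example (not from the original post or from HashiCorp): classify a
# host's sudo authentication from its sudoers and /etc/pam.d/sudo contents.
# Inputs are passed as strings so the script runs anywhere; on a real host
# you would feed it /etc/sudoers (plus /etc/sudoers.d/*) and /etc/pam.d/sudo.

# Drop comments and blank lines so only active directives are inspected.
active_lines() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# The "insecure" option from the post: any NOPASSWD grant in sudoers.
sudoers_has_nopasswd() {
    active_lines "$1" | grep -q 'NOPASSWD'
}

# The OTP option: vault-ssh-helper runs as a *requisite* auth module through
# pam_exec.so, and it sits before the pam_unix.so fallback, so a failed OTP
# stops the stack instead of falling through to a local password.
pam_sudo_uses_vault_otp() {
    stack=$(active_lines "$1")
    helper=$(printf '%s\n' "$stack" | grep -n 'vault-ssh-helper' | head -n 1 | cut -d: -f1)
    [ -n "$helper" ] || return 1
    printf '%s\n' "$stack" | sed -n "${helper}p" \
        | grep -q '^auth[[:space:]][[:space:]]*requisite[[:space:]][[:space:]]*pam_exec\.so' || return 1
    unix=$(printf '%s\n' "$stack" | grep -n 'pam_unix\.so' | head -n 1 | cut -d: -f1)
    [ -z "$unix" ] || [ "$helper" -lt "$unix" ]
}

# The post logs the helper to /tmp while experimenting; flag that so the
# debug log path is not left in place on a production host.
pam_sudo_logs_to_tmp() {
    active_lines "$1" | grep 'vault-ssh-helper' | grep -q 'log=/tmp/'
}

# Summarise which of the three set-ups the given files describe.
classify_sudo() {
    if sudoers_has_nopasswd "$1"; then
        echo "nopasswd"
    elif pam_sudo_uses_vault_otp "$2"; then
        echo "vault-otp"
    else
        echo "password"
    fi
}

# Constructed sample inputs (not captured from a real server).
SUDOERS_NOPASSWD='%wheel ALL=(ALL) NOPASSWD: ALL'
SUDOERS_PASSWORD='%wheel ALL=(ALL) ALL'
PAM_SUDO_DEFAULT='#%PAM-1.0
auth       include      system-auth
account    include      system-auth'
PAM_SUDO_OTP='#%PAM-1.0
auth requisite pam_exec.so quiet expose_authtok log=/tmp/vaultssh.log /usr/local/bin/vault-ssh-helper -config=/etc/vault-ssh-helper.d/config.hcl
auth optional pam_unix.so not_set_pass use_first_pass nodelay
account    include      system-auth'

# Stand-alone demonstration: prints "vault-otp".
classify_sudo "$SUDOERS_PASSWORD" "$PAM_SUDO_OTP"
```

On a real host you would call it as root with `classify_sudo "$(cat /etc/sudoers)" "$(cat /etc/pam.d/sudo)"`; a result of `nopasswd` means a NOPASSWD grant still exists somewhere and the OTP stack is being bypassed for that rule, and `pam_sudo_logs_to_tmp` returning true is the cue to move the helper log out of /tmp before rolling the configuration out more widely.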
