sudo.erb 814 Bytes
#%PAM-1.0
# PAM stack for sudo. Authentication is Duo-only: the local password check
# is deliberately disabled below.
auth required pam_env.so

# MUST COMMENT OUT OR IT WILL ASK FOR A PASSWORD:
# auth requisite pam_unix.so nullok try_first_pass
# NOTE(review): with pam_unix disabled, the Duo check is the only factor
# protecting sudo. pam_duo's "failmode" option (set in the conf file named
# below) decides what happens when the Duo service cannot be reached:
# "safe" (pam_duo's default) lets authentication succeed, "secure" denies it.
# Under "safe", a Duo outage or blocked egress leaves sudo with no
# authentication step at all -- confirm the value in that conf file is the
# intended one, and alert on pam_duo fail-open log entries.

# Do a Duo authentication and, if successful, allow the sudo.
# Otherwise, fail.
# "sufficient" ends the auth stack with success once pam_duo succeeds
# (provided the earlier required pam_env has not failed); any other result
# falls through to pam_deny, which always fails.

auth sufficient pam_duo.so conf=/etc/security/pam_duo_su.conf
auth required   pam_deny.so

# NOTE(review): the account and password stacks both include common-auth.
# "include" pulls in only lines of the matching type, and a file named
# common-auth would normally hold auth lines only, so these two includes
# probably contribute no account/password rules (no account expiry or
# lockout checks from the common stack). common-account and common-password
# look like what was intended -- confirm against the host's /etc/pam.d
# before changing.
account    include      common-auth
password   include      common-auth
# Session setup: revoke the session keyring on close, then apply resource limits.
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
<%- if (@debuild) then -%>
# Rendered only when the @debuild template variable is set.
# Instead of including the stock common-session-noninteractive we
# use parts of it, overriding minimum_uid for pam_afs_session
# so that sudo will be able to get AFS tokens (helps with cowbuilder)
# NOTE(review): minimum_uid=0 on pam_afs_session means no uid is skipped, so
# sessions opened for root are processed too, while pam_krb5 still skips uids
# below 1000. Presumably this is scoped to build hosts only -- confirm which
# nodes set @debuild, since it widens where AFS tokens can be obtained.
session    optional     pam_krb5.so minimum_uid=1000
session    optional     pam_afs_session.so minimum_uid=0
<%- end -%>