sudo.erb

#%PAM-1.0
auth required pam_env.so

# MUST COMMENT OUT OR IT WILL ASK FOR A PASSWORD:
# auth requisite pam_unix.so nullok try_first_pass

# Do a Duo authentication and, if successful, allow the sudo.
# Otherwise, fail.

auth sufficient pam_duo.so conf=/etc/security/pam_duo_su.conf
auth required   pam_deny.so

account    include      common-auth
password   include      common-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
<%- if (@debuild) then -%>

# Instead of including the stock common-session-noninteractive we
# use parts of it, overriding minimum_uid for pam_afs_session
# so that sudo will be able to get AFS tokens (helps with cowbuilder)
session    optional     pam_krb5.so minimum_uid=1000
session    optional     pam_afs_session.so minimum_uid=0
<%- end -%>