PAM Recipe to Authenticate on Either the User's Password or Root's Password

[Les Mikesell]

On Sat, 2006-05-13 at 13:22, Schlaegel wrote:

> I want everyone to avoid 'su', and most users won't know any important
> target passwords (like root). Also, which password is required is
> inconsistent across linux programs and even across `sudo`
> installations, so I want either to work.
> 
> Rather than debate the social issues, I want to know if anyone knows a
> technical solution that allows this.

It's more program philosophy than a social issue.  When you
disagree with the author about what the program is supposed
to do, the source code is the place to start.

> (This same pam recipe would be handy in a screensaver lock screen.)

Pam can check a password against any number of things you
want, but I don't think there is a way to tell it that
other user names are OK in the same run.  You might build
an appropriate permutation of the password file for a
service (where the expected user name is matched with the
alternate acceptable password) and add that to the list that
pam should check.

-- 
  Les Mikesell
   lesmikesell at gmail.com