I manage a bunch of laptops in my household, and while I can do most things over SSH, sometimes I just need to physically sit down at someone's logged-in desktop environment. If the user is around, I can always "Hey, come log in for me;" but sometimes they're not around, and I end up having to fiddle with /etc/shadow to set their password to mine, log in, then restore shadow.
What I'd really like is the ability to use root's password (or better yet any admin's password) to log into a desktop as any user. I've read the man pages for every pam_ library on the system, and the only one that even seems to come close to what I'm after is pam_userdb: configuring a secondary password database with all the normal users but with the administrative password; but that's still hacky.
I've looked at the configuration guides for both lightdm and gdm, and I don't see anything about this. I've briefly looked at polkit, but frankly I have no idea what that thing is doing.
Edit: "logged-in" was probably a bad way to phrase it - I meant accessing the user's full desktop environment, not just accessing a single app.
su user as root, then start X? Do you want it locally or remotely? Maybe a VNC is what you need? Also this question – FelixJN Jun 11 '21 at 13:50
sudo for. Read man sudo sudoers. You can ssh to the Laptop as yourself, and sudo -u otheruser command. – waltinator Jun 11 '21 at 20:01
ssh -X can help (and using key-based login for that is a possible answer to the OP's question, as can VNC or similar remote-desktop type software), but most GUI apps misbehave if more than one instance is run by the same user at the same time... that can be a quick way to corrupt config files. – cas Jun 12 '21 at 03:50
auth pam_userdb ... before auth pam_unix ... is probably the easiest way to do what you want. Either that or write your own pam module that returns true if the root password is entered. You can either create the duplicate accounts (with the root pw) whenever you create a new account, or just create them on the fly when you need them (and optionally delete them afterwards). Remember to use use_first_pass for subsequent auth modules like pam_unix. – cas Jun 12 '21 at 04:13
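The pam_userdb-before-pam_unix ordering from the last comment, written out as a PAM fragment. This is an added example, not configuration posted by anyone in the thread; the service file name, the database path /etc/security/admin_login and the "sufficient" control flag are assumptions.

```conf
# Added example (not from the thread). Fragment for the display manager's
# PAM service file, e.g. /etc/pam.d/lightdm; the exact file and any
# distribution includes around it are assumptions to adapt locally.

# 1. Check the typed password against a separate user database first.
#    db= is given WITHOUT the .db suffix, so this reads
#    /etc/security/admin_login.db (assumed path). Each key is a local
#    username, each value the hash of the admin password.
#    crypt=crypt: values are crypt(3) hashes. The alternative, crypt=none,
#    stores plaintext passwords in the file and should not be used.
#    "sufficient" (assumed control flag): a match ends the auth stack with
#    success; a mismatch or unknown user falls through to the next line.
auth    sufficient    pam_userdb.so    db=/etc/security/admin_login crypt=crypt

# 2. Normal login. use_first_pass makes pam_unix reuse the password that
#    pam_userdb already prompted for instead of asking a second time.
auth    required      pam_unix.so      use_first_pass

# Hardening checks for this setup:
#  - admin_login.db: owner root, mode 0600. Anyone who can read it can
#    attack the admin hash offline; anyone who can write it can log in as
#    any listed user.
#  - Add the pam_userdb line only to the local display manager's service,
#    not to a shared include used by sshd, su or sudo, unless that wider
#    reach is intended.
```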