Automatic Sudo or Su Privilege Elevation

Secret Server has a convenience feature that eliminates the need to manually enter a su or sudo command's password when using a proxied SSH session to a Unix or Linux server. When a user manually types a su or sudo command with a valid secret ID, the SSH proxy automatically provides the username and password to use. The user does not need to know either.

For su, the connection procedure is as follows:

  1. Secret A is created to contain the username and password for the su privilege elevation. Any potentially elevated users must have access to this secret.
  2. Using secret B, a user (with access to secret A) starts a Secret Server proxied SSH session.
  3. When the user types su at the command prompt, the SSH proxy detects it, determines the user has access to secret A, and augments the command with the secret ID for secret A via a command line argument. Any other arguments the user may have typed are left as is.
  4. The user runs the su command, and the secret ID is replaced with the user and credential from secret A.
  5. With the elevated permissions (temporarily as another user) from secret A, the user completes the desired tasks.
  6. When finished, the user uses an exit command to return to their non-elevated status based on secret B.

The added argument appears as `--secret-id <secret ID>` or `-id <secret ID>`, such as `su --secret-id 15`, which is replaced by the username and password from secret ID 15 when the command runs.

Sudo takes neither secret argument; the proxy automatically types the current user's password.
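The following is an added illustration of the two stages described above, not Secret Server's own code: a proxy-side augmentation that checks access to secret A before injecting `--secret-id`, and a run-time substitution that swaps the reference for the stored user and hands the password to the prompt rather than the command line. The `VAULT` contents, the sample secret IDs, and the exact shape of the substitution (username becomes su's target user) are assumptions made for the example.

```python
import shlex

# Constructed sample vault (not Secret Server data): secret ID -> record.
# "allowed" is the set of Secret Server users permitted to use the secret.
VAULT = {
    15: {"username": "root", "password": "pw-A-constructed", "allowed": {"alice"}},   # secret A
    7:  {"username": "alice", "password": "pw-B-constructed", "allowed": {"alice"}},  # secret B
}


def augment(line, session_user, secret_a_id):
    """Stage 1 (proxy side): if the typed command is su and the session user
    has access to secret A, insert --secret-id <id>; other arguments stay as typed."""
    parts = shlex.split(line)
    if not parts or parts[0] != "su":
        return line
    if "--secret-id" in parts or "-id" in parts:
        return line  # already carries a secret reference; do not duplicate it
    rec = VAULT.get(secret_a_id)
    if rec is None or session_user not in rec["allowed"]:
        return line  # no access: pass through untouched, su prompts as usual
    return shlex.join([parts[0], "--secret-id", str(secret_a_id), *parts[1:]])


def resolve(line, session_user, secret_b_id):
    """Stage 2 (run time): replace the secret reference with the stored username and
    return the password separately so it is typed at the prompt, never on the command
    line. sudo takes no argument and receives the session user's own password (secret B)."""
    parts = shlex.split(line)
    if not parts:
        return line, None
    if parts[0] == "sudo":
        rec = VAULT[secret_b_id]
        if rec["username"] != session_user or session_user not in rec["allowed"]:
            return line, None
        return line, rec["password"]
    for flag in ("--secret-id", "-id"):
        if flag in parts:
            i = parts.index(flag)
            rec = VAULT.get(int(parts[i + 1]))
            if rec is None or session_user not in rec["allowed"]:
                return line, None  # access re-checked at run time, not only at typing time
            rest = parts[:i] + parts[i + 2:]
            return shlex.join([*rest, rec["username"]]), rec["password"]
    return line, None
```

Note that the access check runs in both stages, so a secret ID typed by hand is still subject to the same permission test as one the proxy inserted.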