Question

Best way to handle sudo access in Password Safe without exposing passwords

  • April 9, 2026
  • 4 replies
  • 97 views


We’re currently using BeyondTrust Password Safe to manage SSH access to a large number of Linux servers (100+), where users authenticate using their AD accounts.

Access to the servers works fine through Password Safe, but we’re running into an issue when users need to elevate privileges. When they run sudo su, the system prompts for a password, but since password retrieval is disabled, users can’t proceed.

We want to avoid enabling password retrieval or exposing any credentials to users, but still allow them to perform privileged operations when required.

At the same time, managing sudo access directly on each server (e.g., updating /etc/sudoers individually or using NOPASSWD per user) isn’t really practical at this scale.

So I wanted to check with the community:

  • Is there a way to handle sudo password injection through Password Safe for SSH sessions?
  • How are others managing privilege escalation in similar environments without exposing credentials?
  • Any recommended best practices for scaling this across a large number of Linux servers?

4 replies

Pulitros144
  • Veteran
  • April 10, 2026

@Hashan_Neth To answer your questions:

1. Is there a way to handle sudo password injection through Password Safe for SSH sessions? A: Directly from Password Safe, there is NO credential injection available for elevation.

2. How are others managing privilege escalation in similar environments without exposing credentials? A: You have a few options:

  • First: EPM-UL (Endpoint Privilege Management for Unix/Linux) can handle elevation on Linux servers as seamlessly as possible.

  • Second: You could use psrun to request the password from the server via API and use that same command to elevate the session.

  • Third: Instead of using a generic account like 'root', you can create dedicated accounts (e.g., a.hneth). Once the user logs into Password Safe, that specific account is only available to them, and you can then allow NOPASSWD in the sudoers file for that specific user.

3. Any recommended best practices for scaling this across a large number of Linux servers? A: This is the tricky part. You will need to decide which approach is less demanding for your team to manage at scale.


  • Author
  • Apprentice
  • April 14, 2026

@Pulitros144 Is it possible to configure Password Safe sessions to initiate directly with root privileges (or an equivalent privileged account), so that users do not need to perform su or sudo after login?


Pulitros144
  • Veteran
  • April 15, 2026

> @Pulitros144 Is it possible to configure Password Safe sessions to initiate directly with root privileges (or an equivalent privileged account), so that users do not need to perform su or sudo after login?

It is not possible unless you create a script directly on the server—for example, by adding it to the .bashrc file. As of today, Password Safe does not allow you to input a command directly onto the screen during the login process. There is currently an Idea open on the AHA portal for this feature, but for now, the recommendation is to set the account to NOPASSWD in the sudoers file and leave it at that.
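An added example (not part of any post in this thread, and not BeyondTrust code) for the dedicated-account NOPASSWD approach suggested in the two replies above: it renders a per-account drop-in for /etc/sudoers.d, syntax-checks it with visudo and installs it with mode 0440. The file prefix `90-pws-`, the function names and the command list are assumptions; the account name a.hneth is taken from the reply.

```shell
#!/usr/bin/env bash
# Added example. The file prefix and command list are assumptions for
# illustration, not values defined by Password Safe.

# sudo's includedir skips files whose names contain '.' or end in '~',
# so an account such as "a.hneth" cannot be used verbatim as a file name.
dropin_name() {
    printf '90-pws-%s\n' "$(printf '%s' "$1" | tr '.' '_')"
}

# Render the rule for one dedicated account. Names containing characters
# with meaning in sudoers syntax (space, ',', '=', '!', '%', '#') are refused.
render_rule() {
    local user=$1 cmds=${2:-ALL}
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "invalid account name: $user" >&2; return 1 ;;
    esac
    printf '# Dedicated Password Safe account: no sudo password prompt\n'
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$cmds"
}

# Write the drop-in with mode 0440 after a syntax check, because a
# malformed file under sudoers.d can break sudo on the host.
install_rule() {
    local user=$1 cmds=${2:-ALL} dir=${3:-/etc/sudoers.d} tmp rc
    tmp=$(mktemp) || return 1
    render_rule "$user" "$cmds" > "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    install -m 0440 "$tmp" "$dir/$(dropin_name "$user")"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Passing specific command paths as the second argument instead of the default ALL narrows what the account can run without a password.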


  • Apprentice
  • May 4, 2026

Hello @Pulitros144

We are currently facing a challenge in securely providing users with sudo/root access. 
Our requirement is to allow users to log in to servers and perform tasks with elevated permissions without retrieving or exposing the root password.

Currently, when users launch a PuTTY session, it does not prompt for additional permissions initially. 
However, once they attempt to execute commands using sudo (the user is LDAP-authenticated with sudo privileges), the system requests a password.

Our concern is that enabling password retrieval for such access would violate our internal security policies. 
We are looking for a secure solution that allows users to perform sudo tasks during the PuTTY session without compromising password security.