We’re currently using BeyondTrust Password Safe to manage SSH access to a large number of Linux servers (100+), where users authenticate using their AD accounts.
Access to the servers works fine through Password Safe, but we’re running into an issue when users need to elevate privileges. When they run sudo su, the system prompts for a password, but since password retrieval is disabled, users can’t proceed.
We want to avoid enabling password retrieval or exposing any credentials to users, but still allow them to perform privileged operations when required.
At the same time, managing sudo access directly on each server (e.g., updating /etc/sudoers individually or using NOPASSWD per user) isn’t really practical at this scale.
So I wanted to check with the community:
- Is there a way to handle sudo password injection through Password Safe for SSH sessions?
- How are others managing privilege escalation in similar environments without exposing credentials?
- Any recommended best practices for scaling this across a large number of Linux servers?
