environment/bin/admin/single-user

#!/bin/bash
## This script make autologin. If user has phisical access
## to the device we can trust him, otherwiese we require password
## for remote access


# Parameters
USERNAME="user"

# Sanity check
if [ "$(id -u)" -ne 0 ]; then
    echo "Please run this script as root."
    exit 1
fi

if ! id "$USERNAME" &>/dev/null; then
    echo "User '$USERNAME' does not exist."
    exit 1
fi

echo "Setting up passwordless sudo for physical access for user: $USERNAME"
echo

# 1. Configure sudoers: allow passwordless sudo
echo "Configuring sudoers for $USERNAME..."
echo "Defaults:$USERNAME !authenticate" >> /etc/sudoers.d/00-$USERNAME-nopasswd
chmod 440 /etc/sudoers.d/00-$USERNAME-nopasswd

# 2. Modify PAM for sudo to allow password only on non-physical ttys
echo "Configuring PAM for sudo tty check..."
PAM_FILE="/etc/pam.d/sudo"
BACKUP_FILE="/etc/pam.d/sudo.bak"

if ! grep -q "pam_succeed_if.so tty" "$PAM_FILE"; then
    echo "Creating backup of $PAM_FILE to $BACKUP_FILE"
    cp "$PAM_FILE" "$BACKUP_FILE"

    sed -i '1iauth [success=1 default=ignore] pam_succeed_if.so tty =~ /dev/tty[0-9]*' "$PAM_FILE"
    echo "PAM modified to restrict passwordless sudo to physical TTYs."
else
    echo "PAM sudo already appears configured."
fi

# 3. Enable autologin on tty1
echo "Configuring systemd autologin on tty1 for $USERNAME..."
mkdir -p /etc/systemd/system/getty@tty1.service.d
AUTOLOGIN_CONF="/etc/systemd/system/getty@tty1.service.d/override.conf"

cat > "$AUTOLOGIN_CONF" <<EOF
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin $USERNAME --noclear %I \$TERM
EOF

# Reload systemd and apply change
echo "Reloading systemd and restarting tty1..."
systemctl daemon-reexec
systemctl daemon-reload
systemctl restart getty@tty1

echo
echo "All done."
echo "User '$USERNAME' will now auto-login on tty1 and can use sudo without a password if physically present."
echo "Remote users (SSH) will still need to enter a password for sudo."