For now, you may want to use the "nopass" keyword and set up highly-restrictive rules. The last matching rule determines the action taken, so you can have more general rules up top, and more specific ones that don't require a password toward the end. For example, my wireless network manager script relies on the ability to kill off the DHCP client and do some other things with ifconfig.

permit nopass :wheel as root cmd /usr/bin/pkill args dhclient
permit nopass :wheel as root cmd /sbin/ifconfig
permit nopass :wheel as root cmd /sbin/dhclient

In -CURRENT, doas.conf has a "persist" keyword that will only prompt once per session. This isn't available in OpenBSD 6.0, but should work when 6.1 is released. Here's a fairly minimal rule that would allow wheel group users to do whatever they want with doas after authenticating once:

permit persist :wheel

On Thu, Dec 15, 2016 at 10:56 AM, jungle Boogie <jungleboog...@gmail.com> wrote:
> Hi All,
>
> Should I be prompted for a password during this scenario?
>
> $ doas date
> doas (jun...@openbsd.my.domain) password:
> Thu Dec 15 08:55:39 PST 2016
> $ ./date.sh
> doas (jun...@openbsd.my.domain) password:
> Thu Dec 15 08:55:46 PST 2016
>
> As you see, only seconds passed from both commands and yet, I'm prompted
> for my password again.
>
> --
> -------
> inum: 883510009027723
> sip: jungleboo...@sip2sip.info
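
An added example, not part of the original message and not doas's own code: a simplified Python model of the "last matching rule wins" evaluation described in the reply, useful for checking that a narrow nopass rule is not overridden by a broader rule placed after it. The names Rule, parse, matches and decide, the user alice, and the leading "permit :wheel" line are assumptions for illustration; commands are compared as plain strings.

```python
# Simplified model of doas.conf matching (illustration only, not doas source).
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    nopass: bool                      # True when the rule carries "nopass"
    ident: str                        # "user" or ":group"
    target: Optional[str] = None      # from "as <user>"; None = any target
    cmd: Optional[str] = None         # None = any command
    args: Optional[List[str]] = None  # None = any arguments

def parse(line):
    tok, i = line.split(), 1
    while tok[i] in ("nopass", "persist", "keepenv"):
        i += 1
    rule, rest = Rule(tok[0], "nopass" in tok[1:i], tok[i]), tok[i + 1:]
    while rest:
        key, rest = rest[0], rest[1:]
        if key == "args":              # the rest of the line is the exact argv
            rule.args, rest = rest, []
        else:                          # "as <user>" or "cmd <path>"
            setattr(rule, {"as": "target", "cmd": "cmd"}[key], rest[0])
            rest = rest[1:]
    return rule

def matches(r, user, groups, target, cmd, args):
    who = r.ident[1:] in groups if r.ident[0] == ":" else r.ident == user
    as_ok = r.target is None or r.target == target
    cmd_ok = r.cmd is None or (r.cmd == cmd and r.args in (None, list(args)))
    return who and as_ok and cmd_ok

def decide(conf, user, groups, cmd, args=(), target="root"):
    rules = [parse(l) for l in conf.splitlines() if l.strip()]
    hits = [r for r in rules if matches(r, user, groups, target, cmd, args)]
    if not hits or hits[-1].action != "permit":   # last matching rule wins
        return "deny"
    return "permit-nopass" if hits[-1].nopass else "permit-password"

# Constructed config: a general rule first, then the nopass rules from the message.
CONF = """
permit :wheel
permit nopass :wheel as root cmd /usr/bin/pkill args dhclient
permit nopass :wheel as root cmd /sbin/ifconfig
permit nopass :wheel as root cmd /sbin/dhclient
"""

if __name__ == "__main__":
    print(decide(CONF, "alice", {"wheel"}, "/usr/bin/pkill", ["dhclient"]))
```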