Channel: User Kamil Maciorowski - Super User

Answer by Kamil Maciorowski for Can I login into sddm as some user, not knowing their password, if I have sudo/root privileges?


Solution with PAM and a single master password

If your sddm uses PAM then you can modify /etc/pam.d/sddm and make it accept your master password for any user.

  1. We will create a helper script that will compare the first line from its stdin to your master password stored verbatim as the first line in a separate file.

    sudo sh -e -c '
    umask 0007
    cat > /etc/security/master_password_check << "EOF"
    #!/bin/sh -e
    # From https://superuser.com/a/1869073/432690
    IFS= read -r ps || true
    IFS= read -r mps < /etc/security/master_password
    [ "$ps" = "$mps" ]
    EOF
    chmod u+x /etc/security/master_password_check
    cat > /etc/security/master_password << "EOF"
    M4st3rPSSwrd
    EOF
    '

    Execute the above exact code in a shell; it will create the necessary files. Next, sudoedit /etc/security/master_password and replace M4st3rPSSwrd with your master password. (Replacing before executing the code may break things if your master password contains '.) The master password in the file shall be properly terminated with a newline character.

  2. sudoedit /etc/pam.d/sddm and place the following lines before any existing auth … line:

    # Master password, see https://superuser.com/a/1869073/432690
    auth sufficient pam_exec.so expose_authtok quiet /etc/security/master_password_check

The line will make sddm run our master_password_check and pass the typed password via its stdin. The script will compare it to the master password and immediately allow access if they match. The ability to log in using the target user's regular password is unaffected.

From now on you can log into sddm as any user by providing your master password.


Notes

  • If our auth sufficient … line was added to /etc/pam.d/common-auth instead, then many programs (including sddm) would start accepting the master password (because PAM configuration files commonly use @include common-auth where appropriate).
  • The master password is stored as plain text inside /etc/security/master_password; it is only protected by the mode of the file. If this is not enough for you, implement support for a hashed master password on your own.
  • To revert:
    • remove our line from /etc/pam.d/sddm;
    • rm /etc/security/master_password_check /etc/security/master_password
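
The second note leaves hashed storage to the reader. One way to do it, as an added example that is not part of the original answer: a replacement helper in Python that takes the typed password from stdin, as pam_exec passes it with expose_authtok, and checks it against a salted PBKDF2-SHA256 record instead of a plain-text line. The path /etc/security/master_password.hash, the record format and all function names are assumptions of this example.

```python
#!/usr/bin/env python3
"""Hashed variant of master_password_check for pam_exec (added example)."""
import hashlib
import hmac
import os
import sys

# Assumed path for this example; the answer itself only uses master_password.
HASH_FILE = "/etc/security/master_password.hash"
ITERATIONS = 600_000

def make_record(password, salt=None, iterations=ITERATIONS):
    """Build the 'pbkdf2-sha256$iterations$salt$hash' line to store in HASH_FILE."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(password, record):
    """Return True only if password matches the stored record; fail closed."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.strip().split("$")
        if scheme != "pbkdf2-sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password, bytes.fromhex(salt_hex), int(iterations))
        # Constant-time comparison of the derived key and the stored hash.
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except (ValueError, OverflowError):
        return False  # malformed or unsupported record

def read_authtok(stream):
    """First line of stdin (may lack a newline); a trailing NUL is dropped."""
    return stream.read().split(b"\n", 1)[0].rstrip(b"\x00")

def main():
    try:
        with open(HASH_FILE, encoding="ascii") as fh:
            record = fh.readline()
    except OSError:
        return 1  # no readable record: deny
    return 0 if verify(read_authtok(sys.stdin.buffer), record) else 1

if __name__ == "__main__":
    sys.exit(main())
```

Generate the record once with make_record() as root, store it as the first line of the hash file with a mode only root can read, and point the pam_exec line at this script instead of master_password_check.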
