How to grant su access to wheel without asking for password on FreeBSD?

Question

I would like to grant users of the wheel group (other sysadmins) su access without being asked for password.

I know how to do it with pam in linux, but the question now is for FreeBSD. I am not familiar with the syntax for FreeBSD's PAM subsystem. What shall I enter in /etc/pam.d/su instead of the default:

auth         sufficient   pam_rootok.so   no_warn
auth         sufficient   pam_self.so     no_warn
auth         requisite    pam_group.so    no_warn group=wheel root_only fail_safe ruser
auth         include      system

# account
account      include      system

# session
session      required     pam_permit.so

Answer 1

I did some error and trial and the solution for me seems to be like this:

# auth
auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe ruser
auth            sufficient      pam_group.so            no_warn group=wheel root_only fail_safe ruser
auth            include         system

# account
account         include         system

# session
session         required        pam_permit.so

This allows members of the wheel group to su without password, but disallows non-members. (I think the two line can be consolidated into one, but I did not bother that much.)

Answer 2

sudo is configured by sudoers file and visudo should be used to edit.

visudo -f /usr/local/etc/sudoers

Make sure you have this line uncommented:

%wheel ALL=(ALL) NOPASSWD: ALL