Description
I am using pkexec and polkit in an enterprise environment with centralized authentication (LDAP/AD).
On our Linux client workstations (Ubuntu 24.04 GNOME), multiple administrators exist at the same time. These admin accounts are:
Domain (LDAP) accounts
Members of a security group
Granted administrative privileges via sudoers
Currently, pkexec only authenticates the current logged-in user and requests only a password. This makes it impossible to perform administrative actions as another administrator (e.g., a different domain admin) without switching sessions or using CLI tools like sudo -u.
In enterprise environments, it is often required that any authorized administrator (from LDAP, part of a security group, and listed in sudoers) can authenticate to perform privileged actions — similar to the “Run as…” behavior on Windows, where a username and password can be entered at elevation time.
🔧 Requested feature
Add support in pkexec / polkit authentication agents for:
Prompting for username + password, not only password
Allowing authentication as a different authorized administrator account
Applying existing polkit rules and sudoers/group-based policies to that account
🎯 Use case
This would significantly improve usability and security on shared or managed Linux workstations in corporate environments where:
Admin accounts are centralized (LDAP/AD)
Multiple administrators manage the same machines
Session switching is undesirable or restricted