diff --git a/manifests/client.pp b/manifests/client.pp
index b933d58..625a6ea 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -15,6 +15,8 @@ $handle_nsswitch = false, $handle_sshd_config = false,
+ $handle_sudo_config = false,
+ $sudoers_name = undef,
 ) { validate_string($user)
@@ -77,4 +79,41 @@ } }
+ if $handle_sudo_config {
+ if $sudoers_name {
+ validate_string($sudoers_name)
+
+ augeas {'sudo pam with stns':
+ context => '/files/etc/pam.d/sudo',
+ changes => [
+ 'ins "01" after #comment',
+ 'set 01/type auth',
+ 'set 01/control sufficient',
+ 'set 01/module libpam_stns.so',
+ 'set 01/argument[1] sudo',
+ "set 01/argument[2] ${sudoers_name}",
+ ],
+ onlyif => [
+ "values *[type = 'auth']/module not_include libpam_stns.so",
+ "match *[module = 'libpam_stns.so']/argument size < 2",
+ "match *[module = 'libpam_stns.so']/argument != ['sudo', ${sudoers_name}]",
+ ],
+ }
+ } else {
+ augeas {'sudo pam with stns':
+ context => '/files/etc/pam.d/sudo',
+ changes => [
+ 'ins "01" after #comment',
+ 'set 01/type auth',
+ 'set 01/control sufficient',
+ 'set 01/module libpam_stns.so',
+ ],
+ onlyif => [
+ "values *[type = 'auth']/module not_include libpam_stns.so",
+ "match *[module = 'libpam_stns.so']/argument size == 0",
+ ],
+ }
+ }
+ }
+
 }
diff --git a/manifests/server.pp b/manifests/server.pp
index d874a13..930d894 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
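Review bot: The first `onlyif` entry, `values *[type = 'auth']/module not_include libpam_stns.so`, makes both `augeas` resources a no-op as soon as any `libpam_stns.so` auth line exists in `/etc/pam.d/sudo`, so a later change of `sudoers_name` (or switching between the two branches) is never reconciled, and the `size` and `!=` conditions can only narrow a case that is already skipped. As far as I recall the augeas provider also evaluates only the first `onlyif` command of an array, which would make the other two entries dead text; worth confirming against the Puppet version this module targets. In the `$sudoers_name` branch the value is spliced into the `changes` and `onlyif` expressions with only `validate_string` behind it, and inside the `!=` array it is unquoted (`['sudo', ${sudoers_name}]`) while `'sudo'` is quoted; a name containing a quote, bracket or whitespace likely yields a malformed Augeas expression rather than a clean failure, so a stricter check such as `validate_re($sudoers_name, '\A[\w.-]+\z', 'sudoers_name must be a plain group name.')` and quoting the element as `'${sudoers_name}'` would keep the expression well-formed. The enclosing class `stns::client` starts outside the hunk.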
@@ -4,16 +4,22 @@ # stns::server is to install and configure stns.
 class stns::server (
- $port = 1104,
- $user = undef,
- $password = undef,
- $package_ensure = present,
+ $port = 1104,
+ $user = undef,
+ $password = undef,
+ $package_ensure = present,
+ $sudoers_name = undef,
+ $sudoers_password = undef,
+ $sudoers_hash_type = 'sha256',
 ) { validate_integer($port) validate_string($user) validate_string($password) validate_string($package_ensure)
+ validate_string($sudoers_name)
+ validate_string($sudoers_password)
+ validate_re($sudoers_hash_type, '\Asha(256|512)\z', 'sudoers_hash_type supports sha256 or sha512.')
 require stns::repo
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index 99d9a38..ced7dbc 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
@@ -5,11 +5,14 @@ class stns::server::config {
- $port = $stns::server::port
- $user = $stns::server::user
- $password = $stns::server::password
- $users = $stns::server::users
- $groups = $stns::server::groups
+ $port = $stns::server::port
+ $user = $stns::server::user
+ $password = $stns::server::password
+ $users = $stns::server::users
+ $groups = $stns::server::groups
+ $sudoers_name = $stns::server::sudoers_name
+ $sudoers_password = $stns::server::sudoers_password
+ $sudoers_hash_type = $stns::server::sudoers_hash_type
 concat { '/etc/stns/stns.conf': ensure => present,
@@ -41,4 +44,12 @@ order => '60'; }
+ if $sudoers_name != undef {
+ concat::fragment { 'sudoers_config_in_stns':
+ target => '/etc/stns/stns.conf',
+ content => template('stns/sudoers.conf.erb'),
+ order => '25',
+ }
+ }
+
 }
diff --git a/spec/acceptance/client_spec.rb b/spec/acceptance/client_spec.rb
index 9b5cfdc..b09bb0c 100644
--- a/spec/acceptance/client_spec.rb
+++ b/spec/acceptance/client_spec.rb
@@ -30,6 +30,7 @@ class { '::stns::client': http_proxy => 'http://proxy.example.com:1104', handle_nsswitch => true, handle_sshd_config => true,
+ handle_sudo_config => true,
 }
 EOS
 end
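Review bot: `validate_string($sudoers_password)` in the `stns::server` hunk accepts any string, although the `sudoers_hash_type` parameter and the acceptance test's `password = "[a-z0-9]{64}"` assertion indicate the value is a hex digest; a plaintext password passed by mistake is written into `/etc/stns/stns.conf` verbatim by `sudoers.conf.erb`, and checking the digest length against `sudoers_hash_type` catches that at compile time. In the `stns::server::config` hunk, `if $sudoers_name != undef` emits the `[sudoers.<name>]` section even when `sudoers_password` is undef, producing `password = ""`; guarding on both, `if $sudoers_name != undef and $sudoers_password != undef {`, avoids writing an empty credential stanza. Whether stns treats an empty password as "no sudo auth" or as always-match I cannot tell from this diff. The enclosing class bodies start and end outside these hunks.
```puppet
  validate_re($sudoers_hash_type, '\Asha(256|512)\z', 'sudoers_hash_type supports sha256 or sha512.')
  # The digest length follows the hash type: 64 hex chars for sha256, 128 for sha512.
  if $sudoers_password != undef {
    $digest_len = $sudoers_hash_type ? {
      'sha512' => 128,
      default  => 64,
    }
    validate_re($sudoers_password, "\\A[0-9a-f]{${digest_len}}\\z",
      'sudoers_password must be the lowercase hex digest selected by sudoers_hash_type.')
  }
```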
@@ -76,4 +77,8 @@ class { '::stns::client': its(:content) { should match %r{^\s*AuthorizedKeysCommand\s+/usr/local/bin/stns-key-wrapper$} } its(:content) { should match /^\s*AuthorizedKeysCommand(User|RunAs)\s+root$/ } end
+
+ describe file('/etc/pam.d/sudo') do
+ its(:content) { should match /^#%PAM-1.0\nauth\s+sufficient\s+libpam_stns.so$/ }
+ end
 end
diff --git a/spec/acceptance/server_spec.rb b/spec/acceptance/server_spec.rb
index fe045fe..be17d8c 100644
--- a/spec/acceptance/server_spec.rb
+++ b/spec/acceptance/server_spec.rb
@@ -4,9 +4,11 @@ let(:manifest) do <<-EOS class { '::stns::server':
- port => 1104,
- user => 'sample',
- password => 's@mp1e',
+ port => 1104,
+ user => 'sample',
+ password => 's@mp1e',
+ sudoers_name => 'sandbox',
+ sudoers_password => 'b7ad567477c83756aab9a542b2be04f77dbae25115d85f22070d74d8cc4779dc',
 } ::stns::server::users { 'sandbox':
@@ -62,6 +64,10 @@ class { '::stns::server': its(:content) { should match /^\[groups.sandbox\]$/ } its(:content) { should match /^id = 1001$/ } its(:content) { should match /^users = \["sandbox"\]$/ }
+
+ its(:content) { should match /^\[sudoers.sandbox\]$/ }
+ its(:content) { should match /^password = "[a-z0-9]{64}"$/ }
+ its(:content) { should match /^hash_type = "sha256"$/ }
 end describe service('stns') do
diff --git a/templates/sudoers.conf.erb b/templates/sudoers.conf.erb
new file mode 100644
index 0000000..c8366e6
--- /dev/null
+++ b/templates/sudoers.conf.erb
@@ -0,0 +1,4 @@
+[sudoers.<%= @sudoers_name %>]
+password = "<%= @sudoers_password %>"
+hash_type = "<%= @sudoers_hash_type || 'sha256' %>"
+
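Review bot: The new `/etc/pam.d/sudo` assertion in `client_spec.rb` only exercises the branch of `stns::client` that omits `sudoers_name` (the manifest in this file's earlier hunk sets just `handle_sudo_config => true`), so the variant that appends `sudo <name>` arguments and the `!= [...]` onlyif guarding it have no acceptance coverage; a second example with `sudoers_name` set and an assertion like `its(:content) { should match /^auth\s+sufficient\s+libpam_stns\.so\s+sudo\s+sandbox$/ }` would cover it. The unescaped dots in `1.0` and `libpam_stns.so` match any character, so `1\.0` and `libpam_stns\.so` keep the check strict. In `sudoers.conf.erb`, the `|| 'sha256'` fallback duplicates the default and `validate_re` already applied in `stns::server`, and can presumably never fire; dropping it keeps one source of truth for the default. The enclosing `describe` block starts outside the hunk.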