I'm not aware of any built-in system designed for the two-person concept at the operating system level. While a new version of sudo/PAM could be written to accomplish this, it seems to me to be better enforced at the application level than the operating system level, customized in the application for your specific purposes. Data can be encrypted by multiple keys (belonging to different users) to assure that root users cannot easily bypass controls.
What do you envision -- two people sitting at the same desk where user A authenticates and then user B authenticates and then the sudo command executes? Or user A types in sudo emacs /etc/ssh/sshd_config, a message gets sent to user B who has to use their authentication details to OK that user A can edit the file before they can edit a file?
And again, with the standard workflow, you get permission to open your text editor as superuser before opening the file or creating changes. So you could conceivably get permission from user B to do sudo emacs /etc/ssh/sshd_config but once emacs (as superuser) is open you could start editing any number of other files (say open and edit /etc/shadow, replacing a hash of another admin who went on vacation) or even open up a superuser shell from emacs (without any reprompting of credentials or additional logging of use of sudo in the /var/log/auth.log under the standard setup).
Somewhat related, it is possible to set up two-factor authentication for ssh with a YubiKey or Google. So you could set up a scenario where you require two-factor auth for logging in, require both people to be present while the users are logged in (e.g., both can be fired if anything malicious is noted in the logs) with each member having only one of the factors to login.
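Added example, not part of the original answer: one application-level way to get the "multiple keys belonging to different users" effect is to split a data-encryption key into two XOR shares, so neither user (nor root holding only one share) can recover it alone. This uses 2-of-2 secret splitting rather than two layers of encryption; the function names, the check-value label and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # size of the data-encryption key in bytes (assumed)
CHECK_LABEL = b"two-person-check"  # hypothetical label for the check value


def split_key(key: bytes) -> tuple[bytes, bytes, bytes]:
    """Split key into two shares plus a check value for verifying recombination."""
    share_a = secrets.token_bytes(len(key))               # uniformly random pad
    share_b = bytes(k ^ a for k, a in zip(key, share_a))  # key XOR pad
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return share_a, share_b, check


def combine(share_a: bytes, share_b: bytes, check: bytes) -> bytes:
    """Recombine both shares; raise if the result is not the original key."""
    if len(share_a) != len(share_b):
        raise ValueError("shares differ in length")
    key = bytes(a ^ b for a, b in zip(share_a, share_b))
    expected = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, check):
        raise ValueError("shares do not reconstruct the key")
    return key


def demo() -> bool:
    """Return True if both shares are required to recover the key."""
    key = secrets.token_bytes(KEY_LEN)        # constructed sample key
    share_a, share_b, check = split_key(key)  # hand one share to each user
    if combine(share_a, share_b, check) != key:
        return False
    try:
        # User A alone, substituting a guess for user B's share
        combine(share_a, secrets.token_bytes(KEY_LEN), check)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("two-person recombination enforced:", demo())
```

The recombined key exists in memory only while both shares are presented, so a root user on that host at that moment can still read it; the split protects data at rest between sessions.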