Is this recommended and/or possible? I just don't like the idea of anyone beside me being able to see when I type my password.
It looks like sudo supports PAM, so you should be able to do something like [this](https://access.redhat.com/solutions/3029711). – user Feb 28 '20 at 13:50
1 Answer
When you talk about a pen drive and certificate-based authentication, you probably want two-factor authentication (2FA). This means that you do not use the pen drive instead of the password but in addition to the password. If I understood your question correctly, you are not doing this for usability but for added security, therefore 2FA is the way to go.
It is possible to configure sudo with 2FA - e.g. there is a guide for a YubiKey implementation. This is just an example, as the configuration will depend on the actual hardware you are using. Any FIDO/U2F device that's supported by your OS can be used.
For the sake of completeness, you actually can configure sudo to work without a password, just using the pen drive, but I would not recommend this from a security perspective. Both options are shown in chapter 4.a) and 4.b) respectively in this guide for Fedora.
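The answer distinguishes a token used in addition to the password from a token used instead of it; in a PAM stack that difference comes down to the control flag on the token module's `auth` line. The following check is an added example, not part of the original answer or the linked guides: it classifies a sudo PAM stack, assuming the token module is `pam_u2f.so` and the password stack is pulled in as `system-auth` (both names and all sample stacks are constructed for illustration).

```python
import re

# Constructed sample stacks; "system-auth" is an assumed password stack name.
TWO_FACTOR = """#%PAM-1.0
auth     required    pam_u2f.so cue
auth     include     system-auth
account  include     system-auth
"""
TOKEN_ONLY = TWO_FACTOR.replace("required", "sufficient")
PASSWORD_ONLY = """#%PAM-1.0
auth     include     system-auth
account  include     system-auth
"""
BRACKETED = TWO_FACTOR.replace("required", "[success=1 default=ignore]")

# type, control (plain word or [value=action ...]), module, optional arguments
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return (type, control, module, args) tuples, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = RULE.match(line)
        if match:
            kind, control, module, args = match.groups()
            rules.append((kind.lstrip("-"), control, module, args))
    return rules

def classify(text, token_module="pam_u2f.so"):
    """Say whether the token is mandatory on top of the other auth rules."""
    auth = [r for r in parse_stack(text) if r[0] == "auth"]
    token = [r for r in auth if r[2].endswith(token_module)]
    if not token:
        return "password-only"
    control = token[0][1]
    if control in ("required", "requisite"):
        # The token must succeed; any other auth rule is an additional factor.
        return "two-factor" if len(auth) > len(token) else "token-only"
    if control == "sufficient":
        # The token is never mandatory: it replaces the password or is optional.
        return "single-factor"
    return "review-manually"  # bracketed or unusual control values

if __name__ == "__main__":
    for name in ("TWO_FACTOR", "TOKEN_ONLY", "PASSWORD_ONLY", "BRACKETED"):
        print(name, "->", classify(globals()[name]))
```

A "two-factor" result only says the token is mandatory alongside other `auth` rules; whether those rules actually prompt for a password depends on the included stack.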