1

Is this recommended and/or possible? I just don't like the idea of anyone beside me being able to see when I type my password.

Michael
Adrian Lopez
    It looks like sudo supports PAM, so you should be able to do something like [this](https://access.redhat.com/solutions/3029711). – user Feb 28 '20 at 13:50

1 Answer

2

When you talk about a pen drive and certificate-based authentication, you probably want two-factor authentication (2FA). This means that you do not use the pen drive instead of the password but in addition to the password. If I understood your question correctly, you are not doing this for usability but for added security; therefore, 2FA is the way to go.

It is possible to configure sudo with 2FA - e.g. there is a guide for a Yubikey implementation. This is just an example, as the configuration will depend on the actual hardware you are using. Any FIDO/U2F device that's supported by your OS can be used.

For the sake of completeness, you actually can configure sudo to work without a password, just using the pen drive, but I would not recommend this from a security perspective. Both options are shown in chapters 4.a) and 4.b) respectively in this guide for Fedora.

Demento
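The two setups the answer contrasts (key in addition to the password versus key alone) differ in the PAM control flag on the token module's `auth` line. The following is an added example, not part of the answer or the linked guides: it assumes the token is handled by the `pam_u2f.so` module, uses constructed sample files, and reports whether the key alone can satisfy sudo.

```python
"""Classify how a U2F/FIDO PAM module is stacked in a sudo PAM file."""
import re
import sys

U2F_MODULE = "pam_u2f.so"  # assumption: the token is driven by pam_u2f

# Constructed sample files, not taken from any real host or guide.
SAMPLE_PASSWORDLESS = """\
#%PAM-1.0
auth       sufficient   pam_u2f.so cue
auth       include      system-auth
account    include      system-auth
"""
SAMPLE_2FA = """\
#%PAM-1.0
auth       required     pam_u2f.so cue
auth       include      system-auth
account    include      system-auth
"""


def auth_entries(text):
    """Yield (control, module) for every 'auth' line, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # The control is either a keyword or a bracketed [value=action ...] list.
        m = re.match(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            yield m.group(1), m.group(2).rsplit("/", 1)[-1]


def classify(text):
    """Return 'no-u2f', 'key-alone-suffices', 'key-mandatory' or 'review'."""
    controls = [c for c, mod in auth_entries(text) if mod == U2F_MODULE]
    if not controls:
        return "no-u2f"
    if "sufficient" in controls:
        return "key-alone-suffices"   # a successful touch ends auth, no password
    if all(c in ("required", "requisite") for c in controls):
        return "key-mandatory"        # key is needed on top of the rest of the stack
    return "review"                   # optional/bracketed control: read by hand


if __name__ == "__main__":
    # Pass a file such as /etc/pam.d/sudo, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_2FA
    print(classify(text))
```

A `key-mandatory` result only says the token cannot be skipped; whether a password is also demanded depends on the remaining `auth` lines and the included stack.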