9
3
I'd like to use a different password to elevate my user to sudo status than the password I use to login (either via GUI, shell, or SSH) to my account. Is this possible?
EDIT: Since setting the root password would allow login as root, this is not a good way to go. I'd prefer a user-specific sudo password, rather than a system-wide root password.
Richard
Posted 2012-05-10T17:44:37.743
Reputation: 2 565
2
from man sudoers:
rootpw If set, sudo will prompt for the root password instead of the
password of the invoking user. This flag is off by default.
runaspw If set, sudo will prompt for the password of the user defined
by the runas_default option (defaults to root) instead of the
password of the invoking user. This flag is off by default.
Or you could just ban password based logins via ssh completely. Require a passphrase encrypted key for remote login. Then you are free to use the password for sudo. The relevant option is
from man sshd_config
PasswordAuthentication
Specifies whether password authentication is allowed. The default
is “yes”.
Chas. Owens
Posted 2012-05-10T17:44:37.743
Reputation: 1 842
Thanks for your help, Chas. Owens. I'm afraid a side-effect of your solution is that the root account would have a password and it would therefore be possible to login as root, which is not a door which I wish to leave open. I'd prefer a user-specific sudo password, rather than a system-wide root password. – Richard – 2012-05-10T18:00:28.863
You can disable root login from sshd_config as well – Rob – 2012-05-10T18:35:51.417
1
SOLUTION 1: newgrp
A simple way to address your use case would be to use :NOPASSWD in combination with a group and group passwd:
Add a line to sudoers:
%rudo ALL=(ALL:ALL) NOPASSWD:ALL
Create a passwd protected group:
groupadd rudo
gpasswd rudo # Enter passwd
Now when you login as an unprivileged user (assuming your not already in the rudo group), login to the rudo group, at which point you'll be prompted for the password.
login user
newgrp rudo
Now you can run sudo password-less, so long as you remain logged in to the group.
SOLUTION 2: runaspw
A better, possibly more secure way to do this uses runaspw. runaspw is associated with the runas_default option so you have to add that option too.
Assuming you already have the default %sudo group entry:
%sudo ALL=(ALL:ALL) ALL
add these lines to sudoers file:
Defaults:%sudo runas_default=sudo
Defaults:%sudo runaspw
Now add a new sudo user with a password:
useradd sudo -d /nonexistent -s /usr/sbin/nologin -MNr
passwd sudo
Now sudo group users will be prompted for sudo user's passwd but only users in the sudo group will be able to sudo (unlike with the group solution above, where anyone in the group or with the group passwd could sudo).
A minor issue is the default runas user is now sudo so to sudo as root you need to explicitly specify root:
sudo -u root <cmd>
But easy enough to define an alias (alias sudo='sudo -u root') or indirect sudo command.
spinkus
Posted 2012-05-10T17:44:37.743
Reputation: 160
1
are you looking for this instead in sudoers man?
targetpw If set, sudo will prompt for the password of the user
specified by the -u option (defaults to root) instead of the
password of the invoking user.
johnshen64
Posted 2012-05-10T17:44:37.743
Reputation: 4 399
Thanks for your help, johnshen64. I'm afraid a side-effect of your solution is that the root account would have a password and it would therefore be possible to login as root, which is not a door which I wish to leave open. I'd prefer a user-specific sudo password, rather than a system-wide root password. – Richard – 2012-05-10T18:00:15.290
that user does not have to be root user, it just defaults to root if you do not specify it. you can experiment it to see if it would for you. unix is quite open and if these still do not work for you, you can even write a wrapper script or even modify sudo (if you know c) to do exactly what you want. – johnshen64 – 2012-05-10T18:02:45.133
@johnshen64 I think he is objecting to the fact that the same password would be used for all users. – Chas. Owens – 2012-05-10T18:10:23.820
I see, but an admin user can be created for each user, say ${USER}foradmin, so that a user always specifies -u ${USER}foradmin, though to enforce that sudo still needs to be replaced by a custom script. – johnshen64 – 2012-05-10T18:13:03.637
1
How about disable password logon via SSH and allow public key logon where you can set your difficult to guess password. Then the local password can be shorter and used by sudo.
Other than that you will have to configure /etc/pam.d/sudo to use a different (or additional) module, at first glance pam_dialpass might allow what you need.
You could also configure LDAP configuration for one and local passwords for the other. It will all depend on how much changes you are able and willing to make, what modules are available etc.
Bram
Posted 2012-05-10T17:44:37.743
Reputation: 582
Thanks for your help, Bram. Your first suggestion would work, save that public key authentication can be prohibitive to work with, unless you've come prepared to transfer key files around. – Richard – 2012-05-10T20:12:32.130
1Can you elaborate on this -- why do you want to do this? – Doug Harris – 2012-05-10T17:48:26.533
1I feel the question explains itself well enough, but the goal is to make login secure via lengthy, difficult passwords and then to use a different password for sudo access, so that compromising a user's account does not automatically provide sudo access. – Richard – 2012-05-10T17:52:18.593
I've heard it's possible to do sudo through rsa/dsa keys, which can have any passphrase you want. – Rob – 2012-05-10T18:37:01.850