Two password (factor) authentication to root user / sudo

7

1

With regards to running Linux remotely (SSH) I'd like to employ two levels of authentication for accessing the system with root privileges.

I have the root account disabled / locked out so direct access to the system is not possible with root user.

I access the system with a normal user, and then from there I can sudo. Of course, it is merely the same password to gain root privileges.

In /etc/sudoers, you can set the directive Default rootpw which will prompt for a root (second) password. However, I have the root account locked and so there is no password.

My question is, how can I have the user enter a 2nd DIFFERENT password to access the root account or to sudo?

Mike

Posted 2013-03-20T20:02:22.490

Reputation: 897

Answers

7

Set a password on the root account, and set /sbin/nologin or your local equivalent as root's shell. Then set the 'Default rootpw' directive in /etc/sudoers, and you'll have what you're looking for: root won't be able to log in by any means, but will have a password set, which sudo will require sudoers to provide before letting them sudo anything.

Aaron Miller

Posted 2013-03-20T20:02:22.490

Reputation: 8 849

Perfect! Didn't know about that! – Mike – 2013-03-20T20:19:52.947

Glad to be of help! – Aaron Miller – 2013-03-20T20:56:13.497
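The accepted answer as a script, added here as an example and not part of the original question or answer. One detail first: the directive is spelled `Defaults rootpw` (plural) in sudoers(5); `Default rootpw` is a parse error. The script's `apply` mode does the three steps from the answer, and its `audit` mode checks the result, including two things the answer does not spell out: a root hash that is still locked (the `!` prefix that `passwd -l` adds) makes every sudo attempt fail once `rootpw` is on, because pam_unix rejects locked hashes; and if the nologin shell is listed in /etc/shells, `su` treats it as an unrestricted shell and a user who knows the root password can run `su -s /bin/bash root` to get a root shell anyway. Assumptions not in the post: nologin lives at /usr/sbin/nologin (Debian/Ubuntu; it is /sbin/nologin on Red Hat derivatives), the drop-in is /etc/sudoers.d/rootpw and /etc/sudoers has an `@includedir /etc/sudoers.d` line, and `usermod`/`passwd` are the shadow-utils versions. The check functions take file paths so they can be run against copies or test fixtures.

```shell
#!/bin/sh
# Added example, not from the original post: apply the accepted answer's
# recipe (root password set, root shell = nologin, Defaults rootpw) and
# audit a system for it. Assumed paths (not in the post): nologin at
# /usr/sbin/nologin and the sudoers drop-in /etc/sudoers.d/rootpw, which
# /etc/sudoers must pull in with an @includedir line.

# ---- checks: each takes file paths, so they also run against copies ----

# Root's login shell (7th passwd field) must be a nologin-style shell.
root_shell_is_nologin() {
    rsin_shell=$(awk -F: '$1 == "root" { print $7 }' "$1")
    case "$rsin_shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Root's shadow hash must be usable. `passwd -l` prefixes it with "!" and
# "*" means "no password"; pam_unix rejects both, so with Defaults rootpw
# every sudo attempt would fail instead of asking for a second password.
root_password_usable() {
    rpu_hash=$(awk -F: '$1 == "root" { print $2 }' "$1")
    case "$rpu_hash" in
        ""|"!"*|"*"*) return 1 ;;
        *) return 0 ;;
    esac
}

# su honours `-s <shell>` from a non-root caller only if the target's
# shell is listed in /etc/shells, so the nologin shell must NOT be listed
# there; otherwise anyone knowing the root password can `su -s /bin/bash root`.
root_shell_not_in_etc_shells() {
    rsnes_shell=$(awk -F: '$1 == "root" { print $7 }' "$1")
    [ -n "$rsnes_shell" ] || return 1
    ! grep -qxF -- "$rsnes_shell" "$2" 2>/dev/null
}

# An un-negated `rootpw` must appear on a Defaults line in sudoers or a
# drop-in (also matches lists such as "Defaults env_reset, rootpw").
sudoers_has_rootpw() {
    for shr_file in "$@"; do
        [ -f "$shr_file" ] || continue
        grep -Eq '^[[:space:]]*Defaults[[:space:]]+([^#]*[[:space:],])?rootpw([[:space:],]|$)' "$shr_file" && return 0
    done
    return 1
}

# Run one check, print its result, remember any failure.
run_check() {
    if "$@"; then
        echo "ok   : $1"
    else
        echo "FAIL : $1"
        audit_failed=1
    fi
}

# audit_rootpw_setup [passwd] [shadow] [shells] [sudoers...]; 0 only if all pass.
audit_rootpw_setup() {
    ars_passwd=${1:-/etc/passwd}
    ars_shadow=${2:-/etc/shadow}
    ars_shells=${3:-/etc/shells}
    if [ $# -gt 3 ]; then shift 3; else set -- /etc/sudoers /etc/sudoers.d/*; fi
    audit_failed=0
    run_check root_shell_is_nologin "$ars_passwd"
    run_check root_password_usable "$ars_shadow"
    run_check root_shell_not_in_etc_shells "$ars_passwd" "$ars_shells"
    run_check sudoers_has_rootpw "$@"
    return "$audit_failed"
}

# ---- apply: run as root; `passwd root` prompts for the new root password ----
apply_rootpw_setup() {
    passwd root || return 1                          # setting a password also unlocks the account
    usermod -s /usr/sbin/nologin root || return 1    # no login, su or ssh session for root
    printf 'Defaults rootpw\n' > /etc/sudoers.d/rootpw
    chmod 0440 /etc/sudoers.d/rootpw
    # sudo refuses to run at all if any sudoers file fails to parse, so
    # validate the drop-in and remove it again if visudo rejects it.
    visudo -cf /etc/sudoers.d/rootpw || { rm -f /etc/sudoers.d/rootpw; return 1; }
    audit_rootpw_setup
}

case "${1:-}" in
    audit) shift; audit_rootpw_setup "$@" ;;
    apply) apply_rootpw_setup ;;
esac
```

Run `sh rootpw.sh apply` as root to set it up, and `sh rootpw.sh audit` afterwards (reading /etc/shadow needs root too); `audit` can also be pointed at copied files, e.g. `sh rootpw.sh audit ./passwd ./shadow ./shells ./sudoers`. If the nologin shell turns out to be listed in /etc/shells, remove that line rather than relying on the shell alone.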