Linux – a safer no password sudo

linuxSecuritysusudosudoers

Ok, here's my problem – Please don't yell at me for being insecure! 🙂 This is on my host machine. I'm the only one using it so it's fairly safe, but I have a very complex password that is hard to type over and over. I use the console for moving files around and executing arbitrary commands a LOT, and I switch terminals, so sudo remembering for the console isn't enough (AND I still have to type in my terrible password at least once!) In the past I have used the NOPASSWD trick in sudoers but I've decided to be more secure. Is there any sort of compromise besides allowing no password access to certain apps? (which can still be insecure) Something that will stop malware and remote logins from sudo rm -rf /-ing me, but in my terminals I can type happily away? Can I have this per terminal, perhaps, so just random commands won't make it through? I've tried running the terminal emulations as sudo, but that puts me as root.

Best Answer

Try adding this to your sudo options:

Defaults timestamp_timeout=0, tty_tickets

tty_tickets option (on by default) will make sudo ask password if it was not asked previously in that particular tty (including terminal emulators ptys), and timestamp_timeout=0 option will make it not ask it again in the whole session.

So, when you want to do some administrative operations, you can open terminal, sudo something, close it, and you will be safe again.

Related Solutions

Linux – How to make Shared Keys .ssh/authorized_keys and sudo work together

ssh and sudo have nothing to do with each other. Setting up an ssh authentication method isn't going to do anything for sudo. sudo isn't going to understand an ssh password.

passwd -l is intended to lock a user's account, so that he can no longer authenticate by password. That's pretty much the opposite of what you want, which is letting the user authenticate without a password.

I think what you want is the NOPASSWD option in your sudoers file.

(PS, there's no reason to be running a cd command with sudo. cd does not propagate to parent processes, so as soon as the sudo exits, you're back where you started.)

Edit: You keep saying that you want to lock the account password and want sudo to understand public/private keys. Sorry, sudo isn't going to use ssh keys. It isn't ssh. If you don't want users to be able to log in with their passwords, I think the answer is to disable ssh password authentication, not to lock the account. Then you can retain a password for the users, which they can use to sudo after they log in via ssh authorized_keys.

One sudo for multiple terminals

Turn off tty_tickets. See sudoers(5) for more information.

Run visudo and then add a line:

Defaults !tty_tickets

Best Answer

Related Solutions

Linux – How to make Shared Keys .ssh/authorized_keys and sudo work together

One sudo for multiple terminals

Related Question