How to Use Different Passwords for Administration and System Login

pampasswordsudo

How can I give a user one password for normal usage when logging in, and another password for system administration and sudo access? I want one user to have two passwords.

Best Answer

There is a way to do this by overriding the PAM (Pluggable Authentication Module) settings for the sudo service. Do this at great risk to your machine - don't just copy and paste unless you understand what the command does, and always keep a root terminal open - test test test! - before logging it out, in case you need to go back and fix something.

I recommend reading some information about how PAM works so you know what to do if it breaks. I also recommend most users approach this problem from a different angle (making a separate user account for administration) because the solution may be susceptible to hash table attacks on your password if you haven't set your permissions correctly.

If you're determined to proceed, you'll need to install a new PAM module. pam_pwdfile uses the old-style /etc/passwd type file for authentication, which is great for using different passwords for different services. It provides no account recognition - you can create username/password pairs for users that do not exist on the system. Since we'll be using it for sudo, it doesn't matter, as we'll just let sudo check the account exists in the usual way.

sudo apt-get install libpam-pwdfile

I also recommend grabbing a handy htpasswd file editor. Benjamin Schweizer has created a handy editor in python which works well. Grab it from http://benjamin-schweizer.de/htpasswd_editor.html and install its dependency:

sudo apt-get install python-newt

Generate a htpasswd format file using the tool - sudo python htpasswd_editor sudo.passwd. Put in a username and password using the same username that you will be using for sudo - one for each user that will be using it. Copy it to somewhere secure (when testing this I put it in /etc/sudo.passwd) and make it unreadable to regular users: chmod 660 /etc/sudo.passwd as root.

Make sure the file is owned by root and unreadable to other users. This is a vulnerability as the file contains a hashed password, and if it is readable or writeable by other users, it breaks your security badly. It is for this reason I don't recommend this method on a machine that must be kept secure.

Finally, edit the /etc/pam.d/sudo file. Add the following line above the other @include ... lines:

auth    required    pam_pwdfile.so pwdfile /etc/sudo.passwd

Obviously replacing the last argument with the path to your generated htpasswd file. Comment out the next line: #@include common-auth to make sure it is using the new authentication method.

Word of caution - you will need to edit the /etc/pam.d/sudo file from a root terminal. Do not close this without testing! If you do, you may not be able to log back in (if you have broken something), and would have to boot from a Recovery disk to repair your system. Test before logging out by opening a new terminal and try using sudo. You should find that it will no longer work with your regular login password, but instead requires the new password you used when you generated the passwd file. To update the file, use the useful tool again.

Related Question