Can one use a keyfile as a password for sudo?


Context

I like to work in public on my laptop, but I also like to use sudo without a password. Based on what I know now, I would use the NOPASSWD option in my sudoers file, but of course anyone could use sudo as they wish.

One important thought that comes to my mind is that locking programs exist. However, I would prefer using a flash drive (and using it just for sudo) because (1) it is faster, (2) easier than entering my password, and (3) I am not concerned with people accessing my content nor doing nefarious things: the laptop would be in public around other people, and the only intellectual property on my laptop is a very basic Angular project.

Additionally, myself and others may wish to prevent misuse of sudo on a computer not running an X or Wayland environment. My current work requires a modern web browser, but if I ever have the chance to not use X and just use a multiplexer, I do that — my laptop is a bit old and slow.

Question

What I would like to do is put a keyfile on a flash drive, and simply plug in the flash drive when I am at the laptop, and take it out when I step away from it.

So here are my three questions derived from this problem:

  1. Is this possible with sudo as is?
  2. If not, would I be able to write a program that lets me do this?
  3. If so, what language might be the best to write this program?

(4. [Perhaps an extraneous question] Could this package be separate or would it need to be a fork of sudo?)

Note

If it is relevant, my setup is Arch Linux with bspwm, no desktop environment. Most of my work is web development in urxvt / vim and checking it with Chrome.

Best Answer

I'm not sure I understand why the NOPASSWD option doesn't satisfy your requirements all by itself, but if you want to require the presence of the flash drive I can think of something that might almost do what you're looking for.

This is more of a workaround, but you could create a local administrative user, say superuser, and give that user passwordless sudo rights, i.e. add the following line to your /etc/sudoers file:

superuser ALL=(ALL) NOPASSWD:ALL

You could then disable password login and configure key-only SSH authentication for that user, i.e. run passwd -l superuser and add the following stanza to your /etc/ssh/sshd_config:

Match user superuser
PasswordAuthentication no

Then create an SSH key-pair for this user. Add the public key to /home/superuser/.ssh/authorized_keys and put the private key on your flash drive. Then when you want to use the superuser account, plug in your flash-drive and ssh into the superuser account using your private key. And voilà! You now have passwordless sudo for your user. Of course you'll still need to exit your shell sessions when you're done - unplugging the flash drive won't be enough. Although I guess you could also set up a precommand hook to check for the private key and exit automatically if it isn't present (or if it's invalid).
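The precommand check mentioned at the end of the answer could look like this in bash. This is an added example, not part of the original answer; the mount point and key file name are assumptions, and the flash drive must be mounted where the superuser account can read it.

```shell
# Added example for the superuser account's ~/.bashrc (PROMPT_COMMAND is bash-specific).
# Assumed values, not from the original answer: the mount point and key file name.
KEYFILE_PATH="${KEYFILE_PATH:-/run/media/me/KEYS/superuser_ed25519}"
AUTHORIZED_KEYS="${AUTHORIZED_KEYS:-$HOME/.ssh/authorized_keys}"

# key_present_and_valid KEYFILE AUTHORIZED_KEYS
# Returns 0 only if KEYFILE is readable, parses as an unencrypted private key,
# and its public half is listed in AUTHORIZED_KEYS.
key_present_and_valid() {
    _kf=$1
    _ak=$2
    [ -r "$_kf" ] || return 1
    [ -r "$_ak" ] || return 1
    # Derive the public key. -P '' supplies an empty passphrase so ssh-keygen
    # never prompts; a corrupt or passphrase-protected file fails here.
    _pub=$(ssh-keygen -y -P '' -f "$_kf" 2>/dev/null) || return 1
    # Keep "type base64-blob" only; the trailing comment is not part of the key.
    _want=$(printf '%s\n' "$_pub" | cut -d' ' -f1,2)
    [ -n "$_want" ] || return 1
    # Ignore commented-out entries, then look for the key as a fixed string
    # (entries may carry leading options, so match anywhere in the line).
    grep -v '^[[:space:]]*#' "$_ak" | grep -qF -- "$_want"
}

# Run the check before every prompt and end the session when it fails.
PROMPT_COMMAND='key_present_and_valid "$KEYFILE_PATH" "$AUTHORIZED_KEYS" || exit'
```

Because the check runs only when bash draws a prompt, a command that is already running is not interrupted when the drive is removed.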
