I have been given a long password by my company for my Ubuntu system. This password is cumbersome to enter when authenticating with sudo
repeatedly.
Can I authenticate with sudo
using a password other than the one associated with my user account, or enable sudo
with no password authentication altogether?
Best Answer
You could tie
sudo
authentication to the knowledge of a secret key managed byssh-agent
. This can be achieved via PAM and thepam_ssh_agent_auth
module. You can generate a separate keypair to use exclusively forsudo
authentication. The password will be the passphrase used to encrypt the private key.To configure the
pam_ssh_agent_auth
module add the following to/etc/pam.d/sudo
before any otherauth
orinclude
directives:You will also need to tell
sudo
not to drop theSSH_AUTH_SOCK
environment variable by adding the following to/etc/sudoers
(viavisudo
):Now add the public portion of the key you want to act as the authentication token to
/etc/security/authorized_keys
. You'd probably also want to add the-t
switch tossh-add
with suitable short lifetime when adding the key to havessh-agent
mimic the defaultsudo
behavior of prompting for password confirmation if a certain time has passed since it was last entered, or even use the-c
switch to trigger password confirmation each time the key is used for authentication.Note that the default in Ubuntu is to use GNOME Keyring for SSH key management, which as far as I know doesn't currently allow key timeout to be set. You can disable SSH key management in GNOME Keyring completely by adding the following to
~/.config/autostart/gnome-keyring-ssh.desktop
:which overrides
/etc/xdg/autostart/gnome-keyring-ssh.desktop
, the key difference being the line: