Ubuntu – How to allow authentication with `sudo` using an alternate password

Tags: authentication, sudo, Ubuntu

I have been given a long password by my company for my Ubuntu system. This password is cumbersome to enter when authenticating with sudo repeatedly.

Can I authenticate with sudo using a password other than the one associated with my user account, or enable sudo with no password authentication altogether?

Best Answer

You could tie sudo authentication to the knowledge of a secret key managed by ssh-agent. This can be achieved via PAM and the pam_ssh_agent_auth module. You can generate a separate keypair to use exclusively for sudo authentication. The password will be the passphrase used to encrypt the private key.

To configure the pam_ssh_agent_auth module add the following to /etc/pam.d/sudo before any other auth or include directives:

auth       sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys

You will also need to tell sudo not to drop the SSH_AUTH_SOCK environment variable by adding the following to /etc/sudoers (via visudo):

Defaults    env_keep += "SSH_AUTH_SOCK"

Now add the public portion of the key you want to act as the authentication token to /etc/security/authorized_keys. You'd probably also want to add the -t switch to ssh-add with a suitably short lifetime when adding the key, to have ssh-agent mimic the default sudo behavior of prompting for password confirmation if a certain time has passed since it was last entered, or even use the -c switch to trigger password confirmation each time the key is used for authentication.

Note that the default in Ubuntu is to use GNOME Keyring for SSH key management, which as far as I know doesn't currently allow a key timeout to be set. You can disable SSH key management in GNOME Keyring completely by adding the following to ~/.config/autostart/gnome-keyring-ssh.desktop:

[Desktop Entry]
Type=Application
Name=SSH Key Agent
Comment=GNOME Keyring: SSH Agent
Exec=/usr/bin/gnome-keyring-daemon --start --components=ssh
OnlyShowIn=GNOME;Unity;MATE;
X-GNOME-Autostart-Phase=Initialization
X-GNOME-AutoRestart=false
X-GNOME-Autostart-Notify=true
X-GNOME-Autostart-enabled=false
X-GNOME-Bugzilla-Bugzilla=GNOME
X-GNOME-Bugzilla-Product=gnome-keyring
X-GNOME-Bugzilla-Component=general
X-GNOME-Bugzilla-Version=3.10.1
NoDisplay=true
X-Ubuntu-Gettext-Domain=gnome-keyring

which overrides /etc/xdg/autostart/gnome-keyring-ssh.desktop, the key difference being the line:

X-GNOME-Autostart-enabled=false
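The procedure in the answer above, as an added example that is not part of the original answer: a POSIX shell script that stages the three changes (the PAM line, the sudoers env_keep setting and the authorized_keys entry) under a prefix directory so they can be inspected before being applied to the live system, and that loads the sudo-only key into ssh-agent with -t and -c. The PREFIX staging mechanism, the drop-in file /etc/sudoers.d/ssh-agent-auth (instead of editing /etc/sudoers directly), the key path ~/.ssh/id_ed25519_sudo and the 900-second lifetime are my assumptions, not from the answer.

```shell
#!/bin/sh
# Added example, not the answer's own code. Stages the answer's three config
# changes under $PREFIX (empty PREFIX = the real /etc) so they can be reviewed
# first. Assumptions: drop-in name, key path and 900 s lifetime are mine.
set -eu

PREFIX="${PREFIX:-}"
PAM_SUDO="$PREFIX/etc/pam.d/sudo"
SUDOERS_DROPIN="$PREFIX/etc/sudoers.d/ssh-agent-auth"
AUTH_KEYS="$PREFIX/etc/security/authorized_keys"
SUDO_KEY="${SUDO_KEY:-${HOME:-/root}/.ssh/id_ed25519_sudo}"

# The PAM line from the answer. The file= path is what the module reads at
# sudo time on the live system, so it is deliberately not prefixed.
pam_line() {
    printf '%s\n' 'auth       sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys'
}

# Insert pam_line before the first auth/@include directive, once only.
# "sufficient" means a matching agent key satisfies auth on its own; if the
# module fails (no agent, no matching key) PAM falls through to the password
# modules that follow, so the account password keeps working.
install_pam_line() {
    if [ -f "$PAM_SUDO" ] && grep -q 'pam_ssh_agent_auth\.so' "$PAM_SUDO"; then
        return 0
    fi
    mkdir -p "$(dirname "$PAM_SUDO")"
    touch "$PAM_SUDO"
    tmp=$(mktemp)
    awk -v line="$(pam_line)" '
        !done && ($1 == "auth" || $1 == "@include") { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$PAM_SUDO" > "$tmp"
    cat "$tmp" > "$PAM_SUDO"   # overwrite in place to keep owner and mode
    rm -f "$tmp"
}

# sudo must keep SSH_AUTH_SOCK or the module cannot reach the agent. A
# drop-in under sudoers.d is equivalent to the answer's visudo edit; it must
# be mode 0440 or sudo ignores it.
install_sudoers_dropin() {
    mkdir -p "$(dirname "$SUDOERS_DROPIN")"
    printf 'Defaults    env_keep += "SSH_AUTH_SOCK"\n' > "$SUDOERS_DROPIN"
    chmod 0440 "$SUDOERS_DROPIN"
}

# Syntax-check the drop-in; -f limits visudo to this one file.
check_sudoers_dropin() {
    visudo -cf "$SUDOERS_DROPIN"
}

# Append the public half of the sudo key (argument: path to a .pub file).
# By default pam_ssh_agent_auth only trusts a root-owned file that others
# cannot write, hence 0644; chown it to root when applying for real.
install_authorized_key() {
    pub="$1"
    mkdir -p "$(dirname "$AUTH_KEYS")"
    touch "$AUTH_KEYS"
    chmod 0644 "$AUTH_KEYS"
    if ! grep -qxF "$(cat "$pub")" "$AUTH_KEYS"; then
        cat "$pub" >> "$AUTH_KEYS"
    fi
}

# Dedicated keypair whose passphrase becomes the "alternate password"; then
# load it with a 15-minute lifetime (-t) and per-use confirmation (-c).
generate_key() {
    [ -f "$SUDO_KEY" ] || ssh-keygen -t ed25519 -f "$SUDO_KEY" -C "sudo-auth"
}
load_key() {
    ssh-add -t 900 -c "$SUDO_KEY"
}

count_pam_lines() {
    grep -c 'pam_ssh_agent_auth\.so' "$PAM_SUDO"
}

case "${1:-}" in
    key)   generate_key; load_key ;;
    stage) install_pam_line
           install_sudoers_dropin
           check_sudoers_dropin
           install_authorized_key "$SUDO_KEY.pub" ;;
esac
```

Run `sh setup.sh key` as yourself, then `PREFIX=/tmp/stage sh setup.sh stage` to review the staged files, and finally `sudo SUDO_KEY=$HOME/.ssh/id_ed25519_sudo sh setup.sh stage` with PREFIX unset to apply them. Two caveats: ssh-add -c relies on an askpass program (ssh-askpass or an equivalent) being available, and once this is in place anyone who can reach your agent socket can satisfy sudo, so do not forward this agent to hosts you do not fully trust.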