If you want to ask for the root password, as opposed to the user's password, there are options that you can put in /etc/sudoers. rootpw in particular will make it ask for the root password. There is runaspw and targetpw as well; see the sudoers(5) manpage for details.

Other than that, sudo does its authentication (like everything else) through PAM. PAM supports per-application configuration. Sudo's config is in (at least on my Debian system) /etc/pam.d/sudo, and looks like this:

```
$ cat /etc/pam.d/sudo
#%PAM-1.0

@include common-auth
@include common-account
@include common-session-noninteractive
```

In other words, by default, it authenticates like everything else on the system. You can change that common-auth line, and have PAM (and thus sudo) use an alternate password source. The non-commented-out lines in common-auth look something like this (by default; this will be different if you're using e.g., LDAP):

```
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
```

You could use e.g., pam_userdb.so instead of pam_unix.so, and store your alternate passwords in a Berkeley DB database.

I created the directory /var/local/sudopass, owner/group root:shadow, mode 2750. Inside it, I went ahead and created a password database file using db5.1_load (which is the version of Berkeley DB in use on Debian Wheezy). With -T, db_load reads alternating key and value lines from standard input, so the username goes on one line and the hash on the next:

```
# umask 0027
# db5.1_load -h /var/local/sudopass -t hash -T passwd.db
anthony
<crypt(3) hash>
^D
```

That hash was generated with mkpasswd -m des, using the password "password". Very highly secure! (Unfortunately, pam_userdb seems to not support anything better than the ancient crypt(3) hashing.)

Now, edit /etc/pam.d/sudo and remove the common-auth line, and instead put this in place:

```
auth    [success=1 default=ignore]      pam_userdb.so crypt=crypt db=/var/local/sudopass/passwd
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
```

pam_userdb adds a .db extension to the passed database, so you must leave the .db off.

According to dannysauer in a comment, you may need to make the same edit to /etc/pam.d/sudo-i as well.

Now, to sudo, I must use password instead of my real login password:

```
$ sudo echo -e '\nit worked'
[sudo] password for anthony: p a s s w o r d RETURN

it worked
```

Thank you Shắc for the answer! That solution also works for LinuxMint 17.1 Cinnamon 32bit (I've only installed the db-util package in order to run db_load).

But I am very confused with the resultant passwd.db file. I did the same as in your answer (but used david and jones, they look more eye-catching):

```
# db_load -t hash -T /usr/local/etc/passwd.db
david
jones
^D
```

But the entered credentials are stored inside the hash file as plain text:

```
# grep 'jones.*david' /usr/local/etc/passwd.db
Binary file /usr/local/etc/passwd.db matches
```

You can also see david and jones via mcedit.

Yes, it's possible to restrict permissions of /usr/local/etc/passwd.db. But anyway, a username and password stored as plain text are bad.

Even with a separate sudo password there are some potential security holes (by default distro setup). Thus, the separate password is not applicable for su (so it is possible to start a root session using su and the login password). Also, the separate password is not respected by Policy Kit (it is possible to start Synaptic using synaptic-pkexec and the login password). These issues can be eliminated by additional tuning of configuration files.

In general it seems that a secure separate sudo password can be achieved only with the aid of a custom PAM module (perhaps such a module will compare the password with a SHA-512 hash read from a file) or SELinux functionality.

My solution isn't any different than the excellently proposed ones. But it goes as an answer because of the text format. However, I do include ALL commands for all steps, taking out any guesswork or further reading. I'm not against reading, just there are times when a pure reference is required.

I've installed db-util and whois (for mkpasswd):

```sh
sudo apt --yes install db-util whois
```

```sh
# Flavor is either sudo or sudo-i, recommended to test only on one first
FLAVOR=sudo-i
# Uncomment next line to erase existing db and start from scratch:
# sudo bash -c "[ ! -r /var/local/sudopass/passwd.db ] || rm /var/local/sudopass/passwd.db"
# PASSWD holds the new sudo password (e.g. from read -s PASSWD);
# /var/local/sudopass is the root:shadow, mode 2750 directory from the first answer.
printf "%s\n" "$USER" "$( mkpasswd -m sha-512 "$PASSWD" )" \
  | sudo db_load -Tt hash -h /var/local/sudopass passwd.db \
&& sudo sed -E 's|^@include[ \t]+common-auth$|auth\t[success=1 default=ignore]\tpam_userdb.so crypt=crypt db=/var/local/sudopass/passwd\nauth\trequisite\t\t\tpam_deny.so\nauth\trequired\t\t\tpam_permit.so\n|' -i "/etc/pam.d/$FLAVOR" \
&& sudo -k && sudo -v || sudo journalctl -xe
# sudo -k drops the cached ticket so the next sudo must re-authenticate against
# the new DB; sudo -v just re-validates, any sudo command works as the test.
```

Choice of FLAVOR (sudo, sudo-i): I recommend you start with sudo-i.

The commented-out rm line reads: if the DB is not readable (for sudo), continue; otherwise, remove the file. So sudo continues to behave the same until you've made sure. It is written this way so that it 'always succeeds'.
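The procedure the three answers above describe, as one set of reusable shell helpers. This is an added example and not code from any of the answers: it generates the same three-line pam_userdb stanza, swaps it in for the `@include common-auth` line with a guard against applying it twice and a rollback copy, and builds the Berkeley DB from a crypt(3) hash rather than the cleartext (the second answer's complaint: db_load stores exactly what it is fed, so feed it the hash). The function names, the `openssl passwd -6` fallback for `mkpasswd`, and the sample service file used in the usage comment are this example's own assumptions; the paths are the ones the answers use.

```sh
#!/bin/sh
# Added example (not from the answers above): the pam_userdb swap as
# idempotent helpers. Function names, the openssl fallback and the sample
# service file in the usage comment are assumptions of this example.
set -u

# The three auth lines that replace "@include common-auth" in a pam.d service.
# $1 is the DB path WITHOUT the .db suffix, because pam_userdb appends it.
pam_userdb_auth_block() {
    printf 'auth\t[success=1 default=ignore]\tpam_userdb.so crypt=crypt db=%s\n' "$1"
    printf 'auth\trequisite\t\t\tpam_deny.so\n'
    printf 'auth\trequired\t\t\tpam_permit.so\n'
}

# patch_pam_service FILE DBPATH: replace the single "@include common-auth"
# line in FILE with pam_userdb_auth_block, keeping FILE.bak for rollback.
# Returns 1 without touching FILE when the include is missing or appears more
# than once, so running it twice cannot stack two stanzas.
patch_pam_service() {
    file=$1; db=$2
    n=$(grep -c -E '^@include[[:blank:]]+common-auth[[:blank:]]*$' "$file") || true
    if [ "$n" -ne 1 ]; then
        printf 'refusing: %s common-auth include(s) in %s, expected 1\n' "$n" "$file" >&2
        return 1
    fi
    blk=$(mktemp) && tmp=$(mktemp) || return 1
    pam_userdb_auth_block "$db" > "$blk"
    cp -p "$file" "$file.bak" || return 1
    awk -v blk="$blk" '
        /^@include[ \t]+common-auth[ \t]*$/ {
            while ((getline l < blk) > 0) print l   # splice the stanza in
            close(blk); next
        }
        { print }' "$file" > "$tmp" || return 1
    cat "$tmp" > "$file"                 # overwrite in place: mode and owner survive
    rc=$?; rm -f "$blk" "$tmp"; return $rc
}

# crypt_hash PASSWORD: SHA-512 crypt(3) string ($6$...) for pam_userdb crypt=crypt.
# pam_userdb passes the stored value to crypt(3) as the salt and glibc's crypt
# understands $6$, so this is stronger than the DES hash in the first answer.
crypt_hash() {
    if command -v mkpasswd >/dev/null 2>&1; then
        mkpasswd -m sha-512 "$1"          # whois package
    else
        openssl passwd -6 "$1"            # fallback assumed by this example
    fi
}

# build_userdb DIR USER HASH: create DIR/passwd.db in db_load's -T text format,
# i.e. alternating key and value lines. The value is the hash, never the
# cleartext: db_load stores exactly what it is given.
build_userdb() {
    dir=$1; user=$2; hash=$3
    install -d -m 2750 -o root -g shadow "$dir" || return 1
    printf '%s\n%s\n' "$user" "$hash" | db_load -T -t hash -h "$dir" passwd.db || return 1
    chmod 0640 "$dir/passwd.db"
}

# userdb_value DIR USER: print the value stored for USER (should be a $6$ hash).
userdb_value() {
    db_dump -p "$1/passwd.db" | awk -v k=" $2" '$0 == k { getline; sub(/^ /, ""); print; exit }'
}

# Typical run as root, mirroring the answers (not executed here):
#   printf 'New sudo password: '; stty -echo; read -r p; stty echo; echo
#   h=$(crypt_hash "$p"); unset p
#   build_userdb /var/local/sudopass "$SUDO_USER" "$h"
#   userdb_value /var/local/sudopass "$SUDO_USER"     # expect $6$..., not the cleartext
#   patch_pam_service /etc/pam.d/sudo /var/local/sudopass/passwd
#   sudo -k && sudo -v   # from a second terminal, before closing this root shell
```

Test from a second terminal before closing the shell that is already root: with an unreadable DB or a bad hash every sudo attempt fails, and restoring `/etc/pam.d/sudo.bak` is then only possible from a shell that already holds root. The guard in `patch_pam_service` also makes the sudo-i case explicit: patch `/etc/pam.d/sudo-i` as a second call, and note the scope the second answer flags, namely that `su`, `pkexec` and login keep using common-auth.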