On Tuesday 07 August 2018 15:08:34 Nemeth Gyorgy wrote:

> On 2018-08-07 14:50, The Wanderer wrote:
> > But it's more secure to require a second password to do elevated
> > things than to permit doing those things with the same password as
> > is used for ordinary activities.
>
> Then use other pam backend module for sudo and not the 'common-auth'.
> There are a lot of pam auth methods. You only have to create a second
> database which is supported by some of the libpam modules and modify
> /etc/pam.d/sudo
>
> In this case you still don't have to share a common root password
> (which is really bad) and can require a second password for doing
> elevated things.

How to do that should be written up and published at a Google-findable
site as this idea seems to offer an additional layer of security. But
one that you can still remember w/o painting it on the wall.

I have one jessie machine that has a long root pw, but sudo hasn't
needed a pw for a long time. Nor does it advise you in the shell
prompt that it's a sudo -i empowered shell, and that bothers the hell
outta me.

Having sudo ask for yet a 3rd password phrase of 60 or more chars (with
no objections to a word separating space here and there) to become
active seems like a good thing for security.

--
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
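
One way to set up what the quoted message describes, written out as an added example that is not part of either post. It assumes a Debian-style /etc/pam.d/sudo and uses pam_userdb as the separate backend, which is a module chosen here and not one named in the thread; the database path, user name and file names are placeholders.

```conf
# --- Before: typical Debian /etc/pam.d/sudo ---------------------------
# sudo authenticates through common-auth, i.e. with the same login
# password that is used for ordinary activities.
#
#   @include common-auth
#   @include common-account
#   @include common-session-noninteractive

# --- After: /etc/pam.d/sudo with its own password database ------------
# The auth stack no longer includes common-auth. pam_userdb looks the
# user up in a separate Berkeley DB file: "db=" is given WITHOUT the
# .db suffix, and "crypt=crypt" means the stored values are crypt(3)
# hashes rather than plaintext.
# /etc/sudo_passwd is a placeholder path (assumption).
auth    required    pam_userdb.so db=/etc/sudo_passwd crypt=crypt

# Account and session handling stay as they were.
@include common-account
@include common-session-noninteractive

# --- Building the database (once, as root; names are placeholders) ----
# 1. Hash the sudo-only passphrase:
#        mkpasswd -m sha-512            (from the "whois" package)
# 2. Put user name and hash on alternating lines of a temporary file:
#        alice
#        $6$<salt>$<hash>
# 3. Load it into the database and restrict access:
#        db_load -T -t hash -f /root/sudo_users.txt /etc/sudo_passwd.db
#        chmod 600 /etc/sudo_passwd.db
#        shred -u /root/sudo_users.txt  (remove the temporary file)
```

Entries marked NOPASSWD in sudoers skip the PAM auth stack, so the second password applies only where sudo actually prompts. Keep a root shell open while testing the new stack so that a mistake in /etc/pam.d/sudo cannot lock you out.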