Set sudo password differently from login one
If you want to ask for the root password, as opposed to the user's password, there are options that you can put in /etc/sudoers
. rootpw
in particular will make it ask for the root password. There is runaspw
and targetpw
as well; see the sudoers(5) manpage for details.
Other than that, sudo does its authentication (like everything else) through PAM. PAM supports per-application configuration. Sudo's config is in (at least on my Debian system) /etc/pam.d/sudo
, and looks like this:
$ cat sudo
#%PAM-1.0
@include common-auth
@include common-account
@include common-session-noninteractive
In other words, by default, it authenticates like everything else on the system. You can change that @include common-auth
line, and have PAM (and thus sudo) use an alternate password source. The non-commented-out lines in common-auth look something like (by default, this will be different if you're using e.g., LDAP):
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
You could use e.g., pam_userdb.so
instead of pam_unix.so
, and store your alternate passwords in a Berkeley DB database.
example
I created the directory /var/local/sudopass
, owner/group root:shadow
, mode 2750
. Inside it, I went ahead and created a password database file using db5.1_load
(which is the version of Berkeley DB in use on Debian Wheezy):
# umask 0027 # db5.1_load -h /var/local/sudopass -t hash -T passwd.db anthony WMaEFvCFEFplI ^D
That hash was generated with mkpasswd -m des
, using the password "password". Very highly secure! (Unfortunately, pam_userdb seems to not support anything better than the ancient crypt(3)
hashing).
Now, edit /etc/pam.d/sudo
and remove the @include common-auth
line, and instead put this in place:
auth [success=1 default=ignore] pam_userdb.so crypt=crypt db=/var/local/sudopass/passwd
auth requisite pam_deny.so
auth required pam_permit.so
Note that pam_userdb adds a .db
extension to the passed database, so you must leave the .db
off.
According to dannysauer in a comment, you may need to make the same edit to /etc/pam.d/sudo-i
as well.
Now, to sudo, I must use password
instead of my real login password:
anthony@sudotest:~$ sudo -K anthony@sudotest:~$ sudo echo -e '\nit worked' [sudo] password for anthony: passwordRETURN it worked
For Redhat/Centos, the requirement can be achieved with following steps:
Create custom user and pass:
# db_load -t hash -T /usr/local/etc/passwd.db
user
pass
^d
Edit the sudo pam.d file so that it looks like:
$ cat /etc/pam.d/sudo
auth required pam_userdb.so db=/usr/local/etc/passwd
account required pam_userdb.so db=/usr/local/etc/passwd
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
Im still looking for the way to config, so that only a certain user/group must be authen by this custom method, others still can be authen by the normal system-auth method. Can anyone give me some advises?
I don't think sudo supports such a setup. The purpose of the sudo password prompt is to ensure that the person issuing the sudo command is the same person that is logged in, and the easiest way to do that is to ask for the currently logged in user to re-authenticate themselves.
In other words, the purpose of the sudo password prompt is not to establish authority, it is to establish identity. Based on the established identity and the sudo configuration, a decision can be made whether the user in question has the necessary authority or access rights.