But it goes as answer because of text format. In general seems that secure separate sudo password can be achieved only with aid of custom PAM module (perhaps, such module will compare password and SHA-512 hash read from file) or SELinux functionality. These issues can be eliminated by additional tuning of configuration files. Also separate password is not respected by Policy Kit (it is possible to start Synaptic using synaptic-pkexec and login password. Thus, separate password is not applicable for su (so it is possible to start root session using su and login password). But anyway, username and password stored as plain text are bad.Įven with separate sudo password there are some potential security holes (by default distro setup). Yes, it's possible to restrict permissions of /usr/local/etc/passwd.db. You can also see david and jones via mcedit: I've did the same as in your answer (but used david and jones, they look more eye-catching): # db_load -t hash -T /usr/local/etc/passwd.dbīut entered credentials are stored inside hash file as plain text: # grep 'jones.*david' /usr/local/etc/passwd.dbīinary file /usr/local/etc/passwd.db matches Thank you Shắc for the answer! That solution also works for LinuxMint 17.1 Cinnamon 32bit (I've only installed db-util package in order to run db_load).īut I am very confused with the resultant passwd.db file. password for anthony: p a s s w o r d RETURN Now, to sudo, I must use password instead of my real login password: sudo sudo echo -e '\nit worked' db off.Īccording to dannysauer in a comment, you may need to make the same edit to /etc/pam.d/sudo-i as well. db extension to the passed database, so you must leave the. Now, edit /etc/pam.d/sudo and remove the common-auth line, and instead put this in place: auth pam_userdb.so crypt=crypt db=/var/local/sudopass/passwd Very highly secure! (Unfortunately, pam_userdb seems to not support anything better than the ancient crypt(3) hashing). That hash was generated with mkpasswd -m des, using the password "password". # db5.1_load -h /var/local/sudopass -t hash -T passwd.db Inside it, I went ahead and created a password database file using db5.1_load (which is the version of Berkeley DB in use on Debian Wheezy): # umask 0027 I created the directory /var/local/sudopass, owner/group root:shadow, mode 2750. You could use e.g., pam_userdb.so instead of pam_unix.so, and store your alternate passwords in a Berkeley DB database. The non-commented-out lines in common-auth look something like (by default, this will be different if you're using e.g., LDAP): auth pam_unix.so nullok_secure You can change that common-auth line, and have PAM (and thus sudo) use an alternate password source. In other words, by default, it authenticates like everything else on the system. Sudo's config is in (at least on my Debian system) /etc/pam.d/sudo, and looks like this: $ cat common-session-noninteractive PAM supports per-application configuration. Other than that, sudo does its authentication (like everything else) through PAM. There is runaspw and targetpw as well see the sudoers(5) manpage for details. rootpw in particular will make it ask for the root password. root command prompt in this case normally would display #.If you want to ask for the root password, as opposed to the user's password, there are options that you can put in /etc/sudoers. To run these commands, first su to an account that allows them to run eg. Normally the command prompt displays $ and sudo commands may not run it won't even accept the Admin or root passwords. The sudo commands can also be run when logged in to an Admin account, after entering su or su root in Terminal. When done, you may log back into your Admin account and Disable Root User. The sudo commands should work from this account. Log out of your current account, and log into the root account via username: root Then from Edit menu -> Enable Root User, then enter some password. It can also be accessed via Menu bar: Apple -> System Preferences -> Accounts -> Login Options -> Join - > Open Directory Utility. Mine was located at /System/Library/CoreServices. If you are able to log in to an Admin account to your iMac, access Directory Utility and 'click the lock to make changes'. You'll just get an error that password is incorrect, even if you enter your current Admin password. Sudo passwd root command will NOT work unless Root User is enabled. "Change Root Password" is only available if Root User is enabled.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |