Running sudo with pam.d
 

Hi guys,

Need some advice.

I'm playing around with centralizing my Linux logins. Currently I have pam.d/ssh setup to reference a list file over nfs. This allows me to control who can and can't login to my boxes from a central location.

My next step is to sudo enable those accounts. Anyone done any work similar to this before? Any advice is much appreciated.

Have you configured the sudo file already?

visudo

and if you don't want them to type a password when they type
sudo /bin/su
you can use !authenticate to the default specification

I do not consider "an NFS-shared list" to be in any way secure.

Consider using OpenLDAP or a similar shared-security server protocol of known robustness. These will allow you to efficiently administer multiple systems .. including dissimilar types of systems.

The mechanism for handling this authorization on your Linux box will still be PAM, in the sense that Linux asks PAM a question and PAM applies its rules to get an answer. But the ruleset will be different: perhaps in addition to other authentication methods, PAM will query LDAP.