LinuxQuestions.org
Old 01-26-2021, 06:19 AM   #1
roffeboffe
LQ Newbie
 
Registered: Nov 2020
Location: Fredrikstad, Norway
Distribution: Ubuntu/Debian/CentOS/RedHat
Posts: 7

Rep: Reputation: Disabled
Disabling password for all sudo users.


I am in the process of "forbidding" passwords for users with sudo access. This means they will need to log in with pubkey-auth and have NOPASSWD in sudoers.

The thought behind this is that if there are no passwords, there are no hashes to steal/crack. Is this a good approach, and if not, why?

However, I will need one user with password access for access via local console. What would you choose: A user with sudo access or enabling password for root?

I will probably use a scheduled job in ansible/AWX to enforce disabled passwords to prevent users from not complying with this policy.
 
Old 01-26-2021, 06:59 AM   #2
MadeInGermany
Senior Member
 
Registered: Dec 2011
Location: Simplicity
Posts: 1,630

Rep: Reputation: 736
IMHO sudo does not place cached passwords. There is no increased risk.
On the other hand, the password increases safety: a malicious tool or website via browser can try to inject a sudo command. If successful, the interactive password is another barrier.
 
Old 01-26-2021, 07:09 AM   #3
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,443
Blog Entries: 3

Rep: Reputation: 2711
The interactive password is a good second barrier. Using SSH keys or SSH certificates for login is a great idea.

Code:
Match Group sudo
       PasswordAuthentication no

It is also possible to require both keys and passwords for login, in that order:

Code:
Match Group sudo
       AuthenticationMethods publickey,password

See "man sshd_config"

Then the password could be required again to use sudo.
 
Old 02-04-2021, 10:12 PM   #4
jdrosales
LQ Newbie
 
Registered: Feb 2020
Location: Virginia, USA
Distribution: Ubuntu
Posts: 17
Blog Entries: 1

Rep: Reputation: 3
As a security-paranoid system administrator I would recommend that you use publickey as the only method to log into your server, and enforce the use of passwords when using the 'sudo' command.

I can't devise in my mind a scenario where I would do it any other way.
 
1 members found this post helpful.
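
The scheduled compliance check mentioned in post #1 could look like the following; this is an added example, not code from any post in this thread. The function name, the status labels, the `breakglass` account and the sample files are constructed assumptions, and the check only covers supplementary members listed in the group file, not other sudoers rules or primary-group membership.

```shell
#!/bin/sh
# Usage: audit_sudo_passwords GROUP_FILE SHADOW_FILE GROUP BREAKGLASS_USER
# Hypothetical helper: prints one "<STATUS> <user>" line per finding.
audit_sudo_passwords() {
    awk -F: -v grp="$3" -v keep="$4" '
        FNR == NR {                        # first file: group(5) format
            if ($1 == grp) {
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") member[m[i]] = 1
            }
            next
        }
        ($1 in member) {                   # second file: shadow(5) format
            seen[$1] = 1
            if ($1 == keep) next           # the one console account may keep a password
            h = $2; sub(/^[!*]+/, "", h)   # strip lock markers
            if ($2 == "")      print "EMPTY " $1       # empty field: no password required
            else if (h == $2)  print "HASH " $1        # usable password still set
            else if (h != "")  print "LOCKEDHASH " $1  # locked, but the hash is still on disk
        }
        END { for (u in member) if (!(u in seen)) print "MISSING " u }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample data (not from a real host; hashes are placeholders).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/group" <<'EOF'
sudo:x:27:alice,bob,carol,breakglass,dave,frank
users:x:100:erin
EOF
cat > "$sample_dir/shadow" <<'EOF'
alice:!:18650:0:99999:7:::
bob:$6$constructedsalt$constructedhash:18650:0:99999:7:::
carol::18650:0:99999:7:::
breakglass:$6$constructedsalt$constructedhash:18650:0:99999:7:::
erin:$6$constructedsalt$constructedhash:18650:0:99999:7:::
frank:!$6$constructedsalt$constructedhash:18650:0:99999:7:::
EOF

audit_sudo_passwords "$sample_dir/group" "$sample_dir/shadow" sudo breakglass
```

`LOCKEDHASH` is reported separately because locking an account with `passwd -l` only prefixes the stored hash with `!`, so the hash remains in the shadow file, while `EMPTY` marks an account that can authenticate with no password where PAM permits null passwords.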
All times are GMT -5. The time now is 09:37 AM.