I am a little tired of using sudo and typing my password in all the time, yet I wouldn't like to sacrifice security entirely on my laptop. I wonder if you have any smart solutions to that, perhaps using some pam modules? I have come across pamusb which, when used with two-factor authentication and one time pads, seems to be an acceptable solution. However, it does not seem to be maintained any more and appears to be rather niche (or is it?). Any thoughts?
Last edited by fijam (2009-04-25 12:41:40)
I guess you're aware of this, but just in case...
sudo can be set up per application and can be used without a password. Here's my setup, for example:
root ALL=(ALL) SETENV: ALL
eb blackout=/usr/bin/pacman,/usr/bin/abs,/etc/rc.d/*,/usr/bin/vim /etc/*,/usr/bin/aurbuild,/usr/bin/vim /boot/grub/menu.lst
eb blackout=NOPASSWD:/sbin/shutdown,/sbin/reboot
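An added example, not part of the thread and not code from eb or the sudo project: a small Python audit that lists, for plain sudoers rules like the three posted above, which commands run without a password (the NOPASSWD tag carries over to later commands in the same list) and which contain wildcards, something sudoers(5) says to use with care. The function name `audit` and the simplified grammar are assumptions of this sketch.

```python
import re

# Constructed input: the three rules quoted from the post above.
SAMPLE = """\
root ALL=(ALL) SETENV: ALL
eb blackout=/usr/bin/pacman,/usr/bin/abs,/etc/rc.d/*,/usr/bin/vim /etc/*,/usr/bin/aurbuild,/usr/bin/vim /boot/grub/menu.lst
eb blackout=NOPASSWD:/sbin/shutdown,/sbin/reboot
"""

TAG = re.compile(r"\s*(NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC):\s*")
RUNAS = re.compile(r"\s*\([^)]*\)\s*")


def audit(text):
    """Return one finding per command in plain 'user host=commands' rules.

    Assumption: no aliases, line continuations, escaped commas or
    multi-user Runas lists; such lines need a full sudoers parser.
    """
    findings = []
    for line in text.splitlines():
        who, sep, spec = line.strip().partition("=")
        parts = who.split()
        if (not sep or len(parts) != 2 or who.startswith(("#", "Defaults"))
                or parts[0].endswith("_Alias")):
            continue  # comment, Defaults, alias or otherwise unsupported line
        nopasswd = False  # a tag stays in force for later commands in the list
        for cmd in spec.split(","):
            m = RUNAS.match(cmd)  # drop a leading "(runas)" specification
            if m:
                cmd = cmd[m.end():]
            while (m := TAG.match(cmd)):  # consume leading tags, track NOPASSWD
                if m.group(1) == "NOPASSWD":
                    nopasswd = True
                elif m.group(1) == "PASSWD":
                    nopasswd = False
                cmd = cmd[m.end():]
            cmd = cmd.strip()
            findings.append({"user": parts[0], "host": parts[1], "cmd": cmd,
                             "nopasswd": nopasswd,
                             "wildcard": any(c in cmd for c in "*?[")})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        flags = [k for k in ("nopasswd", "wildcard") if f[k]] or ["password required"]
        print(f"{f['user']}@{f['host']}: {f['cmd']}  [{', '.join(flags)}]")
```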
I am, but I'd like a tad more flexible solution. Thanks for the suggestion, though.
Personally, I have bash aliases for my most commonly used root programs, like pacman, etc.
Proud Arch i686 & x86_64 User
Share your knowledge!
Arch Linux Forum Etiquette
Open a shell, su as root and keep this shell open for every admin task you need to do.
Shaika-Dzari
http://www.4nakama.net
1) I never provide sudo with password (no need to list each app that would require this)
2) I never provide su with password
3) of course root is password protected
Easy to configure, and in fact these are security reasons, and in the end this makes stuff more comfortable. All this has already been discussed several times on the Arch forums.
Last edited by broch (2009-04-25 14:41:34)
broch wrote:
1) I never provide sudo with password (no need to list each app that would require this)
2) I never provide su with password
3) of course root is password protected
Easy to configure, and in fact these are security reasons, and in the end this makes stuff more comfortable. All this has already been discussed several times on the Arch forums.
I am uninterested in disabling password authentication for all sudo actions or meticulously cherry-picking privileged applications. I merely look for alternatives.
pam PKCS#11 with the appropriate hardware would be perfect, but compatible smart cards are hard to get and relatively pricy. There's also pam x509 with Bluetooth support - authenticating with a phone would be really nice. Does anyone have any experience with it?
Delete your root password (passwd -d root), disable root login from sshd and you're good to go!
broch wrote:
1) I never provide sudo with password (no need to list each app that would require this)
2) I never provide su with password
3) of course root is password protected
Easy to configure, and in fact these are security reasons, and in the end this makes stuff more comfortable. All this has already been discussed several times on the Arch forums.
I am uninterested in disabling password authentication for all sudo actions or meticulously cherry-picking privileged applications. I merely look for alternatives.
pam PKCS#11 with the appropriate hardware would be perfect, but compatible smart cards are hard to get and relatively pricy. There's also pam x509 with Bluetooth support - authenticating with a phone would be really nice. Does anyone have any experience with it?
sudo access is limited to trusted users (as in the case of smart cards); the same goes for su access. If an untrusted user gets the smart card, he will also have system-wide access.
The point of using smart cards efficiently is to give users access to specific rights. In your case (assuming a single user) this really gives no advantage.
Passwordless su/sudo is in fact more secure than using a password, as each time you enter the password you transmit it. openSUSE had a nice bug that allowed users with limited rights to get the su password with a simple echo.
What I am suggesting is that you need a trusted user group that has access to su/sudo, and pam configured so that the trusted group will run these without a password. The administrative advantage is that removing a user from the trusted group also removes the user's access to the privileged tasks.
Smart cards really shine when:
1) remote access is required
2) when giving users elevated rights to specific tasks.
However, this requires a lot of work to set up.
Delete your root password (passwd -d root), disable root login from sshd and you're good to go!
What does this have to do with sudo or su?