
With regards to running Linux remotely (SSH) I'd like to employ two levels of authentication for accessing the system with root privileges.

I have the root account disabled / locked out so direct access to the system is not possible with root user.

I access the system with a normal user, and then from there I can sudo. Of course, it is merely the same password to gain root privileges.

In /etc/sudoers, you can set the directive Default rootpw which will prompt for a root (second) password. However, I have the root account locked and so there is no password.

My question is, how can I have the user enter a 2nd DIFFERENT password to access the root account or to sudo?

1 Answer


Set a password on the root account, and set /sbin/nologin or your local equivalent as root's shell. Then set the 'Default rootpw' directive in /etc/sudoers, and you'll have what you're looking for: root won't be able to log in by any means, but will have a password set, which sudo will require sudoers to provide before letting them sudo anything.

  • Perfect! Didn't know about that!
    – Mike
    Commented Mar 20, 2013 at 20:19
  • Glad to be of help!
    Commented Mar 20, 2013 at 20:56
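As an added example (not part of the question or the answer), here is a POSIX shell audit that verifies the three settings the answer describes: root has a real password hash, root's shell is a nologin shell, and sudoers carries the directive, which sudoers(5) spells `Defaults rootpw`. It takes the file paths as arguments so it can be run against copies or a test fixture rather than only the live `/etc` files.

```shell
#!/bin/sh
# Added audit helper, not from the original post. Checks the three parts of
# the "second password for sudo" setup given explicit file paths:
#   1. shadow file: root has a password hash (not locked with "!" or "*", not empty)
#   2. passwd file: root's login shell is a nologin shell
#   3. sudoers file: an uncommented "Defaults rootpw" is present
# Returns 0 when all three hold, otherwise prints each failure and returns 1.

root_has_password() {
    # shadow field 2 is the hash; locked or passwordless accounts have "", "!..." or "*..."
    pw_hash=$(awk -F: '$1 == "root" { print $2 }' "$1")
    case "$pw_hash" in
        ''|'!'*|'*'*) return 1 ;;
        *) return 0 ;;
    esac
}

root_shell_is_nologin() {
    # passwd field 7 is the login shell
    login_shell=$(awk -F: '$1 == "root" { print $7 }' "$1")
    case "$login_shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

sudoers_requires_rootpw() {
    # Match a global "Defaults" line whose option list contains "rootpw",
    # e.g. "Defaults rootpw" or "Defaults env_reset,rootpw"; "# Defaults rootpw"
    # and "Defaults !rootpw" do not match.
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+(.*,)?[[:space:]]*rootpw([[:space:],]|$)' "$1"
}

audit_two_password_sudo() {
    # usage: audit_two_password_sudo SHADOW_FILE PASSWD_FILE SUDOERS_FILE
    rc=0
    root_has_password "$1"       || { echo "FAIL: root is locked or has no password in $1"; rc=1; }
    root_shell_is_nologin "$2"   || { echo "FAIL: root shell in $2 is not a nologin shell"; rc=1; }
    sudoers_requires_rootpw "$3" || { echo "FAIL: no 'Defaults rootpw' line in $3"; rc=1; }
    return $rc
}

# On a real system (needs root to read the shadow and sudoers files):
#   audit_two_password_sudo /etc/shadow /etc/passwd /etc/sudoers
```

Drop-in files under `/etc/sudoers.d/` can also carry the directive, so on a system that uses them run `sudoers_requires_rootpw` over each file there as well.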
