Different SSH/Login Password From SUDO Password

Solution 1:

from man sudoers:

rootpw          If set, sudo will prompt for the root password instead of the
                password of the invoking user.  This flag is off by default.

runaspw         If set, sudo will prompt for the password of the user defined
                by the runas_default option (defaults to root) instead of the
                password of the invoking user.  This flag is off by default.

Or you could just ban password-based logins via ssh completely. Require a passphrase-encrypted key for remote login. Then you are free to use the password for sudo. The relevant option is

from man sshd_config

 PasswordAuthentication
         Specifies whether password authentication is allowed.  The default
         is “yes”.
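
The two man page excerpts above have opposite precedence rules, which is where this setup usually goes wrong in practice: sshd uses the first value it obtains for a keyword (so a `PasswordAuthentication no` appended at the bottom of sshd_config loses to an earlier `yes`, including one pulled in by an `Include` near the top), while sudoers processes `Defaults` lines in order so the last setting of a flag wins and `!flag` switches it off. The script below is an added example, not code from either answer: two small checkers that apply each rule to a config snippet read on stdin, run against constructed sample configs. The function names and the samples are assumptions; Match blocks and the per-user/host/runas `Defaults:` forms are deliberately out of scope.

```shell
#!/bin/sh
# Added example (not from the original answers): apply each config file's own
# precedence rule to a snippet on stdin, so you can see what will be enforced.

# Usage: sshd_effective KEYWORD < sshd_config
# sshd_config: the FIRST value obtained for a keyword wins (man sshd_config).
# Assumption: only the global section is inspected; parsing stops at "Match".
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        tolower($1) == "match"              { exit }   # global section ends
        tolower($1) == key                  { print $2; exit }  # first wins
    '
}

# Usage: sudoers_flag FLAG < sudoers   -> prints "on" or "off"
# sudoers: Defaults lines are processed in order, the LAST setting wins,
# and "!flag" turns a flag off.  Assumption: only plain "Defaults" lines
# are inspected (Defaults:user, Defaults@host, Defaults>runas are skipped).
sudoers_flag() {
    awk -v flag="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "Defaults" {
            for (i = 2; i <= NF; i++) {
                n = split($i, items, ",")            # "env_reset, rootpw"
                for (j = 1; j <= n; j++) {
                    if (items[j] == flag)          state = "on"
                    else if (items[j] == "!" flag) state = "off"
                }
            }
        }
        END { if (state == "") state = "off"; print state }
    '
}

# Constructed sample configs (not copied from any real host).
SSHD_SAMPLE='Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication yes
# added later by an admin, too late to take effect:
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no'

SUDOERS_SAMPLE='Defaults env_reset, rootpw
Defaults secure_path="/usr/sbin:/usr/bin"
Defaults !rootpw
Defaults runaspw'

# Wrappers over the samples so the results can be checked by name.
sample_ssh_password_auth() { printf '%s\n' "$SSHD_SAMPLE" | sshd_effective PasswordAuthentication; }
sample_rootpw()            { printf '%s\n' "$SUDOERS_SAMPLE" | sudoers_flag rootpw; }
sample_runaspw()           { printf '%s\n' "$SUDOERS_SAMPLE" | sudoers_flag runaspw; }

# On a live host, prefer the daemons' own view: "sshd -T" prints the
# effective values and "sudo -l" lists the Defaults matching the caller.
if [ "${1:-}" = "--live" ]; then
    sshd -T 2>/dev/null | grep -i '^passwordauthentication'
    sudo -l | grep -i 'Defaults'
fi
```

With the samples above, `sample_ssh_password_auth` reports `yes` even though the last line in the global section says `no`, `sample_rootpw` reports `off` because the later `!rootpw` overrides the earlier `rootpw`, and `sample_runaspw` reports `on`. Run the script with `--live` on a real host to compare against `sshd -T` and `sudo -l` rather than trusting a read of the files.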

Solution 2:

Are you looking for this instead, in the sudoers man page?

   targetpw        If set, sudo will prompt for the password of the user
                   specified by the -u option (defaults to root) instead of the
                   password of the invoking user. 

Solution 3:

How about disabling password logon via SSH and allowing public-key logon, where you can set your difficult-to-guess password. Then the local password can be shorter and used by sudo.

Other than that, you will have to configure /etc/pam.d/sudo to use a different (or additional) module; at first glance, pam_dialpass might allow what you need.

You could also use LDAP for one and local passwords for the other. It will all depend on how many changes you are able and willing to make, what modules are available, etc.

Solution 4:

SOLUTION 1: newgrp

A simple way to address your use case would be to use NOPASSWD: in combination with a group and a group password:

Add a line to sudoers:

%rudo   ALL=(ALL:ALL) NOPASSWD:ALL

Create a passwd protected group:

groupadd rudo
gpasswd  rudo # Enter passwd

Now when you log in as an unprivileged user (assuming you're not already in the rudo group), log in to the rudo group, at which point you'll be prompted for the password.

login user
newgrp rudo

Now you can run sudo password-less, so long as you remain logged in to the group.


SOLUTION 2: runaspw

A better, possibly more secure, way to do this uses runaspw. runaspw is associated with the runas_default option, so you have to add that option too.

Assuming you already have the default %sudo group entry:

%sudo   ALL=(ALL:ALL) ALL

add these lines to sudoers file:

Defaults:%sudo  runas_default=sudo
Defaults:%sudo  runaspw

Now add a new sudo user with a password:

useradd sudo -d /nonexistent -s /usr/sbin/nologin -MNr
passwd sudo

Now sudo group users will be prompted for the sudo user's password, but only users in the sudo group will be able to sudo (unlike with the group solution above, where anyone in the group or with the group password could sudo).

A minor issue is that the default runas user is now sudo, so to sudo as root you need to explicitly specify root:

sudo -u root <cmd>

But it is easy enough to define an alias (alias sudo='sudo -u root') or an indirect sudo command.
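
The runaspw variant above is several manual steps, and a typo in a sudoers file can lock every admin out of sudo, so it is worth scripting with a syntax check in front of the install. The script below is an added example, not code from the answer: it renders the two `Defaults:%sudo` lines as a drop-in fragment, parses the fragment with `visudo -c -f` before anything is written under /etc/sudoers.d, creates the password-holding account with the same useradd options as the answer, and finally shows what sudo will enforce for a group member via `sudo -l -U`. The account name `sudo`, the fragment path `/etc/sudoers.d/50-shared-sudo-password` and the `--apply` switch are assumptions; nothing is changed on the host unless `--apply` is given as root.

```shell
#!/bin/sh
# Added example (not from the original answer): install the runaspw variant
# as a checked drop-in under /etc/sudoers.d.  SHARED_USER and FRAGMENT are
# assumed names and can be overridden from the environment.
set -eu

SHARED_USER="${SHARED_USER:-sudo}"
FRAGMENT="${FRAGMENT:-/etc/sudoers.d/50-shared-sudo-password}"

# Emit the sudoers fragment.  The "%sudo ALL=(ALL:ALL) ALL" user spec is
# assumed to exist already in /etc/sudoers; these two Defaults lines make
# sudo prompt sudo-group members for SHARED_USER's password instead of their own.
render_fragment() {
    printf '%s\n' \
        "# sudo group members authenticate with ${SHARED_USER}'s password" \
        "Defaults:%sudo  runas_default=${SHARED_USER}" \
        "Defaults:%sudo  runaspw"
}

# Self-check used before installing: the flag must be scoped to %sudo only.
fragment_sets_runaspw() {
    render_fragment | grep -q '^Defaults:%sudo[[:space:]]*runaspw$'
}

# Create the password-holding account as in the answer: no home directory
# (-M), no private group (-N), system account (-r), no usable login shell.
create_shared_user() {
    if ! id "$SHARED_USER" >/dev/null 2>&1; then
        useradd "$SHARED_USER" -d /nonexistent -s /usr/sbin/nologin -MNr
    fi
    passwd "$SHARED_USER"
}

# Write the fragment to a temp file, let visudo parse it, then install it
# with the mode sudo requires for drop-ins (0440, root:root).  A fragment
# that fails "visudo -c" never reaches /etc/sudoers.d.
install_fragment() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    render_fragment > "$tmp"
    visudo -c -f "$tmp"
    install -m 0440 -o root -g root "$tmp" "$FRAGMENT"
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    fragment_sets_runaspw
    create_shared_user
    install_fragment
    # Confirm what sudo will actually enforce for the invoking admin.
    sudo -l -U "${SUDO_USER:-${USER:-root}}" | grep -i runas || true
fi
```

Because `runas_default` is now the shared account, the `sudo -l -U` output should list both `runas_default=sudo` and `runaspw` under "Matching Defaults entries"; if the fragment is rejected by `visudo -c`, the script stops before `install` and the existing sudoers configuration is untouched.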