Different SSH/Login Password From SUDO Password
Solution 1:
From man sudoers:
rootpw    If set, sudo will prompt for the root password instead of the password of the invoking user. This flag is off by default.
runaspw   If set, sudo will prompt for the password of the user defined by the runas_default option (defaults to root) instead of the password of the invoking user. This flag is off by default.
Or you could just ban password-based logins via ssh completely. Require a passphrase-encrypted key for remote login. Then you are free to use the password for sudo. The relevant option is
from man sshd_config:
PasswordAuthentication    Specifies whether password authentication is allowed. The default is "yes".
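An added check that is not part of the answer above: before relying on "password logins are banned" as the reason the sudo password can stay short, confirm what sshd will actually apply. sshd keeps the first occurrence of a keyword (a later `PasswordAuthentication no` beneath an earlier `yes` is ignored), the keyword commented out means the default `yes`, and a value inside a `Match` block only applies to matching connections. The script below reports the global value and any Match-block overrides for a config file; the function names and the three sample configs are constructed for this demo.

```shell
#!/bin/sh
# Added example, not part of the original answer: reports the PasswordAuthentication
# value sshd will actually apply for a given sshd_config. Two things bite people who
# "just ban password logins": sshd keeps the FIRST occurrence of a keyword (a later
# "PasswordAuthentication no" after an earlier "yes" is ignored), and settings inside
# a "Match" block apply only to matching connections. Function names are assumed here.
set -eu

# Print the global PasswordAuthentication value ("yes"/"no") for the file in $1.
# Absent keyword => "yes", the man page default. Match-block values are not
# counted as global; list_match_overrides shows them.
sshd_password_auth() {
    awk '
        { sub(/^[ \t]+/, "") }                   # sshd allows leading whitespace
        /^#/ || /^$/ { next }                    # comments and blank lines
        { n = split($0, f, /[ \t=]+/); key = tolower(f[1]) }   # "Key value" or "Key=value"
        key == "match" { in_match = 1; next }    # everything below is conditional
        in_match { next }
        key == "passwordauthentication" && value == "" && n >= 2 { value = tolower(f[2]) }
        END { if (value == "") value = "yes"; print value }
    ' "$1"
}

# Print "<Match line>: <value>" for every PasswordAuthentication inside a Match block.
list_match_overrides() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { n = split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { crit = $0; next }
        crit != "" && key == "passwordauthentication" && n >= 2 { print crit ": " tolower(f[2]) }
    ' "$1"
}

# Write three constructed sample configs into a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    # hardened: global "no", re-enabled only for one internal network
    printf 'PubkeyAuthentication yes\nPasswordAuthentication no\nMatch Address 10.0.0.0/8\n    PasswordAuthentication yes\n' > "$d/hardened"
    # looks hardened, but the keyword is commented out so the default "yes" applies
    printf '#PasswordAuthentication no\nPort 22\n' > "$d/commented"
    # duplicate keyword: the first line wins, the later "no" is ignored
    printf 'PasswordAuthentication=yes\nPasswordAuthentication no\n' > "$d/duplicate"
    printf '%s\n' "$d"
}

samples=$(make_samples)
for f in hardened commented duplicate; do
    printf '%-10s global PasswordAuthentication=%s\n' "$f" "$(sshd_password_auth "$samples/$f")"
    list_match_overrides "$samples/$f"
done
rm -rf "$samples"
```

On a live host the authoritative answer is `sshd -T` (optionally with `-C user=...,addr=...` to evaluate Match blocks), which prints the effective configuration after all files pulled in by `Include` are merged; the script above is for reviewing a config file you cannot load into sshd yet, such as one sitting in a repository.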
Solution 2:
Are you looking for this instead, in the sudoers man page?
targetpw    If set, sudo will prompt for the password of the user specified by the -u option (defaults to root) instead of the password of the invoking user.
Solution 3:
How about disabling password logon via SSH and allowing public-key logon, where you can set your difficult-to-guess password? Then the local password can be shorter and used by sudo.
Other than that, you will have to configure /etc/pam.d/sudo to use a different (or additional) module; at first glance pam_dialpass might allow what you need.
You could also configure LDAP for one and local passwords for the other. It will all depend on how many changes you are able and willing to make, what modules are available, etc.
Solution 4:
SOLUTION 1: newgrp
A simple way to address your use case would be to use NOPASSWD: in combination with a group and a group passwd:
Add a line to sudoers:
%rudo ALL=(ALL:ALL) NOPASSWD:ALL
Create a passwd-protected group:
groupadd rudo
gpasswd rudo # Enter passwd
Now when you log in as an unprivileged user (assuming you're not already in the rudo group), log in to the rudo group, at which point you'll be prompted for the password.
login user
newgrp rudo
Now you can run sudo password-less, so long as you remain logged in to the group.
SOLUTION 2: runaspw
A better, possibly more secure way to do this uses runaspw. runaspw is associated with the runas_default option, so you have to add that option too.
Assuming you already have the default %sudo group entry:
%sudo ALL=(ALL:ALL) ALL
add these lines to sudoers file:
Defaults:%sudo runas_default=sudo
Defaults:%sudo runaspw
Now add a new sudo user with a password:
useradd sudo -d /nonexistent -s /usr/sbin/nologin -MNr
passwd sudo
Now sudo-group users will be prompted for the sudo user's passwd, but only users in the sudo group will be able to sudo (unlike with the group solution above, where anyone in the group or with the group passwd could sudo).
A minor issue is that the default runas user is now sudo, so to sudo as root you need to specify root explicitly:
sudo -u root <cmd>
But it's easy enough to define an alias (alias sudo='sudo -u root') or an indirect sudo command.