Two password (factor) authentication to root user / sudo
With regard to running Linux remotely (SSH), I'd like to employ two levels of authentication for accessing the system with root privileges.
I have the root account disabled / locked out, so direct access to the system is not possible with the root user.
I access the system with a normal user, and then from there I can sudo. Of course, it is merely the same password to gain root privileges.
In /etc/sudoers, you can set the directive Default rootpw, which will prompt for a root (second) password. However, I have the root account locked and so there is no password.
My question is, how can I have the user enter a second, DIFFERENT password to access the root account or to sudo?
Set a password on the root account, and set /sbin/nologin or your local equivalent as root's shell. Then set the 'Default rootpw' directive in /etc/sudoers, and you'll have what you're looking for: root won't be able to log in by any means, but will have a password set, which sudo will require sudoers to provide before letting them sudo anything.
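The answer's recipe as a checkable script, added here and not part of the question or answer: it audits copies of /etc/shadow, /etc/passwd and /etc/sudoers for the three conditions (usable root hash, nologin shell, rootpw directive) and lists in comments the commands that establish them. It assumes the directive is spelled `Defaults rootpw` as in sudoers(5), that nologin lives at /sbin/nologin or /usr/sbin/nologin, and that the hashes and file contents are constructed samples.

```shell
#!/bin/sh
# Added example, not from the question or answer: audit that a host matches the
# answer's recipe, reading copies of shadow, passwd and sudoers so it runs offline.
# Assumed: the directive is spelled "Defaults rootpw" (the sudoers(5) form) and
# nologin is at /sbin/nologin or /usr/sbin/nologin.
#
# The steps the answer describes, for reference (run as an administrator):
#   passwd root                    # sets a hash; a "!"-locked root makes rootpw unusable
#   usermod -s /sbin/nologin root  # no interactive shell for root, so that password cannot log in
#   visudo                         # add the line:  Defaults rootpw
#   visudo -c                      # syntax-check before ending the session

# check_root_pw_mode SHADOW PASSWD SUDOERS: prints findings, returns 0 only if all three hold.
check_root_pw_mode() {
    shadow=$1 passwd=$2 sudoers=$3 rc=0
    hash=$(awk -F: '$1=="root"{print $2}' "$shadow")
    case "$hash" in
        ''|'!'*|'*'*) echo "FAIL: root has no usable password, so rootpw would reject every sudo"; rc=1 ;;
        *)            echo "ok: root has a password hash" ;;
    esac
    shell=$(awk -F: '$1=="root"{print $7}' "$passwd")
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin) echo "ok: root shell is $shell" ;;
        *) echo "FAIL: root shell is ${shell:-unset}; the password set above could log root in"; rc=1 ;;
    esac
    # Match "Defaults rootpw" or "Defaults env_reset, rootpw" but not "Defaults !rootpw".
    if grep -Eq '^[[:space:]]*Defaults[[:space:]]+([^#]*[,[:space:]])?rootpw([[:space:],]|$)' "$sudoers"; then
        echo "ok: sudo will prompt for root's password"
    else
        echo "FAIL: no 'Defaults rootpw'; sudo keeps asking for the caller's own password"; rc=1
    fi
    return $rc
}

# run_on_sample HASH SHELL SUDOERS_LINE: builds constructed files in a temp dir and audits them.
run_on_sample() {
    d=$(mktemp -d)
    printf 'root:%s:19000:0:99999:7:::\n' "$1" > "$d/shadow"
    printf 'root:x:0:0:root:/root:%s\n' "$2" > "$d/passwd"
    printf 'Defaults env_reset\n%s\n%%sudo ALL=(ALL:ALL) ALL\n' "$3" > "$d/sudoers"
    if check_root_pw_mode "$d/shadow" "$d/passwd" "$d/sudoers"; then rc=0; else rc=1; fi
    rm -rf "$d"; return $rc
}

# Constructed hashes: '$6$...' stands in for a real sha512 entry, '!$6$...' for a locked one.
run_on_sample '$6$constructedsalt$constructedhash' /sbin/nologin 'Defaults rootpw' && echo 'audit passed'
run_on_sample '!$6$constructedsalt$constructedhash' /bin/bash '' || echo 'audit failed, as expected'
```

A root account locked with passwd -l (hash beginning with "!") fails the first check: with rootpw in effect sudo would then reject every command, which is why the answer sets a real password and relies on the nologin shell to keep root from logging in.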