Two password (factor) authentication to root user / sudo

With regards to running Linux remotely (SSH) I'd like to employ two levels of authentication for accessing the system with root privileges.

I have the root account disabled / locked out so direct access to the system is not possible with root user.

I access the system with a normal user, and then from their I can sudo. Of course, it is merely the same password to gain root privileges.

In /etc/sudoers, you can set the directive Default rootpw which will prompt for a root (second) password. However, I have the root account locked and so there is no password.

My question is, how can I have the user enter a 2nd DIFFERENT password to access the root account or to sudo?


Set a password on the root account, and set /sbin/nologin or your local equivalent as root's shell. Then set the 'Default rootpw' directive in /etc/sudoers, and you'll have what you're looking for: root won't be able to log in by any means, but will have a password set, which sudo will require sudoers to provide before letting them sudo anything.