Set a different passwords for unlock and sudo [duplicate]
I am running a single-user Ubuntu install.
When I enter the password to unlock my screen after suspend/timeout, it is the same password I use for sudo
- my user password. Is there any way for me to set a different, weaker password for unlocking from sleep, so it's safe to give it to friends that, for example, are reading something on my computer and forget to wiggle the mouse without me having to give them potential root access if they decided to?
The only reason I even have a lock screen is so little siblings won't hit random keys and mess up my work when I forget and leave for a minute, so lockscreen "security" is totally a non-issue.
I am using GDM / Gnome 3.16 on Ubuntu 15.04.
I need to add that removing my login account from sudoers and using another account for sudo-related work is not a solution that I can consider.
Gnome/GDM (through PAM) normally use your user account info defined in /etc/passwd
and /etc/shadow
.
You are (I am) correct that the configuration files in /etc/pam.d/*
are how the configuration is done, but first, you need to create a new passwd
file with your desired lock screen password. This great answer by @AaronD (please do upvote him) has details on how to do that using htpasswd editor.
Once you have created that alternative passwords file, save it to /etc/gdm.passwd
(or somewhere) and add this line to the beginning of /etc/pam.d/gdm-password
:
auth required pam_pwdfile.so pwdfile /etc/gdm.passwd
where /etc/gdm.passwd
is the path where you saved the passwd file. And comment out the system-local-login
line that follows. This switches the required authentication from pulling from normal local account to your new configuration.
No restarting or anything should be required, just save that file and Super+L to test it out!
This is just a compliation of the procedure that worked out for me. All credit to @AaronD and @Amit.