[sudo-users] LDAP Password Security
Todd C. Miller
Todd.Miller at sudo.ws
Tue Apr 7 08:50:53 MDT 2020
On Tue, 07 Apr 2020 14:25:34 -0000, LE BOUTER Leo wrote:
> I was comparing sudo to how SSO would work on the web.
> SSO on the web uses an Identity Server that only gives a service
> specific temporary token, not the user's password. Here, users
> have to give their password to each server that has sudo installed.
On most systems, sudo uses PAM for authentication. You can configure
it to use a different authentication method by editing the sudo PAM
configuration. Usually this is stored in /etc/pam.d/sudo.
There are a variety of PAM modules that support different SSO
schemes. For example, pam_totp can be used with time-based one-time
password systems.
Sudo 1.9.0 will support an additional approval plugin which could
be used to implement separate authentication or approval schemes,
but I think you can achieve what you want with just the PAM
configuration.
- todd
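The reply above points at /etc/pam.d/sudo as the place to change how sudo authenticates. The fragment below is an added illustration of that, not something from this thread or from the sudo project: it assumes a Debian-style layout (the `@include common-*` lines are the distribution's defaults) and uses pam_google_authenticator.so as the TOTP module, which is an assumption standing in for the pam_totp mentioned in the reply; `nullok` lets accounts with no enrolled secret keep authenticating with just their password during rollout. The first stack is the unchanged default, the second adds the one-time-password check in front of it.

```conf
# /etc/pam.d/sudo as shipped (Debian-style; assumed default layout)
#%PAM-1.0
@include common-auth
@include common-account
@include common-session-noninteractive

# /etc/pam.d/sudo with a TOTP factor in front of the password stack.
# pam_google_authenticator.so is an assumed stand-in for any TOTP module;
# "required" means a bad or missing code fails the whole auth stack even
# though the later modules still run, so sudo never sees which step failed.
#%PAM-1.0
auth    required   pam_google_authenticator.so nullok
@include common-auth
@include common-account
@include common-session-noninteractive
```

Order matters: placing the OTP line before `@include common-auth` prompts for the code first, and because sudo caches a successful authentication (the `timestamp_timeout` defaults), the extra prompt only appears once per cache window. Keep a root shell open while testing the change, since a typo in this file locks every user out of sudo until it is repaired.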