[sudo-users] Avoid to input the password twice at login time

Daniele Palumbo daniele at retaggio.net
Tue Sep 13 16:15:38 MDT 2022


Hi,

We are in a scenario where the company would require (setting taken from CIS) that the `authenticate` option always be used for humans.

At the same time, `timestamp_timeout` is allowed.

As a use case, this makes sense if someone always prepends sudo when an admin command must be executed (let's say, "Ubuntu style").

I wish to configure the OS (speaking of Linux, hopefully this works for other OSes) as follows:
1) Whoever logs in via SSH keys (not a password, not controllable) will be required to input the password after the login,
2) Whoever logs in via password (e.g. LDAP, local user) will have the password cached.

Is it doable as of today?

If not, could it make sense to have a sudo PAM module which checks if a password has been used (this is known by PAM) and, if so, stores it in the sudo cache?

Thank you very much,
Daniel

