Skip navigation

3 Comments

  1. I would actually do it the other way around — lock totally su for any other user than root and secure sudo with Google Authenticator (:

  2. Hadreta, I’d agree with you, but the Google Authenticator configuration is viewable and configurable by users once they’re logged into their accounts. Securing sudo with Google Authenticator could be easily sidestepped by a simple ‘cat ~/.google_authenticator’ without some modification.

  3. I put this in /etc/pam.d/common-auth so it affects SSH, su, and most other services. I can’t say whether it works for all PAM clients, but it does for both SSH and su.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.