mcdope / pam_usb

Hardware authentication for Linux using ordinary flash media (USB & Card based).
GNU General Public License v2.0

[Feature] Force second device for sudo #223

Open mcdope opened 8 months ago

mcdope commented 8 months ago

Understood

Yes, this is not a bug report / support request

Text

When #31 is done, it would be possible to implement a way to force a second device for sudo usage.

Example use case: office, school, etc. having USB keys for each user. Each user sometimes needs to use sudo, for example for installing software. Admin could then visit the user's desk, plug the sudo stick in, user runs command(s), admin walks away with his stick again. Or a shared family computer etc.

mcdope commented 1 month ago

How to implement:

todo: check if this should be used for polkit or the like.

mcdope commented 1 month ago

Better idea: <option id="sudo_device">DeviceName</option> in <user> or global.

If global, it would basically disallow sudo for users not having the sudo device configured though.

mcdope commented 1 month ago

Or put a <device> in <service id="sudo">?

Guess this is the best idea, because it doesn't restrict the feature to sudo.

mcdope commented 3 weeks ago

todo:

[ ] Modify opts->device_list to have sudo attribute
[ ] Modify pusb_device_connected to only iterate devices having the attribute