Introduction:
It’s a feature people have asked for for years. We enter our usually simple PIN in public spaces full of cameras that get better every year, or where other people can watch, like on public transport from the seat behind. If you lose your phone, or forget it somewhere, and someone saw your PIN (there may also be fingerprints on the PIN digits), that person has access to the whole system and can install malware or whatever else. To limit the potential access to the user space, we need to separate the sudo password from the PIN. Since I have become a better Linux user, I felt it was time to dig into that issue, and so I found a good solution.
The user account password, aka the PIN, stays untouched. Sudo itself cannot be changed either, but it authenticates through PAM, which is configurable via the files in /etc/pam.d. PAM is the service that checks password conditions and decides how to handle them (like allowing 3 attempts). So we can create a separate password and connect it to the sudo application via its pam.d file.
Before I start, here is a warning:
You can lose sudo access or weaken your system security, so do everything with care. You do everything at your own risk. I will give some hints to avoid irreversible changes and vulnerabilities. But it is best to back up the whole system before you start, or just do it on a freshly flashed system.
I tested it on a freshly installed Mobian, but it should also work on every PureOS device. Once I have made a proper backup I will also do it on my daily driver. I don’t know how different postmarketOS is, so be more careful there and do some research of your own if needed.
Setup required tools:
So, after the dangerous sounding words, here is the tutorial. What applications do we need?
- A hash generating application. I used mkpasswd, which comes in the whois package.
- To store the password we need db-util.
- I used nano to edit a text file with root access; you can also use similar tools.
To install these in one command: sudo apt install whois db-util nano
Setup Password:
In the first part we create new login credentials for sudo. This part is not dangerous on its own, but it can break things once the second part is applied, so pay attention. First you need a new sudo password. The password is stored as a hash. Before you run the next command, read the hint after it, too. Type (with a leading space) mkpasswd -m sha-512 [password] and replace [password] with the new one you want to use. The terminal outputs a long string of characters that you need to copy later. Usually the shell writes a history, and since you type your password in plain text, it would appear in your shell history file (~/.bash_history for bash). To prevent this, type a space before the actual command; the space I wrote above was on purpose, not an accident. This only works when the shell is configured to ignore commands that start with a space, which Debian’s default ~/.bashrc does via HISTCONTROL=ignoreboth. Alternatively, leave out the password argument: mkpasswd then prompts for the password, so it never appears on the command line at all. Deleting the line from the history file does not necessarily remove it from disk until it is overwritten, so it is better not to write it to disk in the first place.
Next we need to create the folder where to store it.
Creating the folder: sudo mkdir /var/local/sudopasswd
And now we lock it down, so that nobody without root access can open it. The following commands use relative paths, so run them from /var/local (or use the full path):
Setting the owner: sudo chown root sudopasswd/
Setting the group: sudo chgrp shadow sudopasswd/
Setting the rights: sudo chmod 2750 sudopasswd (the chmod man page explains the mode bits)
Now it’s time to store the data. Log in as root via sudo su, otherwise you cannot enter the folder anymore. Change into it: cd /var/local/sudopasswd. Set a restrictive umask with umask 0027, so that the files we create are not readable by other users (see the umask man page for details). Next we create the database with db_load -t hash -T passwd.db. With -T, db_load reads key/value pairs from standard input as alternating lines, so the terminal shows an empty line and waits for entries. Type your user name (the same name as your folder in /home/) and press Enter. On the next empty line, paste the hashed password you created earlier with mkpasswd and press Enter. On the next empty line, press Ctrl+D to close db_load and write the file.
Connecting password with sudo:
Open the pam.d folder via cd /etc/pam.d/. Do not close the root shell yet. If you have closed it, open it again. While you only need sudo rights for this part, I highly recommend staying on root. If you mess up this part, you can fix it as long as you keep root running. You need to re-enter the sudo password after some time (I think 15 min of sudo inactivity by default), and if you cannot run sudo, you cannot fix what you have done, so stay on root. You should also keep an eye on the battery, just in case.
Backup your sudo-file with cp sudo sudo_backup.
Open the sudo-file with nano sudo. Remove the single line @include common-auth and replace it with:
auth [success=1 default=ignore] pam_userdb.so crypt=crypt db=/var/local/sudopasswd/passwd
auth requisite pam_deny.so
auth required pam_permit.so
Save your work with Ctrl+O and leave nano with Ctrl+X. The first line asks pam_userdb to look up the user name in the database and compare the crypt-style hash; success=1 means that on success the next line (pam_deny) is skipped and pam_permit accepts the login, while any other result (wrong password, missing user, unreadable database) falls through to pam_deny and is rejected. So there is no silent fallback to the PIN. If you have done everything correctly, your new password is now in effect.
Finishing setup:
To test your setup, open a new tab in your terminal without closing the root shell! In the new tab, try a sudo command like sudo apt update. Try your old password; it should not work anymore. Try the new password you passed to the mkpasswd command. If you have done everything correctly, sudo accepts it. If it fails, check that you have done everything as I wrote: check the directories and file names, and check whether the hash is written correctly into passwd.db. You can recreate the db file if you think it is not correct.
If you want to revert the change, switch to the tab with the root shell and type cp sudo_backup sudo (make sure you are in the right directory, otherwise add the path to both files).
If everything works as expected, apply the same change you made to the sudo file to the sudo-i file (used by sudo -i), so that no way around the new password is left. After this you can clean up and delete the backup file(s) with rm sudo_backup and rm sudo-i_backup, if you created that one too. Log out from root via exit.
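To make the checks in this section repeatable, here is an added read-only checker (it is not part of the original post). It verifies the folder permissions, the database entry and both pam.d files, and never edits anything; the paths, user name source (SUDO_USER) and the db_dump output format are assumptions of this script.

```shell
#!/bin/sh
# Added read-only checker, not part of the original post. It verifies the
# result of the steps above and edits nothing. Assumed paths are the
# tutorial's: /var/local/sudopasswd/passwd.db, /etc/pam.d/sudo, /etc/pam.d/sudo-i.
# Uses GNU stat and sed (as on Mobian/PureOS).

# check_pam_file FILE: 0 when FILE no longer includes common-auth and carries
# the three replacement auth lines (extra blanks ignored), otherwise 1.
check_pam_file() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    norm=$(sed -E 's/[[:space:]]+/ /g; s/^ //; s/ $//' "$f")   # squeeze whitespace
    if printf '%s\n' "$norm" | grep -Fqx '@include common-auth'; then
        echo "$f still includes common-auth"; return 1
    fi
    for want in \
      'auth [success=1 default=ignore] pam_userdb.so crypt=crypt db=/var/local/sudopasswd/passwd' \
      'auth requisite pam_deny.so' \
      'auth required pam_permit.so'; do
        printf '%s\n' "$norm" | grep -Fqx "$want" || { echo "$f lacks: $want"; return 1; }
    done
}

# check_db_dir DIR [OWNER] [GROUP]: 0 when DIR is mode 2750, owned by
# OWNER:GROUP (default root:shadow) and contains passwd.db, otherwise 1.
check_db_dir() {
    d="$1"; owner="${2:-root}"; group="${3:-shadow}"
    got=$(stat -c '%a %U %G' "$d" 2>/dev/null) || { echo "no directory $d"; return 1; }
    [ "$got" = "2750 $owner $group" ] || { echo "$d is '$got', want '2750 $owner $group'"; return 1; }
    [ -f "$d/passwd.db" ] || { echo "$d/passwd.db is missing"; return 1; }
}

# check_db_user DIR USER: 0 when USER is a key in DIR/passwd.db. Needs db_dump
# from db-util and root rights; assumes db_dump -p prints every key and value
# on its own line prefixed by one space.
check_db_user() {
    command -v db_dump >/dev/null || { echo "db_dump not installed"; return 1; }
    db_dump -p "$1/passwd.db" | grep -Fqx " $2" || { echo "no entry for user $2"; return 1; }
}

# Stand-alone use on a configured system (run as root): report every check.
if [ -d /var/local/sudopasswd ]; then
    rc=0
    check_db_dir /var/local/sudopasswd || rc=1
    check_db_user /var/local/sudopasswd "${SUDO_USER:-$(id -un)}" || rc=1
    for p in /etc/pam.d/sudo /etc/pam.d/sudo-i; do check_pam_file "$p" || rc=1; done
    [ "$rc" -eq 0 ] && echo "all checks passed"
fi
```

Run it from the root shell you kept open; each failed check prints what differs from the tutorial's expected state, so you know which step to redo before leaving root.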
Changing password again:
You can change your sudo password as often as you wish. Just generate the hash with mkpasswd -m sha-512 [password] again and recreate /var/local/sudopasswd/passwd.db with the db_load command, as described above.
Some final words:
All of this could be done in a single script, but since it is that critical, I do not want everyone just copy-pasting it and maybe messing something up. People who think they do not have the skills yet to follow my tutorial should probably not try yet. And for everyone else it is better to learn about Linux than to just copy stuff they do not understand.
I wish it would be included in the mobile settings app or something similar, but before I request that, I want some feedback from people who are maybe more experienced than I am.