Disabling password for all sudo users.
by roffeboffe from LinuxQuestions.org on (#5DARF)
I am in the process of "forbidding" passwords for users with sudo access. This means they will need to log in with pubkey-auth and have NOPASSWD in sudoers.
The thought behind this is that if there are no passwords, there are no hashes to steal/crack. Is this a good approach, and if not, why?
However, I will need one user with password access for access via local console. What would you choose: A user with sudo access or enabling password for root?
I will probably use a scheduled job in ansible/AWX to enforce disabled passwords to prevent users from not complying with this policy.
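A compliance check of the kind the scheduled job could run, given as an added example that is not part of the original post. It assumes sudo rights are granted through the `sudo` or `wheel` group and uses a hypothetical `breakglass` account as the one console user; the group and shadow entries are constructed. It separates accounts with no hash from accounts locked with `passwd -l`, which only prepends `!` and leaves the hash on disk.

```python
# Constructed sample data; on a real host read /etc/group and /etc/shadow as root.
SAMPLE_GROUP = "sudo:x:27:alice,bob,carol,breakglass\nwww-data:x:33:\n"
SAMPLE_SHADOW = """\
alice:!:19700:0:99999:7:::
bob:$6$CONSTRUCTEDsalt$CONSTRUCTEDhash:19700:0:99999:7:::
carol:!$6$CONSTRUCTEDsalt$CONSTRUCTEDhash:19700:0:99999:7:::
breakglass:$6$CONSTRUCTEDsalt$CONSTRUCTEDhash:19700:0:99999:7:::
dave:$6$CONSTRUCTEDsalt$CONSTRUCTEDhash:19700:0:99999:7:::
"""
ADMIN_GROUPS = {"sudo", "wheel"}  # assumption: sudo rights come from these groups
CONSOLE_EXEMPT = {"breakglass"}   # hypothetical name for the one console account


def admin_users(group_text, admin_groups=ADMIN_GROUPS):
    """Supplementary members of the admin groups (group(5) format)."""
    users = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] in admin_groups:
            users.update(u for u in fields[3].split(",") if u)
    return users


def classify(pw_field):
    """Classify the second field of a shadow(5) entry."""
    if pw_field == "":
        return "empty"  # empty field: may allow login with no password
    if pw_field[0] in "!*":
        # passwd -l only prepends '!'; the old hash stays on disk behind it
        return "locked-hash-retained" if "$" in pw_field else "no-hash"
    return "usable-hash"


def audit(group_text, shadow_text, exempt=CONSOLE_EXEMPT):
    """Map each non-exempt admin user that violates the policy to a finding."""
    admins = admin_users(group_text) - set(exempt)
    findings = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] in admins:
            state = classify(fields[1])
            if state != "no-hash":
                findings[fields[0]] = state
    return findings


if __name__ == "__main__":
    for user, state in sorted(audit(SAMPLE_GROUP, SAMPLE_SHADOW).items()):
        print(f"{user}: {state}")
```

Users who hold sudo rights only through a per-user sudoers entry or a primary group are not seen by this group-based lookup.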

