This is like the nuclear launch code thing.
You need two sets of keys.

The suggestion of a two stage sudo sounds
good.

        %group1  ALL=(root2) ALL
        %group2  ALL=(root1) ALL

        root2   ALL=(ALL) ALL
        root1   ALL=(ALL) ALL

group1 doesn't know root2's password
group2 doesn't know root1's password

You might want to turn off the cached
sudo authentication. (timestamp_timeout=0)

Someone has to set this up though.  They have to
be trusted.


Another might be to find / hack up a PAM module
to require two passwords.  sudo uses PAM.

Another is http://www.pamusb.org/.  One mob has
the key and the others have the password. I don't
think this one is really workable.

In the 'not answering your specific question dept':
A possible solution to this problem of mistrust
is to use 'sudosh'.  This is a shell which syslogs
all keystrokes made while sudo'd to a root shell.

Not sure how it works and never used it, but it
might be worth looking into.

Matt

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
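
An added example, not part of the original message: a small audit that checks a sudoers layout like the two-stage one above for the ways the two-person property can break (cached credentials, a one-step path to root, one person in both groups). The `audit` function, the sample group members and the simplified one-rule-per-line parser are assumptions made for illustration.

```python
import re

# Constructed sample: the two-stage layout from the message, with
# credential caching turned off as the message suggests.
SUDOERS = """\
Defaults timestamp_timeout=0
%group1  ALL=(root2) ALL
%group2  ALL=(root1) ALL
root2    ALL=(ALL) ALL
root1    ALL=(ALL) ALL
"""
# Constructed group membership (hypothetical users).
GROUPS = {"group1": {"alice", "bob"}, "group2": {"carol", "dave"}}

# who  host = (runas list) commands
RULE = re.compile(r"^(%?[\w.-]+)\s+\S+\s*=\s*\(([^)]*)\)\s*(.+)$")
NO_CACHE = re.compile(r"^Defaults\b.*\btimestamp_timeout\s*=\s*0\s*(?:,|$)")

def audit(sudoers, groups, stage_accounts=("root1", "root2")):
    """Return findings that break the two-person property.

    Simplified parser (assumption): one rule per line, no aliases,
    no #include directives, no line continuations.
    """
    findings = []
    lines = [l.split("#", 1)[0].strip() for l in sudoers.splitlines()]
    if not any(NO_CACHE.match(l) for l in lines):
        findings.append("timestamp_timeout=0 not set: sudo credentials are cached")
    for line in lines:
        m = RULE.match(line)
        if not m or line.startswith("Defaults"):
            continue
        who, runas, _cmds = m.groups()
        targets = {t.strip().split(":")[0] for t in runas.split(",")}
        # Only the intermediate accounts may run commands as root or ALL.
        if who not in stage_accounts and targets & {"ALL", "root"}:
            findings.append(f"{who} can reach root in one step: {line}")
    # Anyone in both groups could learn both passwords and act alone.
    pairs = list(groups.items())
    for i, (g1, m1) in enumerate(pairs):
        for g2, m2 in pairs[i + 1:]:
            for user in sorted(m1 & m2):
                findings.append(f"{user} is in both {g1} and {g2}")
    return findings

if __name__ == "__main__":
    print(audit(SUDOERS, GROUPS) or "no findings")
```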
