
I am running a single-user Ubuntu install.

When I enter the password to unlock my screen after suspend/timeout, it is the same password I use for sudo - my user password. Is there any way for me to set a different, weaker password for unlocking from sleep, so it's safe to give it to friends that, for example, are reading something on my computer and forget to wiggle the mouse without me having to give them potential root access if they decided to?

The only reason I even have a lock screen is so little siblings won't hit random keys and mess up my work when I forget and leave for a minute, so lockscreen "security" is totally a non-issue.

I am using GDM / Gnome 3.16 on Ubuntu 15.04.

I need to add that removing my login account from sudoers and using another account for sudo-related work is not a solution that I can consider.

Robbie Wxyz
  • If they are on it why not just disable the lock? Also, if they have physical access they can change the password. – Tim May 05 '15 at 18:16
  • Yeah, that's an option, but sometimes I forget to, it's already asleep, and I want them to check something. Also, the only reason I use a lockscreen is because otherwise little kids will mess up everything. – Robbie Wxyz May 05 '15 at 18:18
  • Hmm good points. Okay, you could disable your account being root, then add a root password to the root account? http://askubuntu.com/a/490747/186134 – Tim May 05 '15 at 18:19
  • @Tim A few other places said something about PAM's per-app configuration ability, but didn't give details. After fiddling, I haven't gotten anywhere. Do you know anything about PAM? – Robbie Wxyz May 06 '15 at 03:57
  • Nothing sorry... :/ – Tim May 06 '15 at 15:37
  • Sorry, maybe I'm missing something, but couldn't you just do it the other way around? I.e. disable the lock and lock the screen when needed (i.e. when leaving the workstation to avoid the siblings messing things up)? – kos Oct 09 '15 at 17:58
  • @kos the thing is that I often don't know if it'll be two seconds or two hours. It's a laptop and I shut it either way for safety. – Robbie Wxyz Oct 09 '15 at 20:14
  • What do you mean? What I meant is: 1. You're with your friends: the lock is disabled, so no problem. 2. You're not with your friends and have to leave the workstation: Ctrl+Alt+L and the screen is locked (with your password), and you're free to go. – kos Oct 09 '15 at 20:20
  • [Check this link](http://askubuntu.com/questions/258049/use-one-password-for-administration-and-another-for-system-login). It deals with exactly your issue and has an accepted solution. – Amit Oct 09 '15 at 20:22
  • @Amit wow! that worked perfectly. I really wish I could split the bounty between you and AaronD. – Robbie Wxyz Oct 09 '15 at 20:43
  • Glad it worked for you. Since the question was not marked duplicate, I am copying the above comment to an answer and perhaps it can be marked solved. Just so that it's no longer an open question. – Amit Oct 09 '15 at 20:49
  • @Amit great. It'd be good to flesh out the answer a bit to explain that `/etc/pam.d/gdm-password` should be edited instead of `/etc/pam.d/sudo`. And please do upvote AaronD. – Robbie Wxyz Oct 09 '15 at 20:52
  • @SuperScript I upvoted the answer. I am not too sure about editing gdm-password. On my machine I could not find the `/etc/pam.d/gdm-password` file, only `/etc/pam.d/sudo`. So I just mentioned the link. That's all. Maybe you could add what worked for you under the same link, so the next person who searches would have both your steps in 1 place. – Amit Oct 09 '15 at 21:00

1 Answer


Gnome/GDM (through PAM) normally use your user account info defined in /etc/passwd and /etc/shadow.

You are (I am) correct that the configuration files in /etc/pam.d/* are how the configuration is done, but first, you need to create a new passwd file with your desired lock screen password. This great answer by @AaronD (please do upvote him) has details on how to do that using htpasswd editor.

Once you have created that alternative passwords file, save it to /etc/gdm.passwd (or somewhere) and add this line to the beginning of /etc/pam.d/gdm-password:

```
auth     required  pam_pwdfile.so pwdfile /etc/gdm.passwd
```

where /etc/gdm.passwd is the path where you saved the passwd file. And comment out the system-local-login line that follows. This switches the required authentication from pulling from normal local account to your new configuration.

No restarting or anything should be required, just save that file and Super+L to test it out!


This is just a compilation of the procedure that worked out for me. All credit to @AaronD and @Amit.

Robbie Wxyz
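
The edit described in the answer above, written as a script that can be rehearsed on a copy of the PAM file first (an added example, not part of the original answer). It refuses a password file that group or others can access, keeps a backup, and comments out only the first active `system-local-login` line; the function names, the `--demo` flag and the sample PAM file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Function names, --demo and the sample file are constructed;
# only the auth line and "system-local-login" come from the answer above.

# True only if the password file has no group/other permission bits (GNU stat).
pwdfile_is_private() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Put the pam_pwdfile rule ahead of the first active rule and comment out the
# first active line containing $3. Idempotent; the original is kept as FILE.bak.
patch_pam_file() {
    local pam_file="$1" pwd_file="$2" old="${3:-system-local-login}" tmp rc=0
    grep -q '^[[:space:]]*auth.*pam_pwdfile\.so' "$pam_file" && return 0
    pwdfile_is_private "$pwd_file" ||
        { echo "refusing: $pwd_file is group/world accessible" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v new="auth     required  pam_pwdfile.so pwdfile $pwd_file" -v old="$old" '
        /^[ \t]*(#|$)/ { print; next }          # keep comments and blank lines
        !done { print new; done = 1 }           # new rule goes first
        !hit && index($0, old) { print "#" $0; hit = 1; next }
        { print }
        END { exit !(done && hit) }             # fail if nothing was commented out
    ' "$pam_file" > "$tmp" ||
        { rm -f "$tmp"; echo "no active \"$old\" line in $pam_file" >&2; return 1; }
    cp -p "$pam_file" "$pam_file.bak" && cat "$tmp" > "$pam_file" || rc=1
    rm -f "$tmp"; return "$rc"
}

# Constructed sample standing in for /etc/pam.d/gdm-password.
write_sample_pam() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth     requisite pam_nologin.so
auth     include   system-local-login
account  include   system-local-login
session  include   system-local-login
EOF
}

if [ "${1:-}" = "--demo" ]; then        # run on throwaway copies, never on /etc
    dir=$(mktemp -d); write_sample_pam "$dir/gdm-password"
    : > "$dir/gdm.passwd"; chmod 600 "$dir/gdm.passwd"
    patch_pam_file "$dir/gdm-password" "$dir/gdm.passwd"
    diff "$dir/gdm-password.bak" "$dir/gdm-password"; rm -rf "$dir"
fi
```

When applying it to the real file, keep a root shell open in another terminal until the lock screen has been tested, so the `.bak` copy can be restored if authentication fails.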