I do not use the root account at all; the system itself is physically secure, and the only access to sudo is my account, which I only access via 2 remote computers over ssh/pubkey.
SSH password login is disabled. I have wanted to weaken my sudo password for ease of use, as the access requires a pubkey.
Am I missing anything???
I guess it depends on what you need to use it for. If you only really use a handful of elevated commands you could set these to be usable without a password but require a password for any other elevated function.
You have a couple of other options other than using NOPASSWORD in the sudo config.
If you are concerned about ease of use, but don't want to use root, don't want to configure nopassword, and don't want to type it in all the time, you could get something like a YubiKey and set a static password on it. One press = password entered.
You could not bother with sudo at all, and just use root for your elevated privileges.
You could just set your user to run any elevated command via sudo without a password.
^^^ This above will suffice for most user case scenarios not requiring a ridiculous amount of “security.”
Thanks, I didn't know this was an option. Really it's just annoying that apt-get upgrade needs sudo.
So um, as long as the machine is physically secure, you could have a pass of “1234” and everything will be ok?
Partially. If the physical machine is secure, a password on the account is less of an issue, but in this case it's connected to the internet. @kenkoda is protecting his account with ssh keys, so only the person with the right key can access the system without a password, and password login on his machine is disabled.
Once you're on the system, passwords are usually still needed for certain things like sudo. But as he's the only person who could connect to it, it isn't necessarily an issue to put some sudo rules in to allow commands without a password, for example.
The root account should still have a strong password; an example of using a YubiKey might be useful, or a password manager, so you can keep it safe and won't forget it.
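Putting the "some commands without a password, password for everything else" suggestion into a sudoers drop-in, as an added example that is not from anyone in this thread (the username `kenkoda` and the file name are placeholders; the stock `%sudo ALL=(ALL:ALL) ALL` line in /etc/sudoers is assumed to still be present):

```sudoers
# /etc/sudoers.d/10-apt-nopasswd
# Always edit with:  sudo visudo -f /etc/sudoers.d/10-apt-nopasswd
# (visudo syntax-checks the file so a typo cannot lock you out of sudo)

# Only these exact invocations run without a password. Because the argument
# list is spelled out, nothing can be appended: "sudo apt-get upgrade -y"
# does NOT match this alias and falls back to the normal password prompt.
Cmnd_Alias APT_MAINT = /usr/bin/apt-get update, \
                       /usr/bin/apt-get upgrade, \
                       /usr/bin/apt-get dist-upgrade

# sudo applies the last matching rule. /etc/sudoers pulls in sudoers.d at
# its end (#includedir), so this NOPASSWD entry wins for the three commands
# above, while every other command still hits the general "%sudo" rule and
# asks for the account password.
kenkoda ALL=(root) NOPASSWD: APT_MAINT
```

Check the result without logging out: `sudo -l` lists the rules that apply to you, and `sudo -n apt-get update` should succeed while `sudo -n apt-get install foo` is refused for lack of a password.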
If you use KeePass you can use a file as the key for password unlock. You just have to toss the file on a USB stick, and regenerate it every few months.