Is it possible to enable sudo for users on a smart-card-only machine?

Answer:
Yes. For machines that are solely smart-card-required, the only way to do this is to set the "nopasswd" flag for specified users.
- When the per-user "Smart card required to log in" setting is checked in ADUC (as opposed to the per-machine GP setting), the user's password is deleted from Active Directory, so no password exists to be entered.
- The ‘passwd’ flag in sudoers is set so that, if a user leaves their workstation, another person cannot come along and use sudo on the system.
- With smart cards, the ideal situation is that whenever the user leaves the workstation, they also take the smart card with them (this card-removal event can be set to auto-lock the system via group policy).
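
Because the flag removes sudo's re-authentication step, it is worth checking that only the intended accounts carry it. The script below is an added example, not part of the original article: it audits sudoers text for rules using the `NOPASSWD:` tag (the sudoers spelling of the flag) against an approved list. The user names, the `%helpdesk` group and the function names are hypothetical, and the sample sudoers content is constructed.

```shell
#!/usr/bin/env bash
# Added example: report NOPASSWD rules in sudoers text and flag any
# principal that is not on the approved list.

# Constructed sample sudoers content (hypothetical users and group).
sample_sudoers() {
cat <<'EOF'
# smart-card-only workstation
Defaults    env_reset
alice       ALL=(ALL) NOPASSWD: ALL
bob         ALL=(root) NOPASSWD: /usr/bin/systemctl restart sshd
%helpdesk   ALL=(ALL) NOPASSWD: ALL
carol       ALL=(ALL) ALL
EOF
}

# Usage: nopasswd_audit "<approved principals, space separated>" < sudoers
# Output: one line per NOPASSWD rule: STATUS<TAB>principal<TAB>SCOPE
#   STATUS  OK (principal is approved) or UNAPPROVED
#   SCOPE   ALL (every command) or LIMITED (specific commands only)
# Assumption: one rule per line; backslash continuations, aliases and
# included files are not resolved by this sketch.
nopasswd_audit() {
  awk -v approved="$1" '
    BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, #include lines, blanks
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }  # not user specifications
    /NOPASSWD[ \t]*:/ {
      cmds = $0
      sub(/.*NOPASSWD[ \t]*:[ \t]*/, "", cmds)   # keep only the command list
      scope = (cmds ~ /^ALL([ \t]*,|[ \t]*$)/) ? "ALL" : "LIMITED"
      printf "%s\t%s\t%s\n", (($1 in ok) ? "OK" : "UNAPPROVED"), $1, scope
    }'
}

# Demonstration on the constructed sample: alice and bob are approved.
sample_sudoers | nopasswd_audit "alice bob"
```

On a real system, feed it the contents of `/etc/sudoers` and each file under `/etc/sudoers.d/`, and validate any change with `visudo -c` before relying on it.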