
KB-4878: Configuring sudo to work with smart cards on OS X

12 April,16 at 11:17 AM

Applies to: Centrify DirectControl 5.x on Mac OS X
 
Question:
 
How can sudo be configured in order to work with smart card authentication on OS X workstations?
 
Answer: 
 
Currently, the only way for sudo to work with smart cards on OS X is to edit the sudoers file, located at /etc/, and set the "nopasswd" flag:

     1.) Open up Terminal.app (Located in /Applications/Utilities/Terminal.app)
     
     2.) Type 'sudo visudo'
           **Note: This file MUST be edited with the 'visudo' command as root. Failure to use 'visudo' may result in syntax or file permission errors that prevent sudo from running.

     3.) Use the down arrow key to navigate to the section with this header: "# User privilege specification" for user modification, or "# Same thing without a password" for group modification.

     4.) Set the "nopasswd" flag for each group and/or user that you want to allow sudo without a password.

          4a.) In the example below, anyone in the "admin" group can use sudo without a password. Also, the user "user.name" will be allowed to use sudo without a password. Anyone in the "wheel" group will still have to specify a password in order to use sudo.
     
     5.) Press the ctl key and the c key on the keyboard simultaneously (ctl+c) 
     6.) Type :wq  and press the enter key to exit visudo and save changes
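
After saving, it is useful to confirm exactly which users and groups now have passwordless sudo. The script below is an added example, not part of the original article or of Centrify's tooling; the function names and the sample sudoers content are constructed for illustration and mirror the case described in step 4a.

```shell
#!/bin/sh
# Added example (not from the original article): list the users and groups
# that a sudoers-format file allows to run sudo without a password.

# Print one principal per line (user, %group or alias name) for every user
# specification tagged NOPASSWD. Files pulled in via #include are not followed.
nopasswd_principals() {
    awk '
        # Join continuation lines that end in a backslash.
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        # Skip blanks, comments (but not "#uid" users), Defaults and aliases.
        line ~ /^[ \t]*$/ { next }
        line ~ /^[ \t]*#/ && line !~ /^[ \t]*#[0-9]/ { next }
        line ~ /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
        line !~ /NOPASSWD[ \t]*:/ { next }
        {
            # Spec layout is "users hosts = commands"; keep the user list.
            left = substr(line, 1, index(line, "=") - 1)
            gsub(/[ \t]*,[ \t]*/, ",", left)
            sub(/^[ \t]+/, "", left)
            split(left, f, /[ \t]+/)
            n = split(f[1], users, ",")
            for (i = 1; i <= n; i++) print users[i]
        }
    ' "$1" | LC_ALL=C sort -u
}

# Constructed sample mirroring step 4a: admin group and user.name get
# NOPASSWD, wheel still needs a password.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# User privilege specification
root        ALL=(ALL) ALL
%admin      ALL=(ALL) NOPASSWD: ALL
user.name   ALL=(ALL) NOPASSWD: ALL
# Same thing without a password
# %staff    ALL=(ALL) NOPASSWD: ALL
%wheel      ALL=(ALL) ALL
EOF
    nopasswd_principals "$tmp"
    rm -f "$tmp"
}

# With a path argument, audit that file; with none, run the sample.
if [ "$#" -gt 0 ]; then nopasswd_principals "$1"; else demo; fi
```

Run it with the path of the sudoers file as its argument (as root, since the file is not world-readable) and compare the output against the list of accounts you intended to change.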

Note 1: With the above edit to the sudoers file, ONLY members of the admin group with administrator rights on the local machine will be able to use the sudo command without a password. This does not pose a security threat of unauthorized users being able to use the sudo command.

For example: in one-user-per-computer cases, only the local admin and the Active Directory user will be able to use sudo without a password, as long as the AD user has administrator rights to the machine.

In order to give an individual Active Directory user local administrator rights to a computer, please see:

KB-2684: How to make an individual AD user into a Local Admin on Mac OS X without using Group Policies.


Note 2: These groups can be configured with Centrify group policy using the Computer Settings > Centrify Settings > Common UNIX Settings policy. The context for the policy is the same as the sudoers file: %admin  ALL=(ALL) NOPASSWD: ALL
