Applies to: Centrify DirectControl 5.x on Mac OS X
How can sudo be configured in order to work with smart card authentication on OS X workstations?
Currently, the only way for sudo to work with smart cards on OS X is to edit the sudoers file (located at: /etc/) and set the "NOPASSWD" flag.
1.) Open up Terminal.app (Located in /Applications/Utilities/Terminal.app)
2.) Type 'sudo visudo' **Note: This file MUST be edited with the 'visudo' command as root. Failure to use 'visudo' may result in syntax or file permission errors that prevent sudo
3.) Use the down arrow key to navigate to the section with this header: "# User privilege specification" for user modification, or "# Same thing without a password" for group modification.
4.) Set the "NOPASSWD" flag for each group and/or user that you want to allow to use sudo without a password.
4a.) In the example below, anyone in the "admin" group can use sudo without a password, and the user "user.name" can also use sudo without a password. Anyone in the "wheel" group must still enter a password to use sudo.
5.) Press the ctl key and the c key on the keyboard simultaneously (ctl+c)
6.) Type :wq and press the enter key to exit visudo and save changes
Note 1: With the above edit to the sudoers file, ONLY members of the admin group with administrator rights on the local machine will be able to use the sudo command without a password. This does not let unauthorized users run the sudo command.
For example, on a one-user-per-computer setup, only the local admin and the Active Directory user will be able to use sudo without a password, provided the AD user has administrator rights on the machine.
In order to give an individual Active Directory user local administrator rights to a computer, please see:
KB-2684: How to make an individual AD user into a Local Admin on Mac OS X without using Group Policies.
Note 2: These groups can also be configured with Centrify group policy using the Computer Settings > Centrify Settings > Common UNIX Settings policy. The policy entry uses the same syntax as the sudoers file: %admin ALL=(ALL) NOPASSWD: ALL