Hello!

What ====

In a month from now, the sudo configuration on torproject.org machines will change. While right now your normal LDAP password can be used to authenticate with sudo, but it will then require you to use the dedicated sudo password.

When ====

For now, both the LDAP password and the new sudo password will work to authenticate to sudo. Starting in the third week of October (around October 14th), the LDAP password will no longer be accepted for sudo authentication.

Note that this was previously announced in March 2016, but never enforced:

https://lists.torproject.org/pipermail/tor-project/2016-March/000199.html

How ===

The LDAP password is the one you got sent in encrypted mail when your account was first created on db.torproject.org. You should have changed that on the [web interface][]. This password is the one that also allows you to log into the management interface there and change for instance your mail forwarding configuration or your sudo password.

[web interface]: https://db.torproject.org/login.html

To set the sudo password:

1. go to the user management website above 2. pick "Update my info" 3. set a new (strong) sudo password

If you want, you can set a password that works for all the hosts that are managed by torproject-admin, by using the "wildcard ("*"). Alternatively, or additionally, you can have per-host sudo passwords -- just select the appropriate host in the pull-down box.

Once set on the web interface, you will have to confirm the new settings by sending a signed challenge to the mail interface. Please ensure you don't introduce any additional line breaks.

Note that setting a sudo password will only enable you to use sudo to configured accounts on configured hosts. Consult the output of "sudo -l" if you don't know what you may do. (If you don't know, chances are you don't need to nor can use sudo.)

Why ===

We prefer to use two authentication factors to access the more powerful "sudo" command, this is a security measure. We want a different password for anything that elevates your privilege, in other words.

Who ===

This change is operated by the Tor Project sysadmins (TPA). If you have any questions or comments, feel free to respond to this message or followup in ticket #6367.