<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Hank Beaver &#187; md5</title>
	<atom:link href="http://www.hankbeaver.com/index.php/tag/md5/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.hankbeaver.com</link>
	<description>Open-source, Internet technologist who works for MaxMedia located in Atlanta, GA, USA</description>
	<lastBuildDate>Tue, 09 Aug 2011 18:20:00 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>&#8216;OTP&#8217; based sudo, with per process restrictions.</title>
		<link>http://www.hankbeaver.com/index.php/2008/07/30/otp-based-sudo-with-per-process-restrictions/</link>
		<comments>http://www.hankbeaver.com/index.php/2008/07/30/otp-based-sudo-with-per-process-restrictions/#comments</comments>
		<pubDate>Wed, 30 Jul 2008 23:05:08 +0000</pubDate>
		<dc:creator>hbeaver</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[linux]]></category>
		<category><![CDATA[challenge-reponse]]></category>
		<category><![CDATA[md5]]></category>
		<category><![CDATA[otp]]></category>
		<category><![CDATA[runas]]></category>
		<category><![CDATA[sudo]]></category>
		<category><![CDATA[unix]]></category>

		<guid isPermaLink="false">http://1000fires.com/wordpress/?p=41</guid>
		<description><![CDATA[Is it possible to audit Unix/Linux server root access per task and on temporary basis?
Yes.
Years ago I wrote a &#8217;sudo&#8217; equivalent in W32, but with a big twist. It was called &#8220;RunAuth&#8221;. It used the API &#8220;run as&#8221; mechanisms. It gave admin access based on an OTP (http://en.wikipedia.org/wiki/One_time_password). The OTP was NOT automatic. The person [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Is it possible to audit Unix/Linux server root access per task and on temporary basis?</strong></p>
<p>Yes.</p>
<p>Years ago I wrote a &#8216;sudo&#8217; equivalent in W32, but with a big twist. It was called &#8220;RunAuth&#8221;. It used the API &#8220;run as&#8221; mechanisms. It gave admin access based on an OTP (http://en.wikipedia.org/wiki/One_time_password). The OTP was NOT automatic. The person had to call the helpdesk to get a code. It was based on a shared secret and MD5. Secondly, the code provided defined the exact process that could be executed by the RunAuth client.</p>
<p><strong>Use Case:</strong><br />
Field Sales Person wants to install a new HP Printer. User does NOT have local admin. How to install a printer driver without shipping computer to IT?</p>
<p><strong>Solution:</strong><br />
Start RunAuth, choose install printer driver, and a challenge code is presented. Tell the IT person over the phone the code. They provide a response that immediately executes the install printer wizard as admin. The actual MD5 signature of the DLL or EXE is also validated before running to ensure no trojan or backdoor is created. Upon completion of the task, the machine logs out the user or requires a reboot.</p>
<p><strong>Point:</strong><br />
The same can be accomplished in Linux.<br />
Think of sudo with one-time password access. Why is this important? Because it means admins don&#8217;t have sole control over root access. It requires &#8220;dual&#8221; access: someone else, who is not an admin, has to consent to the changes or stated objective in order to provide the admin a one-time sudo password. So if the automated provisioning cannot handle a task or an emergency occurs, there is still a regimented procedure for performing ad hoc tasks, but with change control enforced at the OS.</p>
<p>I&#8217;d like to hear your opinions.</p>
<p>H</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hankbeaver.com/index.php/2008/07/30/otp-based-sudo-with-per-process-restrictions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

