Best way to set up sudo authentication on servers that don't use a password?










With sudo, you can either set it to ask for a password or not ask for a password.

Historically, everything was password-protected, which is the model that I am used to. However, encryption seems to be favoring public/private key authentication more and more nowadays.

This is evident in the fact that when I spin up a server on GCP, AWS, or DigitalOcean, I don't get a password. Instead I get a key that I use to log in.

Now, if I want to do sudo when I am logged in, it doesn't ask me for a password. This is obviously due to the fact that a password was never given to me, only a key was. And sudo doesn't ask for a password because of the following rule in /etc/sudoers.d/90-cloud-init-users:

    ubuntu ALL=(ALL) NOPASSWD:ALL

This is fine for one user. But what happens if a server has 3-4 users, all of whom need sudo access, and all of whom are using keys to log in rather than a password? You want to make sure that one user can't do

    sudo su - <someone else's username>
    sudo <command>

Is the encouraged practice to not allow password authentication when connecting with sshd, but to give all the users a password that is used for sudo authentication? Or to use pam_ssh_agent_auth to allow sudo to authenticate with another set of private/public keys that have a passphrase? Or is there something else that should be done?










      sudo key-authentication






      edited 10 hours ago









      Peter Mortensen

      asked 19 hours ago









      modernNeo

          1 Answer
Password authentication for access to sudo doesn't restrict what commands can be run.

e.g.

    myuser ALL=(ALL) NOPASSWD: ALL
    youruser ALL=(ALL) ALL

lets both users run exactly the same commands, just you need to enter your password, and I don't.

Instead, the idea is to only grant users the privileged commands they need, rather than "ALL" commands. So if user1 only needs to reboot the server you might give them

    user1 ALL=(root) NOPASSWD: /usr/sbin/reboot

Now all they can do is reboot the server.

This follows the principle of least privilege; only give people the commands they need.

Further reading: https://www.sweharris.org/post/2018-08-26-minimal-sudo/







          answered 16 hours ago









          Stephen Harris
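The distinction drawn in the answer above can be checked mechanically. The following is an added example, not part of the original answer and not sudo's own parser: a simplified reader for one-line sudoers user specifications that reports, per rule, whether the command list is unrestricted and whether a password is required. It assumes no aliases, Defaults lines or line continuations, and the `operator1` rule is constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: the rules quoted on this page, plus one made-up
# "operator1" rule showing how a tag carries over within a command list.
SAMPLE_SUDOERS = """\
# rule from /etc/sudoers.d/90-cloud-init-users, as quoted in the question
ubuntu ALL=(ALL) NOPASSWD:ALL
myuser ALL=(ALL) NOPASSWD: ALL
youruser ALL=(ALL) ALL
user1 ALL=(root) NOPASSWD: /usr/sbin/reboot
operator1 ALL=(root) NOPASSWD: /usr/sbin/reboot, PASSWD: /usr/sbin/shutdown -h now
"""

# who host = (runas) command-list, where the (runas) part is optional.
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^([A-Z_]+):\s*")
# Simplification: every line starting with "#" is treated as a comment, and
# Defaults and alias definitions are skipped rather than expanded.
SKIP_PREFIXES = ("#", "@include", "Defaults", "User_Alias", "Runas_Alias",
                 "Host_Alias", "Cmnd_Alias")


@dataclass
class Rule:
    who: str
    runas: str
    commands: list  # [(command, password_required), ...]

    @property
    def verdict(self):
        # Authentication and authorization are separate axes: "ALL" in the
        # command list is full access whether or not a password is asked for.
        unrestricted = [pw for cmd, pw in self.commands if cmd == "ALL"]
        if not unrestricted:
            return "scoped"
        if all(unrestricted):
            return "unrestricted+password"
        return "unrestricted+nopasswd"


def parse_rule(line):
    m = SPEC_RE.match(line.strip())
    if not m:
        return None
    password_required = True  # sudo authenticates unless NOPASSWD is set
    commands = []
    for item in m.group("cmds").split(","):
        item = item.strip()
        # A tag applies to its command and to the following ones, until the
        # opposite tag overrides it.
        while (tag := TAG_RE.match(item)):
            if tag.group(1) == "NOPASSWD":
                password_required = False
            elif tag.group(1) == "PASSWD":
                password_required = True
            item = item[tag.end():]
        if item:
            commands.append((item, password_required))
    return Rule(m.group("who"), m.group("runas") or "root", commands)


def audit(text):
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(SKIP_PREFIXES):
            continue
        rule = parse_rule(stripped)
        if rule:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for r in audit(SAMPLE_SUDOERS):
        cmds = "; ".join(f"{c} [{'passwd' if pw else 'nopasswd'}]"
                         for c, pw in r.commands)
        print(f"{r.who:10} as ({r.runas:4}) {r.verdict:22} {cmds}")
```

On the sample, `myuser` and `youruser` get the same command set and differ only in the password flag, while `user1` is the only page rule reported as scoped.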

          • I never said that Password authentication for access to sudo restricts what commands can be run, I said that Password authentication for access to sudo restricts who can run the sudo command when logged in as each user.
            – modernNeo
            11 hours ago

          • and I want to give my users the ability to run any command they want via sudo, I just want to also make sure that there is a reliable way to authenticate them when they run sudo.
            – modernNeo
            10 hours ago

          • @modernNeo Password authentication would not prevent a user from running sudo su - youruser.
            – user2233709
            9 hours ago

          • @user2233709 I am not trying to prevent them from running sudo as themselves but rather running sudo as another user.
            – modernNeo
            9 hours ago

          • @user2233709 To put it another way, I want to know the best way to prevent someone from being able to run "sudo <command>" after switching to another user when sudo isn't using password authentication.
            – modernNeo
            9 hours ago











