Best way to set up sudo authentication on servers that don't use a password?













4














With sudo, you can either set it to ask for a password or not ask for a password.



Historically, everything was password-protected, which is the model that I am used to. However, encryption seems to be favoring public/private key authentication more and more nowadays.



This is evident in the fact that when I spin up a server on GCP, AWS, or DigitalOcean, I don't get a password. Instead I get a key that I use to log in.



Now, if I want to do sudo when I am logged in, it doesn't ask me for a password. This is obviously due to the fact that a password was never given to me, only a key was. And sudo doesn't ask for a password because of the following rule in /etc/sudoers.d/90-cloud-init-users:




ubuntu ALL=(ALL) NOPASSWD:ALL




This is fine for one user. But what happens if a server has 3-4 users, all of whom need sudo access, and all of whom are using keys to log in rather than a password? You want to make sure that one user can't do



sudo su - <someone else's username>
sudo <command>


Is the encouraged practice to not allow password authentication when connecting with sshd, but to give all the users a password that is used for sudo authentication? Or to use pam_ssh_agent_auth to allow sudo to authenticate with another set of private/public keys that have a passphrase? Or is there something else that should be done?










      sudo key-authentication














      edited Dec 25 '18 at 21:12









      Peter Mortensen

      88358














      asked Dec 25 '18 at 12:07









      modernNeo

      283
























          1 Answer
          3






          Password authentication for access to sudo doesn't restrict what commands can be run.



          e.g.



          myuser ALL=(ALL) NOPASSWD: ALL
          youruser ALL=(ALL) ALL


          lets both users run exactly the same commands, just you need to enter your password, and I don't.



          Instead the idea is to only grant users the privileged commands they need, rather than "ALL" commands. So if user1 only needs to reboot the server you might give them



          user1 ALL=(root) NOPASSWD: /usr/sbin/reboot


          Now all they can do is reboot the server.



          This follows the principle of least privilege; only give people the commands they need.



          Further reading: https://www.sweharris.org/post/2018-08-26-minimal-sudo/

















          answered Dec 25 '18 at 15:14









          Stephen Harris

          25.2k24477











          • 1




            I never said that Password authentication for access to sudo restricts what commands can be run, I said that Password authentication for access to sudo restricts who can run the sudo command when logged in as each user.
            – modernNeo
            Dec 25 '18 at 20:20










          • And I want to give my users the ability to run any command they want via sudo, I just want to also make sure that there is a reliable way to authenticate them when they run sudo.
            – modernNeo
            Dec 25 '18 at 21:20











          • @modernNeo Password authentication would not prevent a user from running sudo su - youruser.
            – user2233709
            Dec 25 '18 at 21:40










          • @user2233709 I am not trying to prevent them from running sudo as themselves but rather running sudo as another user.
            – modernNeo
            Dec 25 '18 at 22:09










          • @user2233709 To put it another way, I want to know the best way to prevent someone from being able to run "sudo <command>" after switching to another user when sudo isn't using password authentication.
            – modernNeo
            Dec 25 '18 at 22:10
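
Added example, not part of the original answer or comments: a small shell audit that separates the two questions this thread keeps mixing, namely whether a sudoers rule asks for a password and whether it grants ALL commands. It runs over the rules quoted on this page plus one constructed `%ops` rule; the function names and the `%ops` line are assumptions for illustration, and the parser handles one rule per line only.

```shell
#!/bin/sh
# Added example: classify sudoers rules by auth requirement and command scope.

# Constructed sample: the rules quoted on this page plus one hypothetical group rule.
sample_sudoers() {
    cat <<'EOF'
# rules in the style of /etc/sudoers.d/90-cloud-init-users
ubuntu ALL=(ALL) NOPASSWD:ALL
Defaults env_reset
myuser ALL=(ALL) NOPASSWD: ALL
youruser ALL=(ALL) ALL
user1 ALL=(root) NOPASSWD: /usr/sbin/reboot
%ops ALL=(root) /usr/sbin/reboot, /usr/bin/systemctl restart nginx
EOF
}

# Reads sudoers-format text on stdin and prints one line per rule:
#   <who> <runas> <passwd|nopasswd> <restricted|unrestricted>
# Simplifications: comments, Defaults and *_Alias lines are skipped;
# line continuations and alias expansion are not handled.
audit_sudoers() {
    awk '
    /^[ \t]*#/ { next }                                  # comments and #include lines
    /^[ \t]*$/ { next }                                  # blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
    {
        eq = index($0, "=")                              # host list ends at the first "="
        if (eq == 0) next
        who = $1
        spec = substr($0, eq + 1)
        runas = "root"                                   # sudo default when no (runas) is given
        if (match(spec, /^[ \t]*\([^)]*\)/)) {
            runas = substr(spec, RSTART, RLENGTH)
            gsub(/[ \t()]/, "", runas)
            spec = substr(spec, RSTART + RLENGTH)
        }
        auth = (spec ~ /NOPASSWD[ \t]*:/) ? "nopasswd" : "passwd"
        gsub(/[A-Z_]+[ \t]*:/, "", spec)                 # drop tags such as NOPASSWD:
        scope = "restricted"
        n = split(spec, cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            sub(/^[ \t]+/, "", c)
            sub(/[ \t]+$/, "", c)
            if (c == "ALL") scope = "unrestricted"       # any command, password or not
        }
        print who, runas, auth, scope
    }'
}

# Accounts whose rule allows every command; each of these can run
# "sudo su - <other user>" whether or not a password prompt is configured.
unrestricted_users() {
    audit_sudoers | awk '$4 == "unrestricted" { print $1 }'
}

sample_sudoers | audit_sudoers
```

On a real host, feed it a file as root, for example `audit_sudoers < /etc/sudoers.d/90-cloud-init-users`.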











