best way to set up sudo authentication on servers that don't use a password?
With sudo, you can either set it to ask for a password or not ask for a password.

Historically, everything was password-protected, which is the model that I am used to. However, encryption seems to be favoring public/private key authentication more and more nowadays.

This is evident in the fact that when I spin up a server on GCP, AWS or DigitalOcean, I don't get a password; instead I get a key that I use to log in. Now, if I want to do sudo when I am logged in, it doesn't ask me for a password. This is obviously due to the fact that a password was never given to me, only a key was. And sudo doesn't ask for a password because of the following rule in /etc/sudoers.d/90-cloud-init-users:

    ubuntu ALL=(ALL) NOPASSWD:ALL

This is fine for one user. But what happens if a server has 3-4 users, all of whom need sudo access, and all of whom are using keys to log in rather than a password? You want to make sure that one user can't do

    sudo su - <someone else's username>
    sudo <command>

Is the encouraged practice to not allow password authentication when connecting with sshd but to give all the users a password that is used for sudo authentication? Or to use pam_ssh_agent_auth to allow sudo to authenticate with another set of private/public keys that have a passphrase? Or is there something else that should be done?
Tags: sudo, key-authentication






      asked 18 mins ago









      modernNeo
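As an added example that is not part of the question or of cloud-init's own files: a POSIX shell audit that scans a sudoers.d-style directory for rules granting passwordless, unrestricted sudo, the pattern the 90-cloud-init-users fragment installs. The sample fragments, rules and names (alice, bob, %admin) are constructed for the demo; the directory is a parameter so the same function can be pointed at /etc/sudoers.d on a real host.

```shell
#!/bin/sh
# Audit a sudoers.d-style directory for rules that grant passwordless,
# unrestricted sudo (NOPASSWD with a command list of ALL). This is an
# added example, not part of the original question or of cloud-init.
set -eu

# Build a constructed stand-in for /etc/sudoers.d in a temp dir. The user
# and group names (alice, bob, %admin) and the rules are made up for this demo.
make_sample_sudoers() {
    dir=$(mktemp -d)
    cat >"$dir/90-cloud-init-users" <<'EOF'
# constructed copy of the rule the question quotes
ubuntu ALL=(ALL) NOPASSWD:ALL
EOF
    cat >"$dir/50-ops" <<'EOF'
Defaults:alice !requiretty
alice  ALL=(ALL) ALL                                   # password required
bob    ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
%admin ALL=(ALL) NOPASSWD: ALL
EOF
    printf '%s\n' "$dir"
}

# Print the user or group (first field) of every rule whose command list
# is ALL under NOPASSWD. Comments, Defaults lines and alias definitions are
# skipped; whitespace inside the rule is removed so "NOPASSWD:ALL" and
# "NOPASSWD: ALL" are treated alike.
find_nopasswd_all() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        sed -e 's/#.*//' "$f" | awk '
            NF >= 3 && $1 !~ /^(Defaults|User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)/ {
                rest = ""
                for (i = 2; i <= NF; i++) rest = rest $i
                if (rest ~ /NOPASSWD:ALL(,|$)/) print $1
            }'
    done
}

# Stand-alone run: list the offenders in the constructed sample, then clean up.
sample=$(make_sample_sudoers)
find_nopasswd_all "$sample"
rm -rf "$sample"
```

Reading /etc/sudoers.d needs root, and the scan only matches literal NOPASSWD:ALL rules; `sudo -l -U <user>` shows a user's effective privileges once aliases are resolved.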
