best way to setup sudo authentication on servers that dont use password?
With sudo, you can either set it to ask for a password or not ask for a password.
Historically, everything was password-protected, which is the model that I am used to. However, encryption seems to be favoring public/private key authentication more and more nowadays.
This is evident in the fact that when I spin up a server on GCP, AWS or DigitalOcean, I dont get a password, instead I get a key that I use to log in. Now, if I want to do sudo
when I am logged in, it doesn't ask me for a password. This is obviously due to the fact that a password was never given to me, only a key was. And sudo doesnt ask for a password cause of the following rule in /etc/sudoers.d/90-cloud-init-users
ubuntu ALL=(ALL) NOPASSWD:ALL
This is fine for one user. But what happens if a server has 3-4 users, all of whom need sudo access, and all of whom are using keys to log in rather than password. You want to make sure that one user cant do
sudo su - <someone else's username>
sudo <command>
Is the encouraged practice to not allow password authentication when connecting with sshd but to give all the users a password that is used for sudo
authentication? Or to use pam_ssh_agent_auth to allow sudo to authenticate with another set of private/public keys that have a passphrase? Or is there something else that should be done.
sudo key-authentication
New contributor
add a comment |
With sudo, you can either set it to ask for a password or not ask for a password.
Historically, everything was password-protected, which is the model that I am used to. However, encryption seems to be favoring public/private key authentication more and more nowadays.
This is evident in the fact that when I spin up a server on GCP, AWS or DigitalOcean, I dont get a password, instead I get a key that I use to log in. Now, if I want to do sudo
when I am logged in, it doesn't ask me for a password. This is obviously due to the fact that a password was never given to me, only a key was. And sudo doesnt ask for a password cause of the following rule in /etc/sudoers.d/90-cloud-init-users
ubuntu ALL=(ALL) NOPASSWD:ALL
This is fine for one user. But what happens if a server has 3-4 users, all of whom need sudo access, and all of whom are using keys to log in rather than password. You want to make sure that one user cant do
sudo su - <someone else's username>
sudo <command>
Is the encouraged practice to not allow password authentication when connecting with sshd but to give all the users a password that is used for sudo
authentication? Or to use pam_ssh_agent_auth to allow sudo to authenticate with another set of private/public keys that have a passphrase? Or is there something else that should be done.
sudo key-authentication
New contributor
add a comment |
With sudo, you can either set it to ask for a password or not ask for a password.
Historically, everything was password-protected, which is the model that I am used to. However, encryption seems to be favoring public/private key authentication more and more nowadays.
This is evident in the fact that when I spin up a server on GCP, AWS or DigitalOcean, I dont get a password, instead I get a key that I use to log in. Now, if I want to do sudo
when I am logged in, it doesn't ask me for a password. This is obviously due to the fact that a password was never given to me, only a key was. And sudo doesnt ask for a password cause of the following rule in /etc/sudoers.d/90-cloud-init-users
ubuntu ALL=(ALL) NOPASSWD:ALL
This is fine for one user. But what happens if a server has 3-4 users, all of whom need sudo access, and all of whom are using keys to log in rather than password. You want to make sure that one user cant do
sudo su - <someone else's username>
sudo <command>
Is the encouraged practice to not allow password authentication when connecting with sshd but to give all the users a password that is used for sudo
authentication? Or to use pam_ssh_agent_auth to allow sudo to authenticate with another set of private/public keys that have a passphrase? Or is there something else that should be done.
sudo key-authentication
New contributor
With sudo, you can either set it to ask for a password or not ask for a password.
Historically, everything was password-protected, which is the model that I am used to. However, encryption seems to be favoring public/private key authentication more and more nowadays.
This is evident in the fact that when I spin up a server on GCP, AWS or DigitalOcean, I dont get a password, instead I get a key that I use to log in. Now, if I want to do sudo
when I am logged in, it doesn't ask me for a password. This is obviously due to the fact that a password was never given to me, only a key was. And sudo doesnt ask for a password cause of the following rule in /etc/sudoers.d/90-cloud-init-users
ubuntu ALL=(ALL) NOPASSWD:ALL
This is fine for one user. But what happens if a server has 3-4 users, all of whom need sudo access, and all of whom are using keys to log in rather than password. You want to make sure that one user cant do
sudo su - <someone else's username>
sudo <command>
Is the encouraged practice to not allow password authentication when connecting with sshd but to give all the users a password that is used for sudo
authentication? Or to use pam_ssh_agent_auth to allow sudo to authenticate with another set of private/public keys that have a passphrase? Or is there something else that should be done.
sudo key-authentication
sudo key-authentication
New contributor
New contributor
New contributor
asked 18 mins ago
modernNeo
82
82
New contributor
New contributor
add a comment |
add a comment |
active
oldest
votes
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
modernNeo is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f490863%2fbest-way-to-setup-sudo-authentication-on-servers-that-dont-use-password%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
modernNeo is a new contributor. Be nice, and check out our Code of Conduct.
modernNeo is a new contributor. Be nice, and check out our Code of Conduct.
modernNeo is a new contributor. Be nice, and check out our Code of Conduct.
modernNeo is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f490863%2fbest-way-to-setup-sudo-authentication-on-servers-that-dont-use-password%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown