12/1/2023 0 Comments Centos passwordless sudoIf you still have a problems you can look at the verbose output of the SSH command (e.g. There are a number of discussions online about what the âcorrectâ permissions for the home directory should be ( here for example) but the default values will work for SSH: Iâve also seen the problem that the home directory permissions are not set correctly (which will also cause the passwordless SSH to fail). Sudo chmod 600 /home/USER/.ssh/authorized_keys Your âsshâ folder should have read, write and execute permission for the owner only (700) and the âauthorized_keysâ file should have read and write permissions for the owner only (600): If you still cannot connect using your SSH key there is very likely a permissions problem. To resolve this you must again edit /etc/ssh/sshd_config and set:Ä«y default it is set to âyesâ (this is an interesting difference between CentOS and Ubuntu).Äonât forget to restart the SSH service after making changes otherwise they wonât be updated: Which is probably not what you want if you are trying to turn off password authentication. If there is a problem with the key then this setup will still go ahead and ask for a password when trying to connect via SSH. Setting âPasswordAuthentication noâ in /etc/ssh/sshd_config.Whilst the wiki provides most of the information required to set up passwordless SSH on CentOS, namely: The sed command disables the #includedir directive that would allow any files in subdirectories to override these inline updates.The CentOS wiki page misses out a crucial step in setting up passwordless SSH.And add the following line: aaronkilik ALL (ALL) NOPASSWD: ALL. The sed command does inline updates to the /etc/sudoers file to allow foo and root users passwordless access to the sudo command. To allow a user ( aaronkilik in the example below) to run all commands using sudo without a password, open the sudoers file: sudo visudo.The passwords for both foo and root are deleted.The home directory is set to /home/foo.The user foo is added to the both the foo and sudo group.Sed -i /etc/sudoers -re 's/^#includedir.*/# Removed the #include directive! #"/g' & \Ä®cho "Customized the sudoers file for passwordless access!" & \Ä®cho "foo ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers & \Ä®cho "root ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers & \Ä®cho "foo user:" su foo -c 'whoami & id' & \Ä®cho "root user:" su root -c 'whoami & id' Sed -i /etc/sudoers -re 's/^root.*/root ALL=(ALL:ALL) NOPASSWD: ALL/g' & \ Sed -i /etc/sudoers -re 's/^%sudo.*/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' & \ The sudo command should display all of the IP addresses on the server without prompting you for a password. To verify that it worked, enter the following commands: su - sudo ip a.Where username is your passwordless sudo user name. Useradd -U foo -m -s /bin/bash -p foo -G sudo & passwd -d foo & passwd -d root & \ Below that line, add the following command: username ALL (ALL) NOPASSWD: ALL. This is how I've implemented the non-root, passwordless user in an ephemeral Docker Image for use in a CICD pipeline with the base image of ubuntu:18.04: RUN \ It looks like this: #includedir /etc/sudoers.d This is a sneaky little directive, as it appears to be a commented line upon first glance. Note: As mentioned, you may need to use adm as your admin group name, depending on which version of Ubuntu is being used.Īs I was researching this, I realized that there's a line in the /etc/sudoers file that is not a comment, but a directive that makes any file or folder under the directory /etc/sudoers/* override the contents of /etc/sudoers. You can also add the default AWS ubuntu user to the admin group via this command: sudo usermod ubuntu -g admin (on older versions of ubuntu, you may need to): sudo service sudo restartÄ®dit: You may have to add the admin group as I don't think it exists by default. Then for every user that needs sudo access WITH a password: sudo adduser sudoĪnd for every user that needs sudo access WITH NO password: sudo adduser admin # See sudoers(5) for more information on "#include" directives: # Members of the admin group may gain root privileges # Allow members of group sudo to execute any command # See the man page for details on how to write a sudoers file.Äefaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" # Please consider adding local content in /etc/sudoers.d/ instead of You should now have this: # This file MUST be edited with the 'visudo' command as root. To this line: # Members of the admin group may gain root privilegesĪnd move it under this line: # Allow members of group sudo to execute any command Telling ansible ask for the password has the security advantage that only people who know what is the password can execute code but it can be a bit inconvenient on the long run. I found that the most straight forward thing to do, in order to easily replicate this behavior across multiple servers, was the following: sudo visudoĬhange this line: # Members of the admin group may gain root privileges
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |