Best way to set up sudo authentication on servers that don't use passwords?













With sudo, you can either set it to ask for a password or not ask for a password.



Historically, everything was password-protected, which is the model that I am used to. However, encryption seems to be favoring public/private key authentication more and more nowadays.



This is evident in the fact that when I spin up a server on GCP, AWS or DigitalOcean, I don't get a password; instead I get a key that I use to log in. Now, if I want to do sudo when I am logged in, it doesn't ask me for a password. This is obviously due to the fact that a password was never given to me, only a key was. And sudo doesn't ask for a password because of the following rule in /etc/sudoers.d/90-cloud-init-users:




ubuntu ALL=(ALL) NOPASSWD:ALL




This is fine for one user. But what happens if a server has 3-4 users, all of whom need sudo access, and all of whom are using keys to log in rather than passwords? You want to make sure that one user can't do



sudo su - <someone else's username>  
sudo <command>


Is the encouraged practice to not allow password authentication when connecting with sshd but to give all the users a password that is used for sudo authentication? Or to use pam_ssh_agent_auth to allow sudo to authenticate with another set of private/public keys that have a passphrase? Or is there something else that should be done?










asked 3 hours ago by modernNeo















Password authentication for access to sudo doesn't restrict what commands can be run.

e.g.

myuser ALL=(ALL) NOPASSWD: ALL
youruser ALL=(ALL) ALL

lets both users run exactly the same commands, just you need to enter your password, and I don't.

Instead the idea is to only grant users the privileged commands they need, rather than "ALL" commands. So if user1 only needs to reboot the server you might give them

user1 ALL=(root) NOPASSWD: /usr/sbin/reboot

Now all they can do is reboot the server.

This follows the principle of least privilege; only give people the commands they need.

Further reading: https://www.sweharris.org/post/2018-08-26-minimal-sudo/
















answered 51 mins ago by Stephen Harris
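
A small audit in the spirit of the answer above, added here as an example (it is not part of the original post or of sudo itself): it reads sudoers user specifications and reports the rules that amount to full root, whether or not a password is asked for. The `user2` rule, the `SHELL_LIKE` list and the function name `audit` are assumptions for illustration; aliases, `#uid` user names and line continuations are not handled.

```python
import re

# Constructed sample: the three kinds of rule quoted on this page, plus one
# hypothetical rule (user2) showing an indirect full grant.
SAMPLE = """\
# /etc/sudoers.d/90-cloud-init-users
ubuntu ALL=(ALL) NOPASSWD:ALL
youruser ALL=(ALL) ALL
user1 ALL=(root) NOPASSWD: /usr/sbin/reboot
user2 ALL=(root) /bin/su
"""

# Binaries that hand back an unrestricted shell (assumed, non-exhaustive).
SHELL_LIKE = {"su", "sh", "bash", "dash", "zsh"}

# who host=(runas) commands   -- single-line user specifications only
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+)\s*:\s*")


def audit(text):
    """Return (who, finding) pairs for rules that amount to full root."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and #include lines
        if not line or line.startswith(("Defaults", "@include")):
            continue
        if line.split()[0].endswith("_Alias"):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        nopasswd = False
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            # A tag such as NOPASSWD: prefixes a command and carries over
            # to the commands after it until PASSWD: resets it.
            while (t := TAG.match(cmd)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t[1], nopasswd)
                cmd = cmd[t.end():]
            if not cmd or cmd.startswith("!"):   # negations are not grants
                continue
            auth = "no password" if nopasswd else "password required"
            if cmd == "ALL":
                findings.append((m["who"], f"ALL commands, {auth}"))
            elif cmd.split()[0].rsplit("/", 1)[-1] in SHELL_LIKE:
                findings.append((m["who"], f"shell-equivalent {cmd}, {auth}"))
    return findings


if __name__ == "__main__":
    for who, finding in audit(SAMPLE):
        print(f"{who}: {finding}")
```

The `user1` reboot rule produces no finding, while `ubuntu` and `youruser` are reported identically apart from the password note, which is the answer's point.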
