Authenticating Ubuntu Sudo user with public keys.

Joe Murph
I have an Ubuntu user that I just added to the sudoers list, but he is prompted for his public key password when he tries to 'sudo su'. This user's public key allows him to access this Ubuntu server without a password, so I am wondering how do I configure his sudo access to not prompt for his password?

Sudo su is redundant; sudo -i or sudo -s or sudo bash does it better.
Sudo su is similar to a person with a master key to a building going to a management office where they get a key for office 203, then going to office 203 and using the key to open the door.

Having said that, back to your question.
The passphrase used to authenticate with a public key when connecting is not what the user is prompted for when executing sudo.
Look at /etc/sudoers using visudo: the user, when executing sudo, is prompted for the account's password, not for the ssh key passphrase on the system from which the user connected.

The user is logged into SystemA. The user runs ssh user@systemB, where public key auth is set up. On connection, the user is prompted for the passphrase for the user@systemA key, without which the connection will be denied.
Upon login, running sudo -i or -s or bash, based on sudoers and settings. You could set the user not to require a password for use of sudo, but I would caution: if you do this for this user, make sure to explicitly set what commands the user can run without prompting, and do not allow the user to run any shell (sh, bash, ksh, ssh, csh, tcsh, zsh) and absolutely no editors (vi, emacs, ed; editors include an option to run a shell command). In the same vein, do not allow mail client apps, as they use an editor to create a message, thus allowing the user to launch an elevated shell.
You need to change /etc/sudoers to add the following line for the username in question. This is not recommended and defeats the security and the whole point of sudo. You can change the ALL and restrict access to certain commands, users that you sudo to, and hosts.
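Added example, not part of the answer above: the two shapes a password-free sudo rule usually takes, side by side, plus a small lint that flags the dangerous one. The user name "deploy", the alias DEPLOY_CMDS and the commands in it are assumptions made up for the example; the fragments are plain strings and are never written to /etc/sudoers.

```shell
#!/bin/sh
# Added example (not from the answer): two sudoers fragments for a
# hypothetical user "deploy" and a lint that flags the risky one.
# Both fragments are constructed text; nothing here touches /etc/sudoers.

# Fragment A: what "no password prompt" usually ends up as. ALL means every
# command, including shells and editors, runs as root without a password.
SUDOERS_WEAK='deploy ALL=(ALL) NOPASSWD: ALL'

# Fragment B: the restricted form the answer recommends. Only the listed
# commands run without a password; anything else still prompts.
SUDOERS_RESTRICTED='Cmnd_Alias DEPLOY_CMDS = /usr/bin/systemctl restart myapp, /usr/bin/journalctl -u myapp
deploy ALL=(root) NOPASSWD: DEPLOY_CMDS'

# lint_sudoers TEXT: return 1 if any NOPASSWD rule grants ALL, a shell, or
# an editor (the cases the answer says must never be password-free),
# otherwise return 0.
lint_sudoers() {
  printf '%s\n' "$1" | grep -E 'NOPASSWD' | grep -Eq \
    '(NOPASSWD:[[:space:]]*ALL|/(sh|bash|ksh|csh|tcsh|zsh|vi|vim|emacs|ed|ssh)([[:space:]]|,|$))' \
    && return 1
  return 0
}

# Stand-alone run: report on both fragments.
for name in SUDOERS_WEAK SUDOERS_RESTRICTED; do
  eval "text=\$$name"
  if lint_sudoers "$text"; then
    echo "$name: ok"
  else
    echo "$name: NOPASSWD grants ALL, a shell or an editor"
  fi
done
```

A fragment like the restricted one belongs in its own file under /etc/sudoers.d/ and should be syntax-checked with `visudo -c -f <file>` before it is installed; the lint here is only a second opinion on policy, not a replacement for visudo.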

Sudo su is redundant; sudo -i or sudo -s or sudo bash does it better.
It's taken many years for me to finally see someone else post this. I still see people doing sudo su or sudo su -. That just tells me that people don't ever read the man pages. It's probably been a decade since sudo had these options.

The 2 options do mean different things.
sudo -i is the same as sudo su -
sudo -s is the same as sudo su

Having said all that, ssh-ing in as a user and then doing sudo -i to become root is also redundant if you just want to give the user full root access. Ubuntu never disabled root. It's a fully functioning account. They only disabled password access to root, and you can enable that as well by setting a password for root. You can also just place the user's key into the root account. Neither of these is recommended by the Ubuntu "security model", but the ssh key method is a little better because you can track the user's key used to log in.

If you need to track the user account that is connecting as root, and have been using sudo to find out which user connected before they became root, then you should just change the sshd log level to verbose and it will then log which ssh key was used to connect to the account.

Edit /etc/ssh/sshd_config and add the following:

After restarting sshd, you will see the ssh key fingerprint in the logs when a user connects to an account.

The official man pages and documentation of many of these tools actually contain a lot of information on features that most people don't use.

P.S.  If the user is using the same password as his public key passphrase, he's doing it wrong.
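Added example, not part of the answer above: once sshd logs the key fingerprint for each login, the next step is turning "root logged in with key X" back into a person. The log lines below are constructed to follow the "Accepted publickey for ... ssh2: <type> SHA256:..." shape that sshd emits; the host name, addresses and fingerprints are placeholders, and the fingerprint-to-owner table stands in for whatever key inventory an organisation actually keeps.

```shell
#!/bin/sh
# Added example (not from the answer): map "Accepted publickey" lines from
# sshd's log to the fingerprint each login used, then to the key's owner.
# The log lines are constructed for this example; fingerprints are placeholders.

SAMPLE_AUTH_LOG='Mar  3 10:01:12 systemB sshd[2231]: Accepted publickey for root from 192.0.2.10 port 50122 ssh2: RSA SHA256:AAAAexampleFingerprintForAlice0000000000000
Mar  3 10:07:45 systemB sshd[2290]: Accepted publickey for root from 192.0.2.11 port 50310 ssh2: ED25519 SHA256:BBBBexampleFingerprintForBob000000000000000
Mar  3 10:09:02 systemB sshd[2301]: Accepted password for deploy from 192.0.2.12 port 50400 ssh2'

# key_logins ACCOUNT: print "fingerprint source-ip" for every public-key
# login to ACCOUNT, oldest first. Password logins carry no fingerprint
# and are skipped, which is exactly why they are harder to attribute.
key_logins() {
  printf '%s\n' "$SAMPLE_AUTH_LOG" \
    | awk -v acct="$1" '
        /Accepted publickey for/ && $9 == acct {
          # fields: ... "for" acct "from" ip "port" N "ssh2:" type fingerprint
          print $NF, $11
        }'
}

# fingerprint_owner FINGERPRINT: constructed inventory of who holds which
# key. In practice this comes from ssh-keygen -lf over each user's
# authorized_keys file or from a key-management system.
fingerprint_owner() {
  case "$1" in
    SHA256:AAAAexampleFingerprintForAlice0000000000000) echo alice ;;
    SHA256:BBBBexampleFingerprintForBob000000000000000) echo bob ;;
    *) echo unknown ;;
  esac
}

# who_became_root: one line per root login, "ip fingerprint owner".
who_became_root() {
  key_logins root | while read -r fp ip; do
    echo "$ip $fp $(fingerprint_owner "$fp")"
  done
}

# Stand-alone run: attribute every key-based root login.
who_became_root
```

Any line that comes out as "unknown" is a key that is authorised for root but not in the inventory, which is the first thing to chase down; on a live host the same awk runs over /var/log/auth.log (or the journal) instead of the embedded sample.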
