Authenticating Ubuntu Sudo user with public keys.

I have an Ubuntu user that I just added to the sudoers list, but he is prompted for his public key password when he tries to 'sudo su'. This user's public key allows him to access this Ubuntu server without a password, so I am wondering how I configure his sudo access to not prompt for his password?
Joe Murph asked:

arnold commented:
Sudo su is redundant; sudo -i or sudo -s or sudo bash does it better.
Sudo su is similar to a person with a master key to a building going to a management office where they get a key for office 203, then going to office 203 and using that key to open the door.

Having said that. Back to your question.
The passphrase used to authenticate with a public key when connecting is not what the user is prompted for when executing sudo.
Look at /etc/sudoers using visudo. The user, when executing sudo, is prompted for the account's password, not for the ssh key passphrase on the system from which the user connected.

User is logged into SystemA. User runs ssh user@systemB where public key auth is set up. On connection, the user is prompted for the passphrase for the user@systemA key, without which a connection will be denied.
Upon login, running sudo -i or -s or bash works based on sudoers and settings. You could set the user not to require a password for use of sudo, but I would caution, if you go for this for this user, make sure to explicitly set what commands the user can run without prompting, as well as not allowing the user to run any shell (sh, bash, ksh, ssh, csh, tcsh, zsh) and absolutely no editors (vi, emacs, ed; editors include an option to run a shell command). In the same vein, do not allow mail client apps, as they use an editor to create a message, thus allowing the user to launch an elevated shell.
serialband commented:
You need to change /etc/sudoers to add the following line for the username in question. This is not recommended and defeats the security and the whole point of sudo. You can change the ALL and restrict access to certain commands, users that you sudo to, and hosts.
username ALL=(ALL) NOPASSWD: ALL

Sudo su is redundant; sudo -i or sudo -s or sudo bash does it better.
It's taken many years for me to finally see someone else post this. I still see people doing sudo su or sudo su -. That just tells me that people don't ever read the man pages. It's probably been a decade since sudo had these options.

The 2 options do mean different things.
sudo -i is the same as sudo su -
sudo -s is the same as sudo su

Having said all that, ssh to a user and then doing sudo -i to become root is also redundant if you just want to give the user full root access.  Ubuntu never disabled root.  It's a fully functioning account.  They only disabled password access to root and you can enable that as well, by setting a password to root.  You can also just place the user's key into the root account.  Both of these are not recommended by the Ubuntu "security model", but the ssh key method is a little better because you can track the user's key used to log in.

If you need to track the user account that is connecting as root and have been using sudo to find out which user connected before they became root, then you should just change the sshd log level to verbose and it will then log which ssh key was used to connect to the account.

Edit /etc/ssh/sshd_config and add the following:
LogLevel VERBOSE

After restarting sshd, you will see the ssh key fingerprint in the logs when a user connects to an account.

The official man pages and documentation of many of these tools actually contain a lot of information on features that most people don't use.

P.S. If the user is using the same password as his public key passphrase, he's doing it wrong.
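The restricted form serialband mentions (replacing ALL with specific commands) and arnold's warning about passwordless shells and editors, as an added shell example that is not from the thread: it audits sudoers lines for those two pitfalls. The user name deploy, the sample lines, and the extra entries vim and mutt are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit sudoers lines for the two
# pitfalls the answers describe, "NOPASSWD: ALL" and passwordless shells,
# editors or mail clients (any of which can launch a root shell from inside).
# The user name "deploy" and the sample lines are constructed.

# Commands the thread names as unsafe without a password (vim, mutt assumed).
RISKY='sh bash ksh csh tcsh zsh ssh vi vim emacs ed mail mutt'

# audit_sudoers_line LINE: prints "ok" and returns 0 when the line is
# acceptable; otherwise prints the reason and returns 1.
audit_sudoers_line() {
  line=$1
  case "$line" in
    *NOPASSWD:*) ;;
    *) echo ok; return 0 ;;   # a password is still required
  esac
  cmds=${line#*NOPASSWD:}     # the command list after the tag
  old_ifs=$IFS; IFS=,
  set -- $cmds                # one positional parameter per command spec
  IFS=$old_ifs
  for spec in "$@"; do        # the list is expanded once, so $@ may be reused
    set -- $spec              # first word is the command path (or ALL)
    first=${1##*/}            # /usr/bin/vi -> vi
    if [ "$first" = ALL ]; then
      echo "unrestricted: NOPASSWD: ALL"; return 1
    fi
    for r in $RISKY; do
      if [ "$first" = "$r" ]; then
        echo "passwordless $first can spawn a root shell"; return 1
      fi
    done
  done
  echo ok
}

# audit_sudoers_file FILE: audit every non-comment line, then run the real
# syntax check (visudo -c -f FILE) when visudo is installed.
audit_sudoers_file() {
  rc=0
  while IFS= read -r l || [ -n "$l" ]; do
    case "$l" in ''|'#'*) continue ;; esac
    msg=$(audit_sudoers_line "$l") || { rc=1; printf 'RISKY: %s (%s)\n' "$l" "$msg"; }
  done < "$1"
  if command -v visudo >/dev/null 2>&1; then visudo -c -f "$1" || rc=1; fi
  return $rc
}
# Constructed samples: the thread's blanket grant beside a restricted grant.
audit_sudoers_line 'username ALL=(ALL) NOPASSWD: ALL'
audit_sudoers_line 'deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app'
```

Run audit_sudoers_file against a drop-in under /etc/sudoers.d before installing it; a line that still requires a password is reported as ok regardless of what it grants.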
