When having multiple simultanious SSH connections, only the first two can `sudo`
Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
When having multiple simultanious SSH connections, only the first two can `sudo`
Hi all,
When there are multiple simultaneous SSH connections open, only the first two can sudo. In the third connection, one gets asked for a password, altough the user doesn't have a password set.
First connection:
Code:
manuel@manuelthinkpad:~$ ssh manuel-nas-wan
Enter passphrase for key '/home/manuel/.ssh/manuel-thinkpad-arbeit.ed25519':
Linux manuel-nas 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Dec 5 13:59:52 2017 from xxx.xxx.xxx.xxx
user@manuel-nas:~$ sudo pwd
/home/user
Second connection:
(Equal to first connection)
Third connection:
Code:
manuel@manuelthinkpad:~$ ssh manuel-nas-wan
Enter passphrase for key '/home/manuel/.ssh/manuel-thinkpad-arbeit.ed25519':
Linux manuel-nas 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Dec 5 14:27:00 2017 from xxx.xxx.xxx.xxx
user@manuel-nas:~$ sudo pwd
[sudo] password for user:
Question
Can anyone tell me the reason, and how to deactivate this behavior? I want to be able to sudo from all of my connections, not just the first two.
Additional information
The server is a headless live-system, that is, it boots from removable media and then runs entirely from RAM. (/ is a tmpfs.) The image file which I'm flashing onto the removable media is created by a selfwritten shell script which is setting up the whole system using debootstrap and chroot commands.
The server is running "OpenSSH_7.4p1 Debian-10+deb9u1, OpenSSL 1.0.2l 25 May 2017".
WHICH password does it ask if you don't have a password set?
also, i didn't even know that's possible, and i think it's a really bad idea security-wise.
do you need to regularly perform sudo commands remotely, from a script?
maybe a better solution woul dbe to add that command to /etc/sudoers so that you can execute it without password. https://wiki.archlinux.org/index.php...xample_entries
Thanks for these hints, I took a quick look into these manpages and was surprised to learn that there is quite more behind this simple command than I expected. Unfortunately I didn't yet find time to chew through them completely.
Quote:
Originally Posted by ondoho
WHICH password does it ask if you don't have a password set?
also, i didn't even know that's possible, and i think it's a really bad idea security-wise.
do you need to regularly perform sudo commands remotely, from a script?
maybe a better solution woul dbe to add that command to /etc/sudoers so that you can execute it without password. https://wiki.archlinux.org/index.php...xample_entries
There is no security implication involved here. Access protection to WAN is achieved by using key-protected SSH. Access protection within LAN not necessary in my use case.
I have enabled sudo debugging by creating a file `/etc/sudo.conf` with following content:
Code:
Debug sudo /var/log/sudo_debug all@warn
After running sudo and provoking a "good" case and a "bad" case, I analyzed this file. This is were they start to differ:
Good case, i. e. sudo completes successfully:
Code:
Dec 12 20:54:21 sudo[6860] <- policy_open @ /build/sudo-oI7LKn/sudo-1.8.19p1/src/sudo.c:1292 := 1
Dec 12 20:54:21 sudo[6860] -> policy_check @ /build/sudo-oI7LKn/sudo-1.8.19p1/src/sudo.c:1330
Dec 12 20:54:21 sudo[6860] <- policy_check @ /build/sudo-oI7LKn/sudo-1.8.19p1/src/sudo.c:1340 := 1
Dec 12 20:54:21 sudo[6860] policy plugin returns 1
Bad case, i. e. sudo asks for a non-existent password:
Code:
Dec 12 20:54:43 sudo[6863] <- policy_open @ /build/sudo-oI7LKn/sudo-1.8.19p1/src/sudo.c:1292 := 1
Dec 12 20:54:43 sudo[6863] -> policy_check @ /build/sudo-oI7LKn/sudo-1.8.19p1/src/sudo.c:1330
Dec 12 20:54:43 sudo[6863] -> tgetpass @ /build/sudo-oI7LKn/sudo-1.8.19p1/src/tgetpass.c:93
Dec 12 20:54:43 sudo[6863] -> tty_present @ /build/sudo-oI7LKn/sudo-1.8.19p1/src/tgetpass.c:360
Dec 12 20:54:43 sudo[6863] <- tty_present @ /build/sudo-oI7LKn/sudo-1.8.19p1/src/tgetpass.c:361 := true
Dec 12 20:54:43 sudo[6863] -> sudo_term_noecho_v1 @ /build/sudo-oI7LKn/sudo-1.8.19p1/lib/util/term.c:130
Dec 12 20:54:43 sudo[6863] <- sudo_term_noecho_v1 @ /build/sudo-oI7LKn/sudo-1.8.19p1/lib/util/term.c:141 := true
Dec 12 20:54:43 sudo[6863] -> getln @ /build/sudo-oI7LKn/sudo-1.8.19p1/src/tgetpass.c:303
Dec 12 20:57:13 sudo[6863] <- getln @ /build/sudo-oI7LKn/sudo-1.8.19p1/src/tgetpass.c:346 := (null)
Dec 12 20:57:13 sudo[6863] -> sudo_term_restore_v1 @ /build/sudo-oI7LKn/sudo-1.8.19p1/lib/util/term.c:112
Dec 12 20:57:13 sudo[6863] <- sudo_term_restore_v1 @ /build/sudo-oI7LKn/sudo-1.8.19p1/lib/util/term.c:120 := true
Dec 12 20:57:13 sudo[6863] <- tgetpass @ /build/sudo-oI7LKn/sudo-1.8.19p1/src/tgetpass.c:231 := (null)
Dec 12 20:57:13 sudo[6863] <- policy_check @ /build/sudo-oI7LKn/sudo-1.8.19p1/src/sudo.c:1340 := 0
Dec 12 20:57:13 sudo[6863] policy plugin returns 0
This is the source code of policy_check(), located at `sudo.c` at around line 1330:
Code:
static int
policy_check(struct plugin_container *plugin, int argc, char * const argv[],
char *env_add[], char **command_info[], char **argv_out[],
char **user_env_out[])
{
int ret;
debug_decl(policy_check, SUDO_DEBUG_PCOMM)
if (plugin->u.policy->check_policy == NULL) {
sudo_fatalx(U_("policy plugin %s is missing the `check_policy' method"),
plugin->name);
}
sudo_debug_set_active_instance(plugin->debug_instance);
ret = plugin->u.policy->check_policy(argc, argv, env_add, command_info,
argv_out, user_env_out);
sudo_debug_set_active_instance(sudo_debug_instance);
debug_return_int(ret);
}
I think my attempt of finding the root cause is too low-level. I'm afraid to become acquainted with the code base requires more time from me than I can spare right now.
something must have gone wrong in the very beginning of all this, that's my guess.
instead of setting a blank password (and i still question whether that is even possible) you should use /etc/sudoers to allow certain commands to run with elevated privileges, but without password check.
instead of setting a blank password (and i still question whether that is even possible) you should use /etc/sudoers to allow certain commands to run with elevated privileges, but without password check.
Again, blank passwords are a standard feature.
What makes you think my use case allows to restrict the set of sudo-able commands in any way?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.