LinuxQuestions.org

Linux - Software: SOLVED! Question: sudoers file syntax and function (https://www.linuxquestions.org/questions/linux-software-2/solved-question-sudoers-file-syntax-and-function-4175441690/)

haertig 12-16-2012 01:20 PM

SOLVED! Question: sudoers file syntax and function
 
I need to have a sudoers file entry that allows any userid, coming from anywhere, to execute a single command as root, without requiring a password, with or without a command line parameter.

Here is what I have, but I am still being prompted for a password:

ALL ALL=NOPASSWD: /usr/local/sbin/banssh

I need to be able to execute "banssh" either as simply "banssh" or as "banssh 198.162.0.1" (not for that specific IP address every time; the actual IP address varies, this is just an example).

Not that I think it matters, but "banssh" is a script I wrote, and have been using for many, many years, that dynamically adds IP addresses to the hosts.allow file (using a syntax that bans the IP). If someone unsuccessfully tries to log in three times, their IP address gets banned (via an entry like "ALL : 192.168.0.1 : DENY" in hosts.allow). This all works fine, except incoming ssh connections are asked for their password to run sudo. I don't remember this password request ever happening on other servers where I have installed banssh, but it is happening on this one older Ubuntu server I am working on now (I think this Ubuntu server is running Intrepid Ibex, but possibly it's Hardy Heron).

Here is how banssh is called in my application:

1st, from /etc/hosts.allow like this:
sshd : ALL : spawn (/usr/local/sbin/banssh %a)&

2nd, from /etc/ssh/sshrc like this:
sudo /usr/local/sbin/banssh

Why am I being prompted for a password to do the sudo?

Thanks!

TB0ne 12-17-2012 08:53 AM

Quote:

Originally Posted by haertig (Post 4850506)
I need to have a sudoers file entry that allows any userid, coming from anywhere, to execute a single command as root, without requiring a password, with or without a command line parameter. Here is what I have, but I am still being prompted for a password:

ALL ALL=NOPASSWD: /usr/local/sbin/banssh

I need to be able to execute "banssh" either as simply "banssh" or as "banssh 198.162.0.1" (not for that specific IP address every time; the actual IP address varies, this is just an example).

Not that I think it matters, but "banssh" is a script I wrote, and have been using for many, many years, that dynamically adds IP addresses to the hosts.allow file (using a syntax that bans the IP). If someone unsuccessfully tries to log in three times, their IP address gets banned (via an entry like "ALL : 192.168.0.1 : DENY" in hosts.allow). This all works fine, except incoming ssh connections are asked for their password to run sudo. I don't remember this password request ever happening on other servers where I have installed banssh, but it is happening on this one older Ubuntu server I am working on now (I think this Ubuntu server is running Intrepid Ibex, but possibly it's Hardy Heron).

Here is how banssh is called in my application:

1st, from /etc/hosts.allow like this:
sshd : ALL : spawn (/usr/local/sbin/banssh %a)&

2nd, from /etc/ssh/sshrc like this:
sudo /usr/local/sbin/banssh

Why am I being prompted for a password to do the sudo?

Thanks!

If that's the exact line you're using, I don't think the syntax is right. Try:
Code:

# user  host=(runas) tag: command  (the leading user field is required)
ALL     ALL=(ALL) NOPASSWD: /usr/local/sbin/banssh

haertig 12-17-2012 11:05 AM

SOLVED!

Stupid me. It was an order-dependent thing in the sudoers file. The problem was that there were multiple matches in the sudoers file for the userid I was using, and sudo will always use the LAST match (not the MOST SPECIFIC match, but the LAST match - big difference there). And since I am in the "admin" group, the rule for %admin was overriding the specific rule for banssh.

What I had was this:

Code:

root    ALL=(ALL) ALL
ALL     ALL=NOPASSWD: /usr/local/sbin/banssh
%admin  ALL=(ALL) ALL

What I needed was this:

Code:

root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
ALL     ALL=NOPASSWD: /usr/local/sbin/banssh

I did not see that %admin line in the sudoers file initially because it was at the bottom of the file below a bunch of comment lines (I removed those comment lines for clarity in the cut-n-paste above).
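A small Python model of the last-match rule described in the post above, added here as an example (it is not code from the thread or from sudo itself). It parses the two sudoers orderings from the post and reports whether a member of the admin group gets the NOPASSWD tag for banssh. It handles only the simple one-line entry form shown in the post; the user name "bob", the group set and the argv values are constructed.

```python
import re

# Constructed copies of the two orderings from the post above.
SUDOERS_BEFORE = """
root    ALL=(ALL) ALL
ALL     ALL=NOPASSWD: /usr/local/sbin/banssh
%admin  ALL=(ALL) ALL
"""
SUDOERS_AFTER = """
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
ALL     ALL=NOPASSWD: /usr/local/sbin/banssh
"""

# user  host=(runas) TAG: cmd[, cmd...]   (runas and TAG are optional)
RULE = re.compile(r"^(\S+)\s+(\S+)=(?:\((\S+)\))?\s*(NOPASSWD:|PASSWD:)?\s*(.+)$")

def parse(text):
    """Parse simple sudoers user specs into (who, host, runas, nopasswd, cmds)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        who, host, runas, tag, cmds = m.groups()
        rules.append((who, host, runas or "root", tag == "NOPASSWD:",
                      [c.strip() for c in cmds.split(",")]))
    return rules

def spec_matches(who, user, groups):
    return who == "ALL" or who == user or (who.startswith("%") and who[1:] in groups)

def cmd_matches(pattern, argv):
    # A bare command path in sudoers matches that command with any arguments.
    return pattern == "ALL" or pattern == argv[0]

def needs_password(text, user, groups, argv):
    """Return (allowed, password_required); the LAST matching entry wins."""
    decision = None
    for who, host, runas, nopasswd, cmds in parse(text):
        if spec_matches(who, user, groups) and any(cmd_matches(c, argv) for c in cmds):
            decision = (True, not nopasswd)   # a later match overrides an earlier one
    return decision or (False, True)
```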

haertig 12-17-2012 11:11 AM

Thanks for your help TB0ne, I appreciate your reply!

TB0ne 12-17-2012 03:50 PM

Glad it's working, and thanks for following up!
