SOLVED! Question: sudoers file syntax and function
I need to have a sudoers file entry that allows any userid, coming from anywhere, to execute a single command as root, without requiring a password, with or without a command line parameter.
Here is what I have, but I am still being prompted for a password:

ALL ALL=NOPASSWD: /usr/local/sbin/banssh

I need to be able to execute "banssh" either as simply "banssh" or as "banssh 198.162.0.1" (not for that specific IP address every time; the actual IP address varies, this is just an example).

Not that I think it matters, but "banssh" is a script I wrote, and have been using for many, many years, that dynamically adds IP addresses to the hosts.allow file (using a syntax that bans the IP). If someone unsuccessfully tries to log in three times, their IP address gets banned (via an entry like "ALL : 192.168.0.1 : DENY" in hosts.allow). This all works fine, except incoming ssh connections are asked for their password to run sudo. I don't remember this password request ever happening on other servers where I have installed banssh, but it is happening on this one older Ubuntu server I am working on now (I think this Ubuntu server is running Intrepid Ibex, but possibly it's Hardy Heron).

Here is how banssh is called in my application:

1st, from /etc/hosts.allow like this:

sshd : ALL : spawn (/usr/local/sbin/banssh %a)&

2nd, from /etc/ssh/sshrc like this:

sudo /usr/local/sbin/banssh

Why am I being prompted for a password to do the sudo? Thanks!
Quote:
Code:
ALL=(ALL) NOPASSWD: /usr/local/sbin/banssh
SOLVED!
Stupid me. It was an order-dependent thing in the sudoers file. The problem was that there were multiple matches in the sudoers file for the userid I was using, and sudo will always use the LAST match (not the MOST SPECIFIC match, but the LAST match - big difference there). And since I am in the "admin" group, the rule for %admin was overriding the specific rule for banssh.

What I had was this:
Code:
root ALL=(ALL) ALL
Code:
root ALL=(ALL) ALL
Thanks for your help TB0ne, I appreciate your reply!
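The last-match behaviour described in the post above, as an added example (not code from the thread): a simplified Python model of sudoers rule evaluation run over two constructed sudoers fragments. The `%admin` line, the user names `alice` and `bob`, and the restriction to one-line user specifications are assumptions.

```python
# Constructed samples, not the poster's real file. BROKEN puts the NOPASSWD
# rule before the %admin rule; FIXED moves it to the end of the file.
BROKEN = """\
root    ALL=(ALL) ALL
ALL     ALL=(ALL) NOPASSWD: /usr/local/sbin/banssh
%admin  ALL=(ALL) ALL
"""
FIXED = """\
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
ALL     ALL=(ALL) NOPASSWD: /usr/local/sbin/banssh
"""

def parse(text):
    """Yield (who, nopasswd, commands) for simple one-line user specs."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # simplified comment handling
        if not line or line.startswith("Defaults"):
            continue
        who, rest = line.split(None, 1)
        spec = rest.split("=", 1)[1].strip()   # drop the host list
        if spec.startswith("("):               # drop the (runas) list
            spec = spec.split(")", 1)[1].strip()
        nopasswd = spec.startswith("NOPASSWD:")
        if nopasswd:
            spec = spec[len("NOPASSWD:"):]
        yield who, nopasswd, [c.strip() for c in spec.split(",")]

def who_matches(who, user, groups):
    return who in ("ALL", user) or (who.startswith("%") and who[1:] in groups)

def needs_password(text, user, groups, command):
    """True/False from the LAST matching rule; None if no rule matches."""
    path = command.split()[0]  # a rule listed without arguments matches any arguments
    result = None
    for who, nopasswd, cmds in parse(text):
        if who_matches(who, user, groups) and ("ALL" in cmds or path in cmds):
            result = not nopasswd              # later matches overwrite earlier ones
    return result

if __name__ == "__main__":
    cmd = "/usr/local/sbin/banssh 198.162.0.1"
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, "admin-group user prompted:",
              needs_password(text, "alice", {"admin"}, cmd))
```

On a real system, `visudo -c` checks the file's syntax and `sudo -l` lists the rules that apply to the invoking user.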
Glad it's working, and thanks for following up!