this post was submitted on 16 Aug 2024
3 points (80.0% liked)


Hello everyone, I am running Debian on my home server and I also have a Raspberry Pi with Raspberry Pi OS.

When I do connect to my raspberry via ssh (with keys, not password) I do not need to enter a password when I do run a command with sudo.

Can someone here guide me on how to replicate that behaviour on Debian 12 stable?

[–] [email protected] 6 points 3 weeks ago (1 children)

In Debian, you will want to modify your /etc/sudoers file to have the NOPASSWD directive.

So where you find something like this in that file:

%sudo ALL=(ALL:ALL) ALL

Make it like this:

%sudo ALL=(ALL:ALL) NOPASSWD:ALL

In this example, powers are given to the sudo %group, yours might just say pi or something else the user fits into.

Also, please note that while this is convenient, it does mean anyone with access to your shell has a quick escalation to root privileges. Some program you run has a shell escape vulnerability and gets a shell without a password, this means they also get root without one too. Unlikely to happen, sure, but I believe one should make informed decisions.

[–] [email protected] 3 points 3 weeks ago (1 children)

Thank you very much!

And thanks for pointing out the security risk. Makes me wonder why this works out of the box on my raspberry. Maybe because I did not set up root user?

[–] [email protected] 3 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

Raspbian is sometimes a compromise between security and usability, because it is designed to go into the hands of new users. It also used to ship with a default “pi/raspberry” login hardcoded and IIRC permitted root password login over ssh. Things experienced users change or turn off, but needs to start friendly for the rest, you know?

By doing this, they can take a step in the right direction by separating the root and login user, without becoming annoying asking for a password frequently as a newbie copies and pastes tutorial commands all week.

And as I said it’s unlikely, even very unlikely, but just not impossible. Everything comes with a risk, I just believe it’s up to you, not me, what risks mean in your environment. Might be you’d like to have the convenience on the home dev server, but rather have as much security as possible on a public facing one.

Or maybe you’d like to get really dialed in and only allow specific commands to be run without a password, so you can be quick and convenient about rebooting but lock down the rest. Up to you, really, that’s the power of Linux.
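Added example, not part of any comment in this thread: a simplified shell audit that separates the blanket `NOPASSWD:ALL` rule shown above from rules scoped to specific commands. The sample input, the user `alice` and the command paths are constructed, and the parser is an assumption-laden sketch that ignores aliases and escaped commas.

```shell
#!/bin/sh
# Classify NOPASSWD rules in sudoers-style text read from stdin.
# Output: KIND<TAB>who<TAB>commands, where KIND is BLANKET or SCOPED.
classify_nopasswd() {
    awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }        # join continuation lines
    { line = buf $0; buf = ""; sub(/^[ \t]+/, "", line) }
    line == "" || substr(line, 1, 1) == "#" { next }   # skip blanks and comments
    line !~ /NOPASSWD[ \t]*:/ { next }                  # only rules carrying the tag
    {
        split(line, f, /[ \t]+/)                        # f[1] = user or %group
        cmds = line
        sub(/^.*NOPASSWD[ \t]*:[ \t]*/, "", cmds)
        # drop any further tags such as SETENV: before the command list
        while (match(cmds, /^[A-Z_]+[ \t]*:[ \t]*/)) cmds = substr(cmds, RLENGTH + 1)
        n = split(cmds, c, /[ \t]*,[ \t]*/)
        kind = "SCOPED"; out = ""
        for (i = 1; i <= n; i++) {
            sub(/[ \t]+$/, "", c[i])
            if (c[i] == "ALL") kind = "BLANKET"         # any command, no password
            out = out (i > 1 ? ", " : "") c[i]
        }
        printf "%s\t%s\t%s\n", kind, f[1], out
    }'
}

# Constructed sample: the two %sudo lines from the thread plus a scoped rule.
sample_sudoers() {
cat <<'EOF'
# constructed sample, not a real system file
Defaults env_reset
%sudo ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) NOPASSWD:ALL
alice ALL=(root) NOPASSWD: /usr/sbin/reboot, \
    /usr/sbin/shutdown
EOF
}

sample_sudoers | classify_nopasswd
```

On a real host, feed it `/etc/sudoers` and the files under `/etc/sudoers.d/` (as root), and check any edit with `visudo -c` before relying on it.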

[–] [email protected] 1 points 3 weeks ago

Oh wow thank you very much! That is so cool there is an option to allow only specific commands :) I will surely dive deeper into this

[–] [email protected] 1 points 3 weeks ago

This is for gentoo but I couldn't find a guide for Debian. https://wiki.gentoo.org/wiki/Pam_ssh_agent_auth

When I was at Yelp we used this and it was awesome. This is the puppet module we used to install it on Ubuntu, so it might be a good reference for Debian. https://github.com/coxley/puppet-libpam-ssh

[–] [email protected] 1 points 3 weeks ago (1 children)

Are you sure you're not logging in as root? Try sshing and run whoami.

[–] [email protected] 1 points 3 weeks ago (1 children)

I did not set up the user root, I gave the normal user superuser-permission during set up

[–] [email protected] 3 points 3 weeks ago* (last edited 3 weeks ago)

Since you mention setup instead of any manual install screwery, I’d say root (uid 0) is still very real, you just didn’t set up any login for it. Every time you sudo (substitute-user-do), you (probably uid 1000) are running that command as root instead of you. In fact, just sudo -i and you are now “logged in” as root.

Edit: Missed the context. Should still be useful info but you probably are not accidentally remoting into an account you never set up the login for.