How do you configure sudo to allow specific SSH commands or aliases? This is a common question for SSH users who want to run certain commands as root or another user without entering a password every time. In this article, you will learn how to use the sudoers file and the alias command to achieve this.
Sudo is a command that lets you execute other commands as a different user, usually the superuser or root. This is useful for performing administrative tasks, such as installing software, managing services, or editing configuration files. However, sudo also requires you to enter your password for security reasons, which can be inconvenient or slow if you need to run multiple commands.
Sudo is not only a command but rather a system utility that provides temporary administrative privileges to users mostly system administrators to perform administrative duties without having to add permissions to their individual roles.
The sudoers file is the configuration file that defines who can use sudo and what commands they can run. To edit this file, you need to use the visudo command, which opens the file in a text editor and checks for syntax errors. You can also use the -f option to specify a different file, such as /etc/sudoers.d/custom, which is recommended for custom rules.
You can also edit sudoers file in other editors like vim, nano but visudo is preferred as it checks the file for formatting, syntax or other errors before saving the file.
To allow specific commands or aliases, you need to add a line to the sudoers file that follows this format:
user host = (target) NOPASSWD: command
This means that the user can run the command as the target user on the host without entering a password. For example:
alice localhost = (root) NOPASSWD: /bin/systemctl restart apache2
This allows alice to restart the apache2 service as root on localhost without a password. You can also use aliases to group multiple commands or users. For example:
Cmnd_Alias WEB = /bin/systemctl restart apache2, /bin/systemctl reload nginx
User_Alias WEBMASTERS = alice, bob
WEBMASTERS localhost = (root) NOPASSWD: WEB
This allows alice and bob to run both commands as root on localhost without a password.
To test your configuration, you can use the -l option of sudo to list the commands you can run as a different user. For example:
sudo -l -U alice
This shows what commands alice can run as any user. You can also use the -u option to specify a user. For example:
sudo -l -U alice -u root
This shows what commands alice can run as root. If everything works as expected, you can use sudo to run the commands or aliases you have allowed.
If you encounter any errors or problems with your configuration, there are a few tips to troubleshoot them. Ensure you use visudo to edit the sudoers file and check for syntax errors. Additionally, remember to use the full path of the commands or aliases you want to allow. It is important to separate multiple commands or aliases with commas and no spaces before or after them. Furthermore, make sure you use the correct user and host names, and match them with the ones you use to log in with SSH. Finally, reload or restart the sudo service if you make any changes to the sudoers file or its include files.
To reload the sudo configuration, you can use the following command in a terminal or command prompt: sudo -v This command updates the user's authentication timestamp, effectively reloading the sudo configuration and applying any changes to the sudoers file or other configuration files.