Sudo on Fedora 15

Sudo allows users to run commands as root while logging the command and its arguments.

In short, sudo first authenticates a user using their own password, then checks /etc/sudoers to see what sudo permissions (if any) the user has, then executes and logs the command if the user is allowed.

This is the preferred way to run commands as root for a few reasons:

  1. You do not need to give out the root password to users.
  2. You can limit which commands a user can run as root.
  3. All sudo commands are logged.

To use sudo on Fedora 15, first make sure the package is installed:

bash$ rpm -q sudo
sudo-1.7.4p5-4.fc15.x86_64

If it is not installed, su to root and install the package.

bash$ su -
root# yum install sudo

Next, edit the sudo configuration file by using the visudo command. Visudo locks the /etc/sudoers file against simultaneous edits, provides sanity checks, and checks for configuration errors. Avoid directly editing the /etc/sudoers file.

root# visudo

You will see that there are a variety of options, but let's look at this line, which is enabled on Fedora 15 by default:

%wheel	ALL=(ALL)	ALL

This means that all users in the wheel group can run all commands as root on all systems that this sudoers file lives on. The sudoers file is designed so that you can have a single configuration live on various hosts and allow or disallow users by hostname.

Since this line is enabled in sudoers, quit visudo by exiting the editor and check what groups your username belongs to. In this example, my username is victor.

root# groups victor
victor : victor

In order to give the user full access to root using sudo, add the user to the wheel group.

root# usermod -a -G wheel victor
root# groups victor
victor : victor wheel

Next, log out of the root shell.

root# logout

Now, as your user, you can use sudo to run commands as root. The first time you run sudo, some warnings and advice will be printed to the screen.

bash$ sudo /usr/bin/test

Type in your own password (not the root password), and /usr/bin/test will run as root. With the default configuration, sudo will not prompt the user for their password again until 5 minutes have passed since their last sudo command.

By default on Fedora 15, sudo logs every invocation to /var/log/secure, as configured in /etc/sudoers and /etc/rsyslog.conf. Normally you need root permissions to read /var/log/secure, but now that you have sudo access you can read the file. Read the sudo entries with something like this:

bash$ sudo grep sudo /var/log/secure
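As an added example (not part of the original post), the shell functions below turn the raw sudo entries that the grep above returns into one line per invocation, flagging failed password attempts and users who are not in sudoers. The sample log lines are constructed for this example; the hostname fedora15, the user alice and the timestamps are made up.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines as sudo and sshd write them.
SAMPLE_LOG='Jun 10 09:12:01 fedora15 sudo:   victor : TTY=pts/0 ; PWD=/home/victor ; USER=root ; COMMAND=/usr/bin/test
Jun 10 09:13:44 fedora15 sshd[1203]: Accepted publickey for victor from 192.0.2.10 port 51022 ssh2
Jun 10 09:15:07 fedora15 sudo:   victor : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/victor ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jun 10 09:16:30 fedora15 sudo:    alice : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/reboot
Jun 10 09:18:02 fedora15 sudo:   victor : TTY=pts/0 ; PWD=/home/victor ; USER=root ; COMMAND=/usr/bin/grep sudo /var/log/secure'

# Read sudo log lines on stdin and print "STATUS user command" per entry.
# sudo separates its fields with " ; "; the first field holds the user and
# either "TTY=..." (success) or the reason the command was refused.
sudo_summary() {
  awk -F' ; ' '
    /sudo: / {
      head = $1
      sub(/^.*sudo: +/, "", head)        # "victor : TTY=pts/0"
      split(head, h, " : ")
      user = h[1]
      status = "OK"
      if ($0 ~ /incorrect password attempts/) status = "BADPASS"
      else if ($0 ~ /NOT in sudoers/) status = "DENIED"
      cmd = $NF                          # last field is COMMAND=...
      sub(/^COMMAND=/, "", cmd)
      print status, user, cmd
    }'
}

# Only the entries an administrator should look at: refused or bad password.
sudo_failures() {
  sudo_summary | grep -v '^OK '
}

# Typical use on a live system:  sudo grep sudo /var/log/secure | sudo_failures
demo() {
  printf '%s\n' "$SAMPLE_LOG" | sudo_summary
}
```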

Finally, see /etc/sudoers and the SUDOERS(5) man page for syntax on how to configure access rights for users based on group, command and hostname.

bash$ less /etc/sudoers
bash$ man sudoers

Passwordless SSH

Passwordless SSH can be accomplished using SSH’s public key authentication. To configure passwordless SSH, follow the directions below. Warning: passwordless SSH will make your systems less secure. If you are comfortable with that, the directions below will walk you through server and client configurations. Then, I’ll show you how to debug SSH if you encounter problems.

SSHD Server Configuration

First, make sure the SSHD server allows public key authentication. If you do not have root access to the server, do not worry: public key authentication over protocol 2 is enabled by default, so you can skip this step. If you have any problems, contact your system administrator.

If you have root privileges, edit your system's /etc/ssh/sshd_config and apply the following settings. I suggest you disable protocol 1 RSA key-based authentication and leave all other settings alone for now. Visit the man page SSHD_CONFIG(5) for details.

# Disable protocol 1 RSA key based authentication
RSAAuthentication no
# Protocol 2 public key based authentication
PubkeyAuthentication yes
# Authorized public keys file
AuthorizedKeysFile .ssh/authorized_keys

If you make any changes, save them and restart your SSH server.

service sshd restart

SSH Client Configuration

Now that the server is configured, log into your client system and examine /etc/ssh/ssh_config. This is the SSH client configuration file and you do not need to edit it.

less /etc/ssh/ssh_config

By default, public key authentication over protocol 2 is enabled for clients. You only need to make sure that it is not disabled. If it is, create an ~/.ssh/config to override the /etc/ssh/ssh_config options.

cp -a /etc/ssh/ssh_config ~/.ssh/config

Then edit it and add this to the “Host *” block:

PubkeyAuthentication yes

Create Client Key

With the client in order, you need to create a public and private key pair. The following command will build an RSA key pair. Press Enter at every prompt to accept the defaults. This will create the key pair in ~/.ssh/: the private key is called id_rsa and the public key is id_rsa.pub.

ssh-keygen -t rsa

Use Key for Authentication

Now that you have a public and private key pair, put the public key on the server you wish to log into without a password. You will need to put the public key inside the server’s /home/user/.ssh/authorized_keys file. This file can contain multiple keys, so you generally do not want to just copy over it. Note that the authorized_keys2 file was deprecated in OpenSSH 3.0 (2001).

cat ~/.ssh/id_rsa.pub | ssh user@server "cat - >> ~/.ssh/authorized_keys"

Alternatively, modern releases of OpenSSH include ssh-copy-id, a command that copies the public key into place for you.

ssh-copy-id -i ~/.ssh/id_rsa.pub user@server
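As an added example (not part of the original post or of OpenSSH), this shell function does on the server side what the two commands above do: it appends a public key to authorized_keys without overwriting the keys already there and without adding the same key twice. The key line used in the comments is constructed; the function takes any .pub file and target path you give it.

```shell
#!/bin/sh
# Append a public key to an authorized_keys file, keeping existing keys and
# skipping the key if it is already present.
# Usage: add_authorized_key ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
add_authorized_key() {
  pub=$1
  auth=$2
  dir=$(dirname "$auth")
  # sshd (StrictModes yes, the default) ignores authorized_keys when the
  # directory or file is writable by others, so create them with tight modes.
  mkdir -p "$dir" && chmod 700 "$dir"
  touch "$auth" && chmod 600 "$auth"
  # Compare only the key type and base64 blob (fields 1 and 2); the trailing
  # comment such as "victor@client" may differ between copies of one key.
  keyid=$(awk '{print $1, $2}' "$pub")
  if awk '{print $1, $2}' "$auth" | grep -qxF "$keyid"; then
    return 1    # already authorized, nothing to do
  fi
  cat "$pub" >> "$auth"
}
```

Returning 1 when the key is already present lets a script tell "added" from "was already there" without parsing output.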

Test and Debug SSH

Now, test.

ssh username@server date

If you get prompted for a password, check the server’s system logs for clues. You can also enable debugging in /etc/ssh/sshd_config with the following directive.

LogLevel DEBUG

Other values are INFO, VERBOSE, DEBUG2 and DEBUG3. See the man page SSHD_CONFIG(5) for details. For the client, the same option can be placed inside a Host block of /etc/ssh/ssh_config (or of ~/.ssh/config). See SSH_CONFIG(5) for client debugging details.

man 5 sshd_config
man 5 ssh_config