[SOLVED] Visudo problem

uroh

New Member
Jul 12, 2023
Hi,
I have a privilege problem with a normal user when shutting down Proxmox remotely over ssh.
I type the command from a remote PC:

Code:
ssh -i ./ssh_keys/id_rsa_homeassistant -o StrictHostKeyChecking=no daniele@192.168.2.39 sudo /usr/sbin/shutdown -r now

getting the following error.
Code:
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

OK, then I connect to Proxmox VE remotely:

Code:
ssh -i ./ssh_keys/id_rsa_homeassistant -o StrictHostKeyChecking=no daniele@192.168.2.39

everything seems to work fine.

Code:
Linux pve1 6.2.16-8-pve #1 SMP PREEMPT_DYNAMIC PMX 6.2.16-8 (2023-08-02T12:17Z) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Aug 19 09:56:21 2023 from 192.168.2.51
daniele@pve1:~$

At this point, I type the reboot command:

Code:
sudo /usr/sbin/shutdown -r now

getting the message:

Code:
[sudo] password for daniele:

Why? Ok, let's see the visudo configuration file

Code:
sudo visudo

Code:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# This fixes CVE-2005-4890 and possibly breaks some versions of kdesu
# (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532)
Defaults        use_pty

# This preserves proxy settings from user environments of root
# equivalent users (group sudo)
#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"

# This allows running arbitrary commands, but so does ALL, and it means
# different sudoers have their choice of editor respected.
#Defaults:%sudo env_keep += "EDITOR"

# Completely harmless preservation of a user preference.
#Defaults:%sudo env_keep += "GREP_COLOR"

# While you shouldn't normally run git as root, you need to with etckeeper
#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"

# Per-user preferences; root won't have sensible values for them.
#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"

# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"

# Ditto for GPG agent
#Defaults:%sudo env_keep += "GPG_AGENT_INFO"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL
daniele ALL = NOPASSWD: /usr/sbin/shutdown

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
%admin  ALL = NOPASSWD: /sbin/shutdown
# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d

It all seems correct to me. The user has no password privilege to execute the shutdown command.
Closed without any changes.


I run the command again:

Code:
sudo /usr/sbin/shutdown -r now

Works. Why?

When the server restarts, obviously I have to proceed with the described procedure again.
In other distributions everything works fine.
I need your help!
Because your syntax is wrong. If you want a challenge - read this article and see if you can find the error:
https://medium.com/kernel-space/linux-fundamentals-a-to-z-of-a-sudoers-file-a5da99a30e7f

For the impatient, the correct syntax is:
daniele ALL = (root) NOPASSWD: /usr/sbin/shutdown
or
daniele ALL = (ALL) NOPASSWD: /usr/sbin/shutdown


P.S.
Works. Why?
Because sudo remembers that you've already authenticated in this session. Remember you entered the password to run "visudo"?


Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox
Because your syntax is wrong. If you want a challenge - read this article and see if you can find the error:
https://medium.com/kernel-space/linux-fundamentals-a-to-z-of-a-sudoers-file-a5da99a30e7f

For the impatient, the correct syntax is:
daniele ALL = (root) NOPASSWD: /usr/sbin/shutdown
or
daniele ALL = (ALL) NOPASSWD: /usr/sbin/shutdown
I had already changed the syntax without any progress.
Code:
# User privilege specification
root    ALL=(ALL:ALL) ALL

# allow daniele user to shutdown host without asking for password
daniele ALL=(root) NOPASSWD: /usr/sbin/shutdown

cat /var/log/auth.log

Code:
2023-08-20T08:06:00.138783+02:00 pve1 sshd[12132]: Accepted publickey for daniele from 192.168.2.51 port 49024 ssh2: RSA SHA256:lxT77GS0PiJcWNom3DGr0newHnIS9hKLWqeSfctzx4Q
2023-08-20T08:06:00.175309+02:00 pve1 sshd[12132]: pam_unix(sshd:session): session opened for user daniele(uid=1000) by (uid=0)
2023-08-20T08:06:00.195537+02:00 pve1 systemd-logind[2702]: New session 8 of user daniele.
2023-08-20T08:06:00.207253+02:00 pve1 (systemd): pam_unix(systemd-user:session): session opened for user daniele(uid=1000) by (uid=0)
2023-08-20T08:06:00.461770+02:00 pve1 sshd[12132]: pam_env(sshd:session): deprecated reading of user environment enabled
2023-08-20T08:06:00.513438+02:00 pve1 sudo: pam_unix(sudo:auth): conversation failed
2023-08-20T08:06:00.513933+02:00 pve1 sudo: pam_unix(sudo:auth): auth could not identify password for [daniele]
2023-08-20T08:06:00.515209+02:00 pve1 sshd[12157]: Received disconnect from 192.168.2.51 port 49024:11: disconnected by user
2023-08-20T08:06:00.515374+02:00 pve1 sshd[12157]: Disconnected from user daniele 192.168.2.51 port 49024
2023-08-20T08:06:00.516115+02:00 pve1 sshd[12132]: pam_unix(sshd:session): session closed for user daniele
2023-08-20T08:06:00.517776+02:00 pve1 systemd-logind[2702]: Session 8 logged out. Waiting for processes to exit.

P.S.

Because sudo remembers that you've already authenticated in this session. Remember you entered the password to run "visudo"?
You're right, fatigue clouded my mind.


Any other suggestions to find the cause of the problem?
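
Added example, not part of the original thread: sudoers(5) applies the last matching entry rather than the most specific one, so the order of the lines in the posted file matters when a user also matches a group entry. The sketch below is a simplified model of that rule (not sudo's own parser) run over the user-specification lines from the first post; that daniele is a member of group sudo is an assumption, and deciding_entry is a hypothetical helper name.

```python
import re

# Constructed sample: the user-specification lines, in the order they appear
# in the sudoers file posted in the thread.
SUDOERS = """\
root    ALL=(ALL:ALL) ALL
daniele ALL = NOPASSWD: /usr/sbin/shutdown
%sudo   ALL=(ALL:ALL) ALL
%admin  ALL = NOPASSWD: /sbin/shutdown
"""

# who  host = [(runas)] [TAG:] command[, command...]
ENTRY = re.compile(
    r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(?:(NOPASSWD|PASSWD):\s*)?(.+)$"
)

def deciding_entry(sudoers, user, groups, command):
    """Return (line_number, needs_password) for the entry that decides, or None.

    Simplified model: host and runas are ignored, commands are ALL or exact
    paths, and aliases, negation and Defaults are not handled.
    """
    decision = None
    for number, line in enumerate(sudoers.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith(("#", "@", "Defaults")):
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        who, _host, _runas, tag, commands = m.groups()
        applies = (who == user or who == "ALL"
                   or (who.startswith("%") and who[1:] in groups))
        allowed = [c.strip().split()[0] for c in commands.split(",")]
        if applies and ("ALL" in allowed or command in allowed):
            # No break here: a later matching entry overrides an earlier one.
            decision = (number, tag != "NOPASSWD")
    return decision

if __name__ == "__main__":
    # Assumption: daniele is in group sudo, so line 3 is the last match.
    print(deciding_entry(SUDOERS, "daniele", {"sudo"}, "/usr/sbin/shutdown"))
    # Same file, user not in any listed group: line 2 decides.
    print(deciding_entry(SUDOERS, "daniele", set(), "/usr/sbin/shutdown"))
```

On the host, `id daniele` shows whether the group membership assumed here holds, and `sudo -l -U daniele` run as root lists the entries that apply to the user.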