Why is sudo telling me the password is wrong

Tags: openbsd, password, sudo, useradd, users

I recently installed OpenBSD 4.9 on my computer, so I could learn a little bit about Unix-like operating systems. I added a new user to the system called bruno. Ok. When I use the 'sudo' command, it asks me for a password. So, I enter the password. But it keeps telling me that the password is wrong, even though I'm sure that the password is correct. What am I missing here? I know if I add

 bruno ALL = (ALL) NOPASSWD: ALL

to the /etc/sudoers file it stops asking for the password, and I can execute the sudo command. What should I do here? What's the most correct/secure option? I'm sorry if it's a trivial question. I couldn't find a good explanation for this issue. I'm not only looking for solutions, but for explanations on how this whole user/permission/password thing works.

Best Answer

This is an illustration of the difference between authentication and authorization.

Sudo is primarily a tool for authorization. Its job is to determine whether you are allowed to execute a command with elevated privileges, and if you are, to execute that command. An entry like

bruno ALL = (ALL) ALL

in the sudoers file allows the user bruno to execute any command with any privilege.

In order to apply this rule, Sudo needs to know that the user invoking it is indeed bruno. In principle, it can rely on the system's authentication mechanism: if you can run commands as bruno, it means you've already authenticated as bruno. However, since using Sudo can have major consequences, Sudo requires some extra authentication: you need to type your password again, sometimes. This means that if you've left your console unattended and a passer-by gets to run commands as bruno, they won't be able to use Sudo: they might be able to damage your account, but not the rest of the system.

Another advantage of requesting a password is that it alerts you that something unusual is taking place. For example, an application cannot silently call sudo: it would need to ask you for your password, and an unexpected password prompt would alert you that something bad is taking place.

In practice, asking for a password each and every time you run Sudo would be annoying. Therefore the default behavior is to compromise: ask for a password every few minutes. This way, a passerby or application can cause harm by running sudo only if you've done it within the last few minutes.
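The two sudoers entries discussed above side by side, with the option that controls the "every few minutes" behaviour, as an added illustration that is not part of the original answer (the timeout value and the comments are assumptions for the example; the option name timestamp_timeout is a real sudoers setting):

```sudoers
# Hypothetical /etc/sudoers fragment, added as an example; edit the real file with visudo.

# How long (in minutes) a successful password entry is remembered.
# 5 is an assumed value for this example; 0 would ask for the password every time.
Defaults timestamp_timeout=5

# Authorization rule that still requires authentication: bruno may run any
# command as any user, but must re-enter bruno's own password first.
bruno ALL = (ALL) ALL

# The rule from the question. It removes the extra authentication step,
# so anyone with a shell running as bruno gets full privileges without a prompt.
# bruno ALL = (ALL) NOPASSWD: ALL
```

After saving, `visudo -c` checks the file for syntax errors and `sudo -l` shows which rules apply to the current user.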
