- How to setup passwordless `sudo` on Linux?
- 8 Answers 8
- How to Enable No Password Login in Ubuntu, Fedora, Manjaro & Linux Mint
- Requirements:
- Enable no password login for specific user:
- Password-less login for a group of users:
- Summary:
- How to run sudo command with no password?
- 6 Answers 6
- Creating a user without a password
- 7 Answers 7
How to setup passwordless `sudo` on Linux?
How can passwordless sudo access be setup on either RHEL (Fedora, CentOS, etc) or Ubuntu distributions? (If it’s the same across distros, that’s even better!) Setting: personal and/or lab/training equipment with no concern for unauthorized access (ie, the devices are on non-public networks, and any/all users are fully trusted, and the contents of the devices are «plain-vanilla»).
The answer from @Richipal is actullay the one working best with the least effort: it seems sudoers rules apply in reverse order.
@a1an rules are applied in the same order as listed in the sudoers file, and as they are applied they kind of override each other. Hence if I do not want a rule to change at all I would put it towards the end of file so that it is applied at the last and cannot be overridden.
8 Answers 8
EDIT thanks to medina’s comment: According to the man page, you should be able to write
ALL ALL = (ALL) NOPASSWD: ALL
to allow all users to run all commands without a password.
For reference, I’m leaving my previous answer:
If you add a line of the form
%wheel ALL = (ALL) NOPASSWD: ALL
to /etc/sudoers (using the visudo command, of course), it will let everyone in the group wheel run any commands without providing a password. So I think the best solution is to put all your users in some group and put a line like that in sudoers — obviously you should replace wheel with the actual group you use.
Alternatively, you can define a user alias,
User_Alias EVERYONE = user1, user2, user3, .
EVERYONE ALL = (ALL) NOPASSWD: ALL
although you would have to update /etc/sudoers every time you add or remove a user.
How to Enable No Password Login in Ubuntu, Fedora, Manjaro & Linux Mint
This simple tutorial shows how to enable password-less login for specific user in Linux PC. So, user doesn’t have to remember the password, just a single click will let in.
It’s easy to enable automatic login, even with a few seconds delay. But for multiple accounts (e.g., guest or user account for kids), remove the password authentication could be a better choice.
This tutorial is tested and works in Ubuntu 22.04, Ubuntu 20.04, Fedora 36, Manjaro GNOME, and Linux Mint 20/21
Requirements:
To enable this feature, you need login with a user account that has the ability to edit system config file (aka, administrator).
As well, new user account must have been login for the first time to generate user’s home folder.
Enable no password login for specific user:
1. Firstly, open terminal by either pressing Ctrl+Alt+T on keyboard (works in Ubuntu/Linux Mint), or searching from start menu or “Activities” overview.
2. When terminal opens, run the command below to edit the config file:
sudo gedit /etc/pam.d/gdm-password
Tip 1: For Ubuntu 22.10+ and Fedora 36 replacegedit
withgnome-text-editor
, so the command will be:sudo gnome-text-editor /etc/pam.d/gdm-password
Tip 2: This is for GNOME only, other desktop may have another config file under "/etc/pam.d" directory, such as "/etc/pam.d/lightdm" for Mint. Tip 3: Linux Mint user DON'T have to edit any config file. Just run bottom command to add user into 'nopasswdlogin' group.
3. When the config file opens, add the rule to the first line:
auth sufficient pam_succeed_if.so user = merilyn
Replace merilyn with the desired username and save the file!
That’s it! After saving the file, restart computer and click the username in login screen to see the magic!
Password-less login for a group of users:
Besides writing multiple lines in previous config file, you may add users to a certain group, and set to allow all users in that group to login without password.
1. First, open terminal and run command to create “nopasswdlogin” group.
sudo groupadd nopasswdlogin
2. Next, edit the config file via command:
sudo gedit /etc/pam.d/gdm-password
Replace gedit with your system text editor, such as gnome-text-editor for Fedora 36/Ubuntu22.10.
Add the line below and save it:
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
NOTE: Linux Mint only need to do last command in step 3 as 'nopasswdlogin' group already exist and well configured.
3. Finally, add (or remove) any user into/from that group ( nopasswdlogin ) to enable (or disable) password-less login.
For example, add user ‘merilyn’ to the group via command:
sudo gpasswd --add merilyn nopasswdlogin
replace —add with —delete will remove user from the group
Restart your machine to apply changes and done!
Summary:
Thing is quite easy in short. Just edit the configuration file under “/etc/pam.d” directory. Then add a rule to either allow certain user or all users from a group to login without password authentication. Linux Mint has a ‘nopasswdlogin’ group set for this stuff out-of-box, so simply add a user into that group can do the trick!
How to run sudo command with no password?
How does the ubuntu user on the AWS images for Ubuntu Server 12.04 have passwordless sudo for all commands when there is no configuration for it in /etc/sudoers ? I’m using Ubuntu server 12.04 on Amazon. I want to add a new user that has the same behavior as the default Ubuntu user. Specifically I want passwordless sudo for this new user. So I’ve added a new user and went to edit /etc/sudoers (using visudo of course). From reading that file it seemed like the default ubuntu user was getting it’s passwordless sudo from being a member of the admin group. So I added my new user to that. Which didn’t work. Then I tried adding the NOPASSWD directive to sudoers . Which also didn’t work. Anyway, now I’m just curious. How does the ubuntu user get passwordless privileges if they aren’t defined in /etc/sudoers . What is the mechanism that allows this?
6 Answers 6
Okay, I have discovered the answer so may as well put it here for completeness. At the end of /etc/sudoers there is what I thought was just a comment:
However this actually includes the contents of that directory. Inside of which is the file /etc/sudoers.d/90-cloudimg-ubuntu . Which has the expected contents
# ubuntu user is default user in cloud-images. # It needs passwordless sudo functionality. ubuntu ALL=(ALL) NOPASSWD:ALL
So that is where the sudo configuration for the default ubuntu user lives.
You should edit this file using visudo. The following command will let you edit the correct file with visudo.
sudo visudo -f /etc/sudoers.d/90-cloudimg-ubuntu
aychedee ALL=(ALL) NOPASSWD:ALL
In later versions (14.04 for example) the included file is /etc/sudoers.d/90-cloud-init-users (so to edit.. sudo visudo -f /etc/sudoers.d/90-cloud-init-users ). Although it’d be cleaner to create additional files than editing the generated one. Note that files containing a . or ending in ~ will not be included.
@Phil_1984_ Most likely, it was added as a comment to allow compatibility with other (standard?) versions of sudo, which don’t allow includes, but wouldn’t be tripped up by a weird comment. (Standards are hard! 😉
I found that the most straight forward thing to do, in order to easily replicate this behavior across multiple servers, was the following:
# Members of the admin group may gain root privileges %admin ALL=(ALL) ALL
# Members of the admin group may gain root privileges %admin ALL=(ALL) NOPASSWD:ALL
And move it under this line:
# Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL
# This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) NOPASSWD:ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d
then for every user that needs sudo access WITH a password:
and for every user that needs sudo access WITH NO password:
(on older versions of ubuntu, you may need to):
sudo service sudo restart
Edit: You may have to add the admin group as I don’t think it exists by default.
You can also add the default AWS ubuntu user to the admin group via this command:
sudo usermod ubuntu -g admin
Note: As @hata mentioned, you may need to use adm as your admin group name, depending on which version of Ubuntu is being used.
Creating a user without a password
Nothing is wrong, the authentication failed as expected. You won’t get a «there is no password, you can’t login» error message.
Either create it as root and set the correct permissions, or execute su git as root where you don’t have to provide a password.
I just wanted to point out that letting the git user have Bash as a shell is a bad idea, security wise. That would allow users of this repo to get a shell in your server. If you set the shell to /usr/bin/git-shell you can limit their account to using git and nothing else. (You should also limit SFTP access but that can only be done from /etc/sshd_config). Now, once you changed the shell, «su» won’t work as-is. You’ll have to do «su -s /bin/sh git» instead.
7 Answers 7
The —disabled-password option will not set a password, meaning no password is legal, but login is still possible (for example with SSH RSA keys).
To create an user without a password, use passwd -d $username after the user is created to make the password empty. Note not all systems allow users with empty password to log in.
You’ve created a user with a “disabled password”, meaning that there is no password that will let you log in as this user. This is different from creating a user that anyone can log in as without supplying a password, which is achieved by specifying an empty password and is very rarely useful.
In order to execute commands as such “system” users who don’t log in normally, you need to hop via the root account:
If you want certain users to be able to run commands as the git user without letting them run commands as root, set up sudo (run visudo as root and add a line like %gitters ALL = (git) ALL ).
Ubuntu 19.10 seems like does not have —disabled-password parameter, could there be any alternative solution
@alper Write the full path: sudo -u git cat /wherever/main.py . Or add a cd command: sudo -u git sh -c ‘cd /wherever && cat main.py’ . If you want to be sure that the other user doesn’t get access to the current directory even if the command doesn’t do what was intended, change directories outside: (cd /wherever && sudo -u git cat main.py)
@alper You didn’t use the commands I posted. You used one of many variants (too many for me to guess the exact one) that would result in this particular error. You need to invoke a shell for cd and && .
If you want to access the system under the git user you should use sudo:
Create an user with empty password
sudo useradd test-user-0 echo test-user-0:U6aMy0wojraho | sudo chpasswd -e su test-user-0
The password prompt still shows unfortunately.
But if you just hit enter without typing anything, and it logins as the user test-user-0 .
The -e flags tells chpasswd that the password is already encrypted, and U6aMy0wojraho is the hash of the empty string.
Terminal autologin with getty -a
On the terminal at least, you don’t need to create an user without a password to allow someone to not type their passwords every time.
So I believe that it should not be very hard to adapt that technique by modifying Ubuntu 18.04’s systemd init system scripts to setup a getty -a terminal as mentioned in that answer, although I haven’t tried to do it myself.