200

How can passwordless sudo access be setup on either RHEL (Fedora, CentOS, etc) or Ubuntu distributions? (If it's the same across distros, that's even better!)

Setting: personal and/or lab/training equipment with no concern for unauthorized access (ie, the devices are on non-public networks, and any/all users are fully trusted, and the contents of the devices are "plain-vanilla").

warren
  • 17,829
  • 23
  • 82
  • 134
  • 2
    The answer from @Richipal is actullay the one working best with the least effort: it seems sudoers rules apply in reverse order. – a1an Jun 04 '15 at 12:27
  • 3
    @a1an rules are applied in the same order as listed in the sudoers file, and as they are applied they kind of override each other. Hence if I do not want a rule to change at all I would put it towards the end of file so that it is applied at the last and cannot be overridden. – rsjethani Sep 04 '16 at 09:59

8 Answers8

214

EDIT thanks to medina's comment: According to the man page, you should be able to write

ALL            ALL = (ALL) NOPASSWD: ALL

to allow all users to run all commands without a password.

For reference, I'm leaving my previous answer:

If you add a line of the form

%wheel         ALL = (ALL) NOPASSWD: ALL

to /etc/sudoers (using the visudo command, of course), it will let everyone in the group wheel run any commands without providing a password. So I think the best solution is to put all your users in some group and put a line like that in sudoers - obviously you should replace wheel with the actual group you use.

Alternatively, you can define a user alias,

User_Alias     EVERYONE = user1, user2, user3, ...

and use that:

EVERYONE       ALL = (ALL) NOPASSWD: ALL

although you would have to update /etc/sudoers every time you add or remove a user.

David Z
  • 5,376
  • 2
  • 24
  • 22
  • 2
    Doesn't `ALL` work rather than `*` to specify all users? See the example in `sudoers(5)`. – medina Jul 15 '10 at 10:58
  • 1
    @medina: so it does, I missed that when I was reading the man page. I'll edit. – David Z Jul 15 '10 at 17:26
  • 7
    under Ubuntu, creating a file under /etc/sudoers.d and put these entries in it then it will stop you having to edit sudoers – Xetius Oct 28 '12 at 20:18
  • 1
    In CentOS7, this entry is there by default, just commented out. – killjoy Apr 28 '18 at 10:22
  • 1
    Only managed to use it in centOS by copy/pasting, failed every attempts to type directly the configuration. But the result seems identical except for spaces... – MUY Belgium Jun 28 '18 at 08:31
  • Note that you might need to log out and then log in for the changes to take effect – sjking Apr 06 '20 at 04:56
138

I tried the solutions above to no avail. The following solution worked for me Edit the /etc/sudoers file and add the following line

username ALL=(ALL) NOPASSWD: ALL

The key is to add it after the last line which says 

#includedir /etc/sudoers.d
Richipal
  • 1,481
  • 1
  • 9
  • 2
  • 1
    // , This looks like the better way to do it, especially when certain applications will add their own rules for system users, Richipal. More info on sudoers.d: http://www.sudo.ws/man/1.8.13/sudoers.man.html – Nathan Basanese Aug 27 '15 at 17:18
  • 6
    The issue with ignoring %wheel's NOPASSWD seems to arise from `/etc/sudoers.d/USERNAME` overriding the group's NOPASSWD permission. Applying NOPASSWD in `/etc/sudoers.d/USERNAME` resolves the problem. – eel ghEEz Jul 31 '17 at 15:03
  • 3
    Big ups to this one, after the include is important – Theodore Howell Apr 08 '19 at 17:50
  • 1
    Very questionable to have `#include` be a special syntax in a `#`-commented config file... – phil294 Jun 26 '19 at 10:55
31

I tried all the answers on this page, with no useful results. Eventually I figured it out, use this command to list your sudo rights:

sudo -l

This should give you an output like this:

User gmurphy may run the following commands on this host:
    (root) NOPASSWD: ALL
    (ALL) ALL

It shows that I'm configured with root privileges but that I'm still part of a group (admin) matched to a sudo rule which expects the password ("(ALL) ALL"). This was forcing sudo to prompt me. The rule in question was the admin users:

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

Once I commented this out, I was able to sudo without password. I hope this is of use to someone else.

Gearoid Murphy
  • 418
  • 4
  • 6
  • 1
    Ahhh, thanks! This was driving me nuts... in my case, my user was part of the "sudo" group as well as "admin" (which I created), and the permissions on each were mis-matched, as they were in your case. Now this stuff works! :) – neezer May 06 '12 at 22:28
  • 15
    Commenting a line out is a blunt instrument. You may be interested to hear that "sudo reads the sudoers file and applies permissions in order from top to bottom. So the last line in the file will overwrite any previous conflict" according to http://ubuntuforums.org/showthread.php?t=1132821 -- and this worked for me. – David J. Jan 15 '13 at 04:08
12

Within /etc/sudoers there's an example of just that towards the bottom of the file:

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
Ignacio Vazquez-Abrams
  • 45,019
  • 5
  • 78
  • 84
6

There is another way to do it without touching the sudoers file.

  • Edit /etc/pam.d/su and uncomment the line below:

    auth           sufficient      pam_wheel.so trust use_uid

  • Add the user to the wheel group.

Daniel Serodio
  • 249
  • 3
  • 10
topdog
  • 3,490
  • 16
  • 13
3

This is an old thread, but it's interesting that no one has added the system default authenticate to this answer list. Using an entry of

Defaults  !authenticate

In the sudoers file would allow any user to use their defined sudo commands without any password authentication. It's part of the default sudo specification and is portable across all platforms, as specified in the OP. And, if you need to scope it to a specific user, try

Defaults:<user_name>  !authenticate
Thomas N
  • 436
  • 2
  • 9
2

There is another way to do it without touching the sudoers file.

  • Edit /etc/pam.d/sudo and add the line below:

    auth           sufficient      pam_wheel.so trust use_uid

  • Add the user to the wheel group.

Props to "topdog" and "Daniel Serodio" for the original answer with regard to "su" rather than "sudo". I used that as a reference and shamelessly copied, and amended, their post.

Community
  • 1
noabody
  • 41
  • 2
  • 1
    I think instead of copying verbatim, it would be better to credit them, but be clear about how exactly your answers differ. I assume this allows passwordless `su`, instead of/as well as passwordless `sudo`? Daniel's addition is just formatting, by the way. – mwfearnley Aug 22 '18 at 10:01
1
echo -e "\n$USER ALL=(ALL) NOPASSWD: ALL\n" | sudo tee -a /etc/sudoers
sudo cat /etc/sudoers

reopen terminal, verify that you are not asked for your password:

sudo echo "it works!"
masterxilo
  • 119
  • 3