I have two servers, a and b. When I log in to a, then ssh to b, I don't want to enter a password for sudo commands.
On b, I set it so that if the host is 172.25.9.13, sudo requires no password.
gqqnbig@b:~$ sudo cat /etc/sudoers.d/cluster-create-user
%sudo 172.25.9.13=(ALL) NOPASSWD: ALL
gqqnbig@b:~$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# Limit members of group sudo to execute any command, except
test ALL=ALL, !/bin/su
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Now I log in to a and make sure the IP of a is 172.25.9.13. Then I ssh to b. However, sudo on b still requires a password.
gqqnbig@a:~$ ifconfig
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.9.13 netmask 255.255.255.0 broadcast 172.25.9.255
inet6 fe80::3648:edff:fef9:9c1c prefixlen 64 scopeid 0x20<link>
ether 34:48:ed:f9:9c:1c txqueuelen 1000 (Ethernet)
RX packets 492366 bytes 127428889 (127.4 MB)
RX errors 0 dropped 212004 overruns 0 frame 0
TX packets 133728 bytes 21062341 (21.0 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 33
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 2865 bytes 266771 (266.7 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2865 bytes 266771 (266.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
gqqnbig@a:~$ ssh b
...
Last login: Tue Mar 2 11:15:57 2021 from 172.28.80.67
gqqnbig@b:~$ sudo mkdir
[sudo] password for gqqnbig:
Why doesn't the IP rule work? How do I debug it?
The Host is the system where the sudo command is run. It has nothing to do with any remote system you might be connecting from (about which sudo doesn't know anything in the first place). A Host spec of 172.25.9.13 matches if one of b's interfaces has 172.25.9.13 as the IP.
(This is probably useful in a setup where the same sudoers file is shared across multiple systems.)
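The matching described in the answer above, as an added example that is not part of the original question or answer and is not sudo's own code: a simplified model of how a sudoers host list is checked against the addresses of the machine running sudo. The function names are hypothetical, b's address is a constructed sample, and aliases, host-name wildcards and netmask-less network numbers are not modelled.

```python
import ipaddress

def host_item_matches(item, local_ips, local_hostname):
    """Test one Host_List item against the machine that runs sudo."""
    if item == "ALL":
        return True
    try:
        # CIDR or dotted-netmask network; a bare address is treated as /32 or /128.
        net = ipaddress.ip_network(item, strict=False)
    except ValueError:
        # Not an address, so compare as a host name (no wildcard support here).
        return item.lower() == local_hostname.lower()
    return any(ipaddress.ip_address(ip) in net for ip in local_ips)

def host_list_matches(host_list, local_ips, local_hostname):
    """Comma-separated list; '!' negates an item and the last matching item wins."""
    result = False
    for raw in host_list.split(","):
        item = raw.strip()
        name = item.lstrip("!")
        negated = (len(item) - len(name)) % 2 == 1
        if host_item_matches(name, local_ips, local_hostname):
            result = not negated
    return result

def rule_applies_here(rule, local_ips, local_hostname):
    """Split 'who hosts=(runas) tags: cmnds' and evaluate only the hosts part."""
    left, _ = rule.split("=", 1)
    _who, hosts = left.split(None, 1)
    return host_list_matches(hosts, local_ips, local_hostname)

RULE = "%sudo 172.25.9.13=(ALL) NOPASSWD: ALL"   # rule from the question
# Interface addresses of a, taken from the ifconfig output in the question.
A_IPS = ["172.25.9.13", "127.0.0.1", "::1", "fe80::3648:edff:fef9:9c1c"]
# Constructed sample: the page does not show b's addresses.
B_IPS = ["192.0.2.20", "127.0.0.1", "::1"]

if __name__ == "__main__":
    # The SSH client's address is never an input to any of these checks.
    print("rule active when sudo runs on a:", rule_applies_here(RULE, A_IPS, "a"))
    print("rule active when sudo runs on b:", rule_applies_here(RULE, B_IPS, "b"))
```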