Disable su and sudo access for users
You do not create a user using SSH keys. The user logs in to the machine using SSH keys after creation.
For sudo, there is no difference in how the user authenticates.
To prevent users from using sudo, remove them from the group sudo. To prevent them from using su, don't tell them the root password.
Related videos on Youtube
07 : 13
19 : 10
02 : 27
09 : 36
08 : 51
Siddarth Hegde
Updated on September 18, 2022Comments
-
Siddarth Hegde over 1 year
I have created a couple of users who use their SSH Keys to log in on a server.
I don't want any user to have root access, i.e, no user should be able to do
sudo suorsu - another user.When I check the user, I can see only these
id user uid=1001(user) gid=1001(user) groups=1001(user)I have checked across the internet, I found how to disable
sudoaccess for users with a password but I want to disable it for users who are using their SSH keys to log in?I want to disable
sudoandsuaccess for user that log in using SSH. How will I do it?Edit 01:
I have done the following;
sudo deluser user sudo /usr/sbin/deluser: The user is not a member of group `sudo'.and
sudo gpasswd -d user sudo Removing the user from group sudo gpasswd: the user is not a member of 'sudo'After that, I checked
sudo -l -U user User may run the following commands on the server: (ALL) NOPASSWD: ALLUser is still able to run
sudo suand get root access.EDIT 02:
@Panki, The snippet
visudo # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL: ALL) ALL-
Panki about 4 yearsWell, you forgot to mention in your question that your/etc/sudoersfile allows anybody without a password to run every command asroot. This is a very bad idea for obvious reasons. You should edit the file (usevisudofor this) and restore a sane state. -
Kamil Maciorowski about 4 years
(ALL) NOPASSWD: ALLcomes from somewhere. If it's not directly in thesudoersfile then maybe the file contains#includeor#includedir(they are not comments). Learn what they do (seeman 5 sudoers), locate files/directories they point to and investigate. If you need to change anything, usevisudo -f.
-
-
Siddarth Hegde about 4 yearsThanks, @Panki, I have also done the following which I have added in the edit. User access only using SSH, not password
