Disable su and sudo access for users
You do not create a user using SSH keys. The user logs in to the machine using SSH keys after creation. For `sudo`, there is no difference in how the user authenticates.

To prevent users from using `sudo`, remove them from the group `sudo`. To prevent them from using `su`, don't tell them the root password.
Siddarth Hegde
Updated on September 18, 2022

Comments

- Siddarth Hegde, over 1 year
  I have created a couple of users who use their SSH keys to log in on a server. I don't want any user to have root access, i.e., no user should be able to do `sudo su` or `su - another user`. When I check the user, I can see only these:

      id user
      uid=1001(user) gid=1001(user) groups=1001(user)

  I have checked across the internet; I found how to disable `sudo` access for users with a password, but I want to disable it for users who are using their SSH keys to log in. I want to disable `sudo` and `su` access for users that log in using SSH. How will I do it?

  Edit 01:

  I have done the following:

      sudo deluser user sudo
      /usr/sbin/deluser: The user is not a member of group `sudo'.

  and

      sudo gpasswd -d user sudo
      Removing the user from group sudo
      gpasswd: the user is not a member of 'sudo'

  After that, I checked:

      sudo -l -U user
      User may run the following commands on the server:
          (ALL) NOPASSWD: ALL

  User is still able to run `sudo su` and get root access.

  EDIT 02:

  @Panki, the snippet:

      visudo
      # User privilege specification
      root ALL=(ALL:ALL) ALL
      # Members of the admin group may gain root privileges
      %admin ALL=(ALL) ALL
      # Allow members of group sudo to execute any command
      %sudo ALL=(ALL: ALL) ALL
- Panki, about 4 years

  Well, you forgot to mention in your question that your `/etc/sudoers` file allows anybody without a password to run every command as `root`. This is a very bad idea for obvious reasons. You should edit the file (use `visudo` for this) and restore a sane state.
- Kamil Maciorowski, about 4 years

  `(ALL) NOPASSWD: ALL` comes from somewhere. If it's not directly in the `sudoers` file then maybe the file contains `#include` or `#includedir` (they are not comments). Learn what they do (see `man 5 sudoers`), locate files/directories they point to and investigate. If you need to change anything, use `visudo -f`.
- Siddarth Hegde, about 4 years

  Thanks, @Panki, I have also done the following, which I have added in the edit. User access is only via SSH, not a password.
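As an added example (not from the question or any of the answers above), here is a small POSIX sh audit that applies the answer's advice together with Kamil Maciorowski's comment: it reads sudoers-style text and reports every rule that still grants a user privileges after removal from the `sudo` group, including per-user rules and `#include`/`#includedir` directives. The function names `sudoers_grants`, `has_grant` and `audit_live`, and the sample sudoers text, are constructed for this example.

```shell
# sudoers_grants USER "GROUP1 GROUP2 ..." < sudoers-text
# Prints every rule that applies to USER: a rule naming the user (or ALL)
# directly, or a %group rule for one of the user's groups. Lines starting
# with #include/#includedir (or @include in sudo 1.9+) are directives that
# pull in more rules, so they are reported rather than skipped as comments.
sudoers_grants() {
    awk -v user="$1" -v grps="$2" '
        BEGIN { n = split(grps, g, " ") }
        /^[ \t]*[#@]include/ { print "DIRECTIVE: " $0; next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == user || $1 == "ALL" { print "USER: " $0; next }
        substr($1, 1, 1) == "%" {
            for (i = 1; i <= n; i++)
                if (substr($1, 2) == g[i]) { print "GROUP(" g[i] "): " $0; next }
        }
    '
}

# has_grant USER "GROUPS" < sudoers-text: succeeds if any rule applies
has_grant() {
    sudoers_grants "$1" "$2" | grep -v '^DIRECTIVE:' | grep -q .
}

# audit_live USER: the same check against the real files. Run as root; this
# assumes the default /etc/sudoers and /etc/sudoers.d/ locations.
audit_live() {
    cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null |
        sudoers_grants "$1" "$(id -nG "$1")"
}

# Constructed sample: the rules from the question plus a per-user NOPASSWD
# line, the kind that keeps "sudo -l -U user" reporting "(ALL) NOPASSWD: ALL"
# after the user has been removed from the sudo group.
SAMPLE_SUDOERS='# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
user ALL=(ALL) NOPASSWD: ALL
#includedir /etc/sudoers.d'

# Demo: "user" is only in its own group, yet a rule still applies.
printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_grants user "user"
```

Any `DIRECTIVE:` line means the files it points to must be audited too, which is exactly the `#includedir` case the comment describes.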