FreeIPA sudoers rule - how to add NOPASSWD for ALL commands (no prompt for password)
You are probably looking for something along these lines:
ipa sudorule-add ANY \
--hostcat=all \
--cmdcat=all \
--runasusercat=all \
--runasgroupcat=all
ipa sudorule-add-user ANY \
--users=user --groups=group
ipa sudorule-add-option ANY \
--sudooption='!authenticate'
The last command is the NOPASSWD part.
DISCLAIMER: Please review. The rule above may allow more than you expect.
Author: Alex
Updated on September 18, 2022
Comments
-
Alex almost 2 years
Using FreeIPA for sudoers rules and I am attempting to create what would be the same as standard sudoers line(s) of:
user ALL=(ALL) NOPASSWD:ALL
group ALL=(ALL) NOPASSWD:ALL
to allow a specific user or group to execute any/all commands without being prompted for their password.
This is not a duplicate of the below mentioned, as my goal is to circumvent the password prompt (use NOPASSWD). I already know how to set up for ALL commands.
Adding '!authenticate' option does not seem to work either (see below):
tester@server:~$ ipa sudorule-find ANY
-------------------
1 Sudo Rule matched
-------------------
  Rule name: ANY
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  Users: tester
  External User: user
  Sudo Option: !authenticate
----------------------------
Number of entries returned 1
----------------------------
tester@server:~$
tester@nvamgtwiki01:~$ sudo cat /etc/sudoers
[sudo] password for tester:
-
ginerama over 4 years
Possible duplicate of Using FreeIPA for centralized sudo - how to specify ALL commands?
-
Alexey Vazhnov over 4 years
@alex, could you please paste here your sudorule-add arguments?
-
ricekab about 3 years
For anyone else looking at this, whilst this didn't work for the original poster it worked for my setup.
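The answer's note that the rule may allow more than you expect can be checked mechanically. The script below is an added example, not part of the original thread: it reads text in the layout printed by `ipa sudorule-find` and lists enabled rules that carry `!authenticate`, rating those with command category `all` as HIGH. The function names, the severity labels and the sample rules (including their host and command values) are constructed for illustration.

```shell
# Added example: flag enabled FreeIPA sudo rules that skip authentication.
# Reads text in the layout printed by `ipa sudorule-find` on stdin.
audit_sudorules() {
  awk '
    function emit() {
      if (name == "" || toupper(enabled) != "TRUE" || !nopass) return
      printf "%s\t%s\t%s\n", (cmdcat == "all" ? "HIGH" : "MEDIUM"), name,
             (hostcat == "all" ? "all hosts" : "limited hosts")
    }
    {
      sub(/^[ \t]+/, "")
      pos = index($0, ": ")
      if (!pos) next                      # separators, blank lines, counts
      key = substr($0, 1, pos - 1); val = substr($0, pos + 2)
    }
    key == "Rule name" { emit(); name = val; enabled = cmdcat = hostcat = ""; nopass = 0 }
    key == "Enabled"          { enabled = val }
    key == "Host category"    { hostcat = val }
    key == "Command category" { cmdcat = val }
    key == "Sudo Option" && index(val, "!authenticate") { nopass = 1 }
    END { emit() }
  '
}
# Constructed sample input (not real output), modelled on the listing in the question.
sample_rules() {
  cat <<'EOF'
  Rule name: ANY
  Enabled: TRUE
  Host category: all
  Command category: all
  Sudo Option: !authenticate

  Rule name: web-restart
  Enabled: TRUE
  Hosts: web01.example.test
  Sudo Allow Commands: /usr/bin/systemctl restart httpd
  Sudo Option: !authenticate

  Rule name: dba-all
  Enabled: TRUE
  Command category: all

  Rule name: old-any
  Enabled: FALSE
  Command category: all
  Sudo Option: !authenticate
EOF
}
sample_rules | audit_sudorules
```

Against a live server, pipe `ipa sudorule-find` into `audit_sudorules` instead of the sample; each output line is severity, rule name and host scope, separated by tabs.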