Why is sudo telling me my password is wrong?


Solution 1

This is an illustration of the difference between authentication and authorization.

Sudo is primarily a tool for authorization. Its job is to determine whether you are allowed to execute a command with elevated privileges, and if you are, to execute that command. An entry like

bruno ALL = (ALL): ALL

in the sudoers file allows the user bruno to execute any command with any privilege.

In order to apply this rule, Sudo needs to know that the user invoking it is indeed bruno. In principle, it can rely on the system's authentication mechanism: if you can run commands as bruno, it means you've already authenticated as bruno. However, since using Sudo can have major consequences, Sudo requires some extra authentication: you need to type your password again, sometimes. This means that if you've left your console unattended and a passer-by gets to run commands as bruno, they won't be able to use Sudo: they might be able to damage your account, but not the rest of the system.

Another advantage of requesting a password is that it alerts you that something unusual is taking place. For example, an application cannot silently call sudo: it would need to ask you for your password, and an unexpected password prompt would alert you that something bad is taking place.

In practice, asking for a password each and every time you run Sudo would be annoying. Therefore the default behavior is to compromise: ask for a password every few minutes. This way, a passerby or application can cause harm by running sudo only if you've done it within the last few minutes.
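The split between authorization (the rule exists) and re-authentication (sudo still asks for the invoking user's password) can be read straight off a sudoers file. The following is an added example, not part of the original answer: a simplified audit over constructed input that handles only single-line user specifications and a `Defaults timestamp_timeout` line, with the function name `audit` and the sample values being assumptions.

```python
import re

# Constructed sample (not from a real system): the NOPASSWD and %wheel rules
# quoted on this page, plus an assumed Defaults line.
SAMPLE_SUDOERS = """\
Defaults timestamp_timeout=5
bruno ALL = (ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
"""

# who host = [(runas)] [TAG:]... command  (simplified: one spec per line)
SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG = re.compile(r"^([A-Z_]+):\s*")
TIMEOUT = re.compile(r"\btimestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)")


def audit(text):
    """Return (rules, timeout_minutes) for a simplified subset of sudoers."""
    rules, timeout = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            m = TIMEOUT.search(line)
            if m:
                timeout = float(m.group(1))
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, host, runas, rest = m.groups()
        tags = set()
        while (t := TAG.match(rest)):
            tags.add(t.group(1))
            rest = rest[t.end():]
        # Authorization is granted either way; asks_password records whether
        # sudo still re-authenticates the invoking user.
        rules.append({"who": who, "host": host, "runas": runas or "root",
                      "command": rest.strip(),
                      "asks_password": "NOPASSWD" not in tags})
    return rules, timeout


if __name__ == "__main__":
    for rule in audit(SAMPLE_SUDOERS)[0]:
        print(rule)
```

Rules reported with `asks_password` set to False are the ones where a passer-by or an application could run sudo without any prompt, regardless of the timeout value.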

Solution 2

You should read the manual: man sudo (also here). I'm not sure what the rules are, but on most Unix systems sudo is only allowed for users in the wheel group. So you should either make a rule for this new user that requires the password, or add the user to the wheel group (use usermod -a -G wheel bruno).

Author: Bruno Calza

Updated on September 18, 2022

Comments

  • Bruno Calza over 1 year

    I recently installed OpenBSD 4.9 on my computer, so I could learn a little bit about Unix-like operating systems. I added a new user to the system called bruno. OK. When I use the 'sudo' command, it asks me for a password. So, I enter the password. But it keeps telling me that the password is wrong, even though I'm sure that the password is correct. What am I missing here? I know if I add

     bruno ALL = (ALL) NOPASSWD: ALL
    

    to the /etc/sudoers file it stops asking for the password, and I can execute the sudo command. What should I do here? What's the most correct/secure option? I'm sorry if it's a trivial question. I couldn't find a good explanation for this issue. I'm not only looking for solutions, but for explanations on how this whole user/permission/password thing works.

    • Admin over 12 years
      When you run sudo with password, it asks you for your password. Is that what you are entering?
    • Admin over 12 years
      @Mat: "When you run sudo with password, it asks you for your password." ...Which is, by the way, the most socially destructive "default behavior" I've seen in the Linux world so far. Ultimately it must lead to ignorance (such as presented in this question).
    • Admin over 12 years
      @rozcietrzewiacz: The point is that sudo can be used by users who don't know the root password. For example, the system owner can grant certain users permission to execute certain commands without granting them full root access. (It also reduces the exposure of the root password to keyloggers and shoulder-surfing.) As for the ignorance you lament, it can be cured by answering the question; see below.
    • Admin over 12 years
      @KeithThompson OK, I see I did not express myself clearly. It's not about how sudo can be used (it is a very useful tool!) - it's about how it is set up by default on distros like Ubuntu. Ignorance can and should be cured of course (this is partially what this site is for). The problem is what dangerous trends the default sudo config creates.
    • Admin over 12 years
      @rozcietrzewiacz: I still don't know what problem you're referring to.
  • Gilles 'SO- stop being evil' over 12 years
    The requirement for the invoking user to be in the wheel group is common on some unix variants (but not on Linux) for su. Sudo doesn't treat wheel as special; a line with %wheel ALL=(ALL) ALL in sudoers would implement the traditional wheel policy, but it's not part of the default configuration.