Why is sudo telling me my password is wrong?
Solution 1
This is an illustration of the difference between authentication and authorization.
Sudo is primarily a tool for authorization. Its job is to determine whether you are allowed to execute a command with elevated privileges, and if you are, to execute that command. An entry like
bruno ALL = (ALL) ALL
in the sudoers file allows the user bruno to execute any command with any privilege.
In order to apply this rule, Sudo needs to know that the user invoking it is indeed bruno. In principle, it can rely on the system's authentication mechanism: if you can run commands as bruno, it means you've already authenticated as bruno. However, since using Sudo can have major consequences, Sudo requires some extra authentication: you need to type your password again, sometimes. This means that if you've left your console unattended and a passer-by gets to run commands as bruno, they won't be able to use Sudo: they might be able to damage your account, but not the rest of the system.
Another advantage of requesting a password is that it alerts you that something unusual is taking place. For example, an application cannot silently call sudo: it would need to ask you for your password, and an unexpected password prompt would alert you that something bad is taking place.
In practice, asking for a password each and every time you run Sudo would be annoying. Therefore the default behavior is to compromise: ask for a password every few minutes. This way, a passerby or application can cause harm by running sudo only if you've done it within the last few minutes.
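As an added example (not part of the answer above, and not code from sudo itself): a small shell/awk audit that flags the sudoers settings which remove the re-authentication step described above, namely the NOPASSWD tag from the question and a timestamp_timeout that never expires. timestamp_timeout is the sudoers option behind the "every few minutes" interval; the function names and the sample sudoers text are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit sudoers text (read from stdin) for rules that weaken
# the password re-prompt. Prints one finding per line as "<kind>:<detail>".
# Limitation: rules written with a numeric "#uid" subject are skipped as comments.

audit_sudoers() {
    awk '
    # Join backslash-continued lines into one logical line.
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
    { line = buf $0; buf = "" }
    {
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next          # blank line or comment
        if (line ~ /^Defaults/) {
            if (match(line, /timestamp_timeout[ \t]*=[ \t]*-?[0-9.]+/)) {
                v = substr(line, RSTART, RLENGTH)
                sub(/.*=[ \t]*/, "", v)
                # Negative: the cached credential never expires. 0: always prompt.
                if (v + 0 < 0) print "timeout-never-expires:" v
                else           print "timeout-minutes:" v
            }
            if (line ~ /!authenticate/) print "auth-disabled:" line
            next
        }
        # User specification carrying the NOPASSWD tag: report its subject.
        if (line ~ /NOPASSWD[ \t]*:/) {
            split(line, f, /[ \t]+/)
            print "nopasswd:" f[1]
        }
    }'
}

# Constructed sample input, not taken from a real system.
sample_sudoers() {
cat <<'EOF'
# constructed sample
Defaults timestamp_timeout=-1
bruno ALL = (ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
backup ALL = (root) \
    NOPASSWD: /usr/bin/rsync
EOF
}

sample_sudoers | audit_sudoers
```

On a real system, feed it the sudoers file and any included files as root, for example `audit_sudoers < /etc/sudoers`.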
Solution 2
You should read the manual: man sudo (Also here), and I'm not sure what the rules are but on most unix systems sudo is only allowed by users in the wheel group. So you should either make a rule for this new user that requires the password, or you add the user to the wheel group. (Use usermod -a -G wheel bruno)
Bruno Calza
Updated on September 18, 2022
Comments
-
Bruno Calza over 1 year
I recently installed OpenBSD 4.9 on my computer, so I could learn a little bit about Unix-like operating systems. I added a new user to the system called bruno. Ok. When I use the 'sudo' command, it asks me for a password. So, I enter the password. But it keeps telling me that the password is wrong, even though I'm sure that the password is correct. What am I missing here? I know that if I add
bruno ALL = (ALL) NOPASSWD: ALL
to the /etc/sudoers file it stops asking for the password, and I can execute the sudo command. What should I do here? What's the most correct/secure option? I'm sorry if it's a trivial question. I couldn't find a good explanation for this issue. I'm not only looking for solutions, but for explanations on how this whole user/permission/password thing works.
-
Admin over 12 years
When you run sudo with password, it asks you for your password. Is that what you are entering?
-
Admin over 12 years
@Mat: "When you run sudo with password, it asks you for your password." ...Which is, by the way, the most socially destructive "default behavior" I've seen in the Linux world so far. Ultimately it must lead to ignorance (such as presented in this question).
-
Admin over 12 years
@rozcietrzewiacz: The point is that sudo can be used by users who don't know the root password. For example, the system owner can grant certain users permission to execute certain commands without granting them full root access. (It also reduces the exposure of the root password to keyloggers and shoulder-surfing.) As for the ignorance you lament, it can be cured by answering the question; see below.
-
Admin over 12 years
@KeithThompson Ok, I see I did not express myself clearly. It's not about how sudo can be used (it is a very useful tool!) - it's about how it is set up by default on distros like Ubuntu. Ignorance can and should be cured of course (this is partially what this site is for). The problem is, what dangerous trends the default sudo config creates.
-
Admin over 12 years
@rozcietrzewiacz: I still don't know what problem you're referring to.
-
Gilles 'SO- stop being evil' over 12 years
The requirement for the invoking user to be in the wheel group is common on some unix variants (but not on Linux) for su. Sudo doesn't treat wheel as special; a line with %wheel ALL=(ALL) ALL in sudoers would implement the traditional wheel policy, but it's not part of the default configuration.