Misc: Adding/Enabling a Linux user via ssh public key w/ sudo and to not require a password.

This is a very specific use case, but is helpful when working w/ cloud instance VM's that don't make use of central auth.  The following script essentially adds a user to Linux so that they can ssh into the system w/ using their ssh public key and utilize sudo if granted.  Running sudo as these users typically requires a password be set.  In this case, we are not setting a password on the account as  This script circumvents the need for users to provide a password.

Effectively, the script works like so:
  • An existing sudoer/root/admin must run this script.
  • You provide a username and the user's ssh public key.
  • Set sudoer to true or false (or anything other than true really)
  • customsudofile path defaults to /etc/sudoers.d/nopasswd
    • Essentially, anything in sudoers.d path is ingested by sudoer file as an override.
  • customsudodata is what you want to insert into the custom sudo file.
    • Default set to allow sudo members to invoke sudo w/o a password.
  • Set nopasswdallow to true to insert customsudo file.
The script will then add the user to the system, authorize their public key for ssh access.  If sudoer is set to true, they will also be added to the sudo "group".  Finally if "nopasswdallow" is set to true, a file will be created to override the default sudoer file to allow no passwords for sudo members.

This really should go without saying, but this type of setup is a security/operational nightmare.  Do yourself a favor and ALWAYS use central auth or some kind of managed identity solution.  I only put this out there because I find an occasional need to do something quick and dirty to empower others.  ALWAYS follow-up and destroy or re-setup a proper solution.


Popular posts from this blog

NSX-T: vCenter and NSX-T Inventory out of Sync (Hosts in vSphere not showing up in NSX-T)

NSX-T: Release associated invalid node ID from certificate

MacOS: AnyConnect VPN client was unable to successfully verify the IP forwarding table modifications.