Execute sudo without Password?

Question

Inspired by this question....

I am the sole person using my system with 12.04.
Every time I issue a sudo command; the system asks for the user password (which is good in its own way).
However I was thinking; without activating the root account; how can I execute the sudo commands which will not ask for user password to authenticate.

NOTE: I want to execute sudo command without authenticating via password; only when they are executed via terminal.
I don't want to remove this extra layer of security from other functions such a while using 'Ubuntu software center' or executing a bash script by drag-drop something.sh file to the terminal.

Answer 1

You can configure sudo to never ask for your password.

Open a Terminal window and type:

sudo visudo

In the bottom of the file, add the following line:

$USER ALL=(ALL) NOPASSWD: ALL

Where $USER is your username on your system. Save and close the sudoers file (if you haven't changed your default terminal editor (you'll know if you have), press Ctl + x to exit nano and it'll prompt you to save).

As of Ubuntu 19.04, the file should now look something like

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset
Defaults    mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

YOUR_USERNAME_HERE ALL=(ALL) NOPASSWD: ALL

After this you can type sudo <whatever you want> in a Terminal window without being prompted for the password.

This only applies, to using the sudo command in the terminal. You'll still be prompted for your password if you (for example) try to install a package from the software center

Answer 2

The preferred way to grant individual (or group) permissions would be to add files under /etc/sudoers.d

This separates local changes from the default policy and saves time in case the distribution sudoers file changes.

To make the currently logged in user a a sudoer and make sudo not prompt them for a password, use

echo "$USER ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/$USER

this will create a file called /etc/sudoers.d/$USER (where $USER is the username of the user that you were logged in as when you ran that command), making it clear which users are granted permission.

If you want to do that for a different user, just replace both instances of $USER with some other username in the above command.

echo "otheruser ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/otheruser

Similarly, one file can be used to manage multiple directives:

echo "username ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee -a /etc/sudoers.d/local

See /etc/sudoers.d/README and man sudoers for more information.

This setup works because on Ubuntu the /etc/sudoers file contains a line:

@includedir /etc/sudoers.d

which includes files from the /etc/sudoers.d directory.

Answer 3

sudo -i is the way to go if you don't want to be typing a password every 10 mins while doing modifications in your system (or other systems), and you don't want to modify any system files.

It will switch you to root using your sudo user password, when you close the console or type exit you are back to your normal user.

Answer 4

Root sudo timeouts are the easiest and safest way of doing this. I'll lay out all examples but be warned it is very risky any way you do this although this way is much safer:

sudo visudo

This opens an editor and points it to the sudoers file -- Ubuntu defaults to nano, other systems use Vi. You're now a super user editing one of the most important files on your system. No stress!

(Vi specific instructions noted with (vi!). Ignore these if you're using nano.)

Use the arrow keys to move to the end of the Defaults line.

(vi!) press the A (capital "a") key to move at the end of the current line and enter editing mode (append after the last character on the line).

Now type:

,timestamp_timeout=X

where X is the timeout expiration in minutes. If you specify 0 you will always be asked the password. If you specify a negative value, the timeout will never expire. E.g. Defaults env_reset,timestamp_timeout=5.

(vi!) hit Escape to return to command mode. Now, if you're happy with your editing, type in :w Enter to write the file and :q Enter to exit vi. If you made a mistake, perhaps the easiest way is to redo from start, to exit without saving (hit Escape to enter the command mode) and then type :q! Enter.

Hit Ctrl+X, then Y, then Enter to save your file and exit nano.

You might want to read the sudoers and vi manual pages for additional information.

man sudoers
man vi

Reset timeout value using:

sudo -k

These instructions are to remove the prompt for a password when using the sudo command. The sudo command will still need to be used for root access though.

Edit the sudoers file

Open a Terminal window. Type in sudo visudo. Add the following line to the END of the file (if not at the end it can be nullified by later entries):

<username> ALL=NOPASSWD: ALL

Replace <username> with your username (without the <>). You can alternately use the group users or any other such group you are in if you prepend %. Just make sure you are in that group. This can be checked by going to System -> Administration -> Users and Groups.

Example:

michael ALL=NOPASSWD: ALL

Type in ^X (Ctrl+X) to exit. This should prompt for an option to save the file, type in Y to save.

Log out, and then log back in. This should now allow you to run the sudo command without being prompted for a password.

The root account

Enabling the root account

Enabling the root account is rarely necessary. Almost everything you need to do as administrator of an Ubuntu system can be done via sudo or gksudo. If you really need a persistent root login, the best alternative is to simulate a Root login shell using the following command:

sudo -i

However, if you must enable root logins, you can do it like this:

sudo passwd root

Re-disabling your root account

If for some reason you have enabled your root account and wish to disable it again, use the following command in the terminal:

sudo passwd -dl root

System-wide group sudo

root$ echo "%sudo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

Log out, and then back in.

Reset sudo timeout

You can make sure sudo asks for password next time by running:

sudo -k

Answer 5

From Super User comes a good answer:

Use the -S switch which reads the password from STDIN:

echo <password> | sudo -S <command>

Replace <password> with your password.

Answer 6

Of course what you want to do isn't recommended. After a while, though entering sudo becomes so automatic that its usefulness diminishes.

Another approach is to leave your sudoers file as is and, while doing something complicated to your umpteen hundred servers, enter sudo bash . That will give you a shell that will be authenticated as root until you exit it.

Answer 7

This is a one line solution that also changes files permissions as stated in /etc/sudoers.d/README:

sudo sh -c 'echo "$(logname) ALL=(ALL:ALL) NOPASSWD: ALL" > /etc/sudoers.d/$(logname)' && sudo chmod 440 /etc/sudoers.d/$(logname)

Answer 8

Nice one-liner to remove sudo prompts for the current user

sudo bash -c 'echo "$(logname) ALL=(ALL:ALL) NOPASSWD: ALL" | (EDITOR="tee -a" visudo)'

Answer 9

One liner

sudo sed -i /etc/sudoers -re 's/^%sudo.*/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g'

Answer 10

• Expanding on @upteryx idea.

• This is how I've implemented the non-root, passwordless user in an ephemeral Docker Image for use in a CICD pipeline:

RUN \
    groupadd -g 999 foo && useradd -u 999 -g foo -G sudo -m -s /bin/bash foo && \
    sed -i /etc/sudoers -re 's/^%sudo.*/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
    sed -i /etc/sudoers -re 's/^root.*/root ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
    sed -i /etc/sudoers -re 's/^#includedir.*/## **Removed the include directive** ##"/g' && \
    echo "foo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
    echo "Customized the sudoers file for passwordless access to the foo user!" && \
    echo "foo user:";  su - foo -c id

Answer 11

To never prompt the current user for a password when that user uses sudo run this command:

echo "$USER ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/dont-prompt-$USER-for-sudo-password

Answer 12

Open sudo config:

sudo visudo

add following line:

# Defaults specification 
Defaults:username  !authenticate

where username is your usesrname.

Answer 13

SECURITY CONSIDERATIONS: I agree there are some cases where an user with a password has little sense, and may also decrease security. For example, if you have a shared computer with dedicated admin accounts (trusted skilled coworkers, whatever) that access only via SSH keys: you already have military-level security, so, having an extra password may be not necessary, and it causes to have another secret to be kept secret. Do your evaluations. But in that case, or similar ones...

---

Avoid to allow-list a single User

In any case, it's not ideal to allow-list every specific user in the sudoers configuration. It's very probably better to rely on groups instead.

For example, you can have a group "to sudo without a password". And every user in that group is allowed to do so.

A group would dramatically simplify auditing, in my opinion.

Also, with a group, you can use standard tools to manage users. This dramatically decrease human mistakes. With a group, there are less risks to break your critical sudo system.

In short, first, create a group.

Option 1: create a group "Wheel"

Some distributions adopt a dedicated group called wheel. Users in that group do not need a sudo password. To continue this tradition:

Create the wheel group (if it does not already exist):

sudo addgroup wheel

Then, edit your sudo configuration, to make that group special.

(you need to know how to edit a file from the terminal with vi or a similar editor)

sudo visudo

Add this line:

# Members of the wheel group can execute sudo without password
%wheel ALL=(ALL) NOPASSWD:ALL

Done!

Then, you can assign yourself or any other user in the wheel group, and that is all, to have no password for sudo:

sudo usermod -aG daisy wheel
sudo usermod -aG mario wheel
sudo usermod -aG peach wheel
sudo usermod -aG luigi wheel
sudo usermod -aG roby  wheel

So you can use standard User permissions to manage this, to revoke this in any moment.

Option 2: "Just change sudo"

Instead of creating a wheel group, that may be overkill for you, you can allow all your sudo users to always have no password. To do so, edit your sudo configuration:

sudo visudo

Then, identify this line (or similar):

%sudo ALL=(ALL:ALL) ALL

And replace that line with this one (or similar):

%sudo ALL=(ALL) NOPASSWD:ALL

---

Anyway, you can get lot of extra information in the official documentation:

https://manpages.ubuntu.com/manpages/noble/en/man5/sudoers.5.html