2

I have created a new Ubuntu server and, as the root user, I created a new user. The steps I followed:

sudo adduser tom
sudo su - tom
mkdir .ssh
chmod 700 .ssh
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
nano .ssh/authorized_keys   # paste public key

It seems okay and I can login as [email protected]. However when I logged in as Tom, it asks for permission and when I sudo something it asks for password, and I don't have a password for him so I use my root password, so it warns:

[sudo] password for tom:
tom is not in the sudoers file. This incident will be reported.

From my root user, I tried adding tom in visudo as

root ALL=(ALL:ALL) ALL
tom ALL=(ALL:ALL) ALL

but this didn't change anything.

What is the proper way of doing this setup so Tom has permission to run stuff and the only password asked of him is his ssh password? Tom should run stuff like sudo npm install or sudo composer install with his ssh password, and maybe he shouldn't even know the root password.

What am I missing here?

2
  • "it asks for password, and I don't have a password for him" ... "Tom should run stuff ... with his ssh password" Does the tom user have a password or not? Add the output of sudo -l when run as tom, please.
    – muru
    Commented Dec 6, 2017 at 2:17
  • I would hope the 'tom' account has a password configured, however it sounds like the goal is to allow someone to use a SSH private key to connect to the host and run commands as root without knowing the password to the account.
    Commented Dec 6, 2017 at 2:28

2 Answers

1

EDIT:

Based on a second reading, if you still want the password prompted for Tom to use sudo, you would want:

tom ALL = (ALL:ALL) ALL

If you want tom to be able to run sudo without a password at all, use the below answer.


I believe you would want the line to be:

tom ALL = NOPASSWD: ALL 

Explanation:

tom is the user this line applies to, the first ALL is which hosts this applies to, NOPASSWD is a tag that specifies a password is not required, and the final ALL specifies what commands tom can run via sudo.

Note that if you want to restrict what commands (or even combinations of commands & arguments), you can replace the second ALL. For example:

tom ALL = NOPASSWD: /bin/kill, /usr/bin/lprm 

See the Sudoers man page and an alternative man page with additional examples about 80% down the page.
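
As an added example (not part of the answer above and not code from sudo itself), the following shell/awk audit reads sudoers-style text and reports, for each entry, whether it carries the NOPASSWD tag and whether it grants ALL commands or only a restricted list. The sample file, the user ann, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify sudoers entries by the two properties the answer
# explains: the NOPASSWD tag and the command list (ALL vs. a restricted set).

# Constructed sample input; "ann" is a hypothetical second user.
sample_sudoers() {
    cat <<'EOF'
# /etc/sudoers-style text (constructed for this example)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
tom     ALL = NOPASSWD: ALL
ann     ALL = NOPASSWD: /bin/kill, /usr/bin/lprm
EOF
}

# Reads sudoers text on stdin; prints "<who> <PASSWD|NOPASSWD> <ALL|RESTRICTED>".
# Simplifications (assumptions of this example): one entry per line, no line
# continuations, aliases are not expanded, a tag anywhere marks the whole line.
audit_sudoers() {
    awk '
    /^[ \t]*$/    { next }                       # blank lines
    /^[ \t]*[#@]/ { next }                       # comments and include directives
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next } # settings and alias definitions
    {
        eq = index($0, "=")
        if (eq == 0) next
        who = $1                                 # user, or %group
        rhs = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)/, "", rhs)         # drop the (runas) part
        auth = (rhs ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
        gsub(/[A-Z_]+:/, "", rhs)                # drop tags such as NOPASSWD:
        scope = "RESTRICTED"
        n = split(rhs, cmd, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", cmd[i])  # trim each command
            if (cmd[i] == "ALL") scope = "ALL"
        }
        print who, auth, scope
    }'
}

sample_sudoers | audit_sudoers
```

Entries reported as NOPASSWD ALL are the ones worth reviewing first, since they give passwordless root to anyone who can log in as that user.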

    0

    You can do the following from root, or with sudo from your main user:

    usermod -aG sudo tom 

    This will add your user tom to the 'sudo' group, and that's all that should be needed. Since this makes changes to the /etc/sudoers file unnecessary, you can revert your changes there, unless you want to remove the security layer of asking for a password for sudo commands. If you want this, you should use the line (as stated by @JasonRush in his answer) in your /etc/sudoers file:

    tom ALL = NOPASSWD: ALL 

    If, however, you want the usual way of having a password request for sudo commands, you should leave the /etc/sudoers file alone and simply add the user to the 'sudo' group. Then you only have to change /etc/ssh/sshd_config accordingly to not allow password logins.

    Usually Ubuntu is set up in such a way that a usual user should be in some essential groups. You can check which groups your main user is in by typing groups in the terminal.

    This is what it shows for me but your output might differ from that:

    $ groups
    <users-own-group> adm cdrom sudo dip plugdev lpadmin sambashare

    A normal user who should not have extensive permissions should be at least in cdrom, plugdev, lpadmin. But since you're creating a sudo user (at least it appears to me you want that) you should add your user to the groups accordingly. You can concatenate groups in the above-mentioned command by using , to separate them. However, groups like sambashare might not be needed if you do not have samba installed.

    usermod -aG <group1>,<group2> <username>
    1
    • Thanks - What does it essentially do? Do I need to do it for every user I create? I'd be happy if you can add some details
      – senty
      Commented Dec 6, 2017 at 2:16
