Password necessary in face of sudo

Hi all,

I have logged in successfully via ssh to raspi3 with openhabian as openhabian@openHABianPi.
Afterwards I want to start a Python script with 2 parameters like:

openhabian@openHABianPi:~/scripts$ sudo shutter.py 5 100

But openhabian is asking for the password:

[sudo] password for openhabian:

Only when I supply the password “openhabian” (it is the default password, which I am using via ssh)
the script started and is working fine.
When I started the script again, e.g. 1 minute later, no password is necessary.

Is there any solution to avoid the extra entering of the password after starting the script for the first time?

Thanks a lot,
Rolf

This is default behaviour for sudo, not openhabian related.

Enter

sudo visudo

in your ssh session

Add the following line at the end of your file:

openhabian ALL=NOPASSWD: ALL

Save and close the sudoers file.
You should now (maybe after a reboot) be able to use sudo without being asked to enter a password.

Hi Hans-Jörg,

thanks for your response, but it’s not working as expected.
I have added the following row via sudo visudo and rebooted the system again,
but it’s still necessary to put in the pw for openhabian.

# User privilege specification

root ALL=(ALL:ALL) ALL
openhabian ALL=(ALL) NOPASSWD: ALL

# Allow members of group sudo to execute any command

%sudo ALL=(ALL:ALL) ALL

Best Regards
Rolf

The entry is wrong, just checked it on one of my machines.

openhabian ALL=NOPASSWD: ALL

is the correct line. Sorry for my mistake. I corrected my first answer.

Hi Hans-Jörg,

I have corrected the entry to:

openhabian ALL=NOPASSWD: ALL

But the behavior is the same, openhabian is asking for a pw.

Strange and I am running out of clues, as this is working on several machines running in my environment.

If openhabian is a member of the group sudo, the policy would be overridden by the group policy, as this is defined after users. In fact, it is not a good idea to allow the user to execute all commands without a password; it’s better to set this per command, and it’s better not to touch /etc/sudoers at all. Please take a look at /etc/sudoers to see if there is a line at the bottom of the file:

#includedir /etc/sudoers.d

The number sign is necessary here; this is not a comment! If this line exists, you can use the directory to expand sudoers policies:

sudo touch /etc/sudoers.d/nopasswordneeded
sudo chmod 440 /etc/sudoers.d/nopasswordneeded
sudo visudo -f /etc/sudoers.d/nopasswordneeded

Now type:

openhabian openHABianPi = (root) NOPASSWD: /usr/bin/python /home/openhabian/scripts/shutter.py 5 100

as this is the correct term:

  • openhabian is the user name the line applies to
  • openHABianPi is the host the line applies to, so you can limit from which machine the user can operate.
  • (root) is the user who can be used to execute the command (otherwise you could use sudo -u anyuser to execute a command as another user, not only root)
  • /usr/bin/python: you have to expose the complete path to the command
  • /home/openhabian/scripts/shutter.py: I’m quite sure you will have to expose the full path to the script file as well
  • 5 100: of course, you don’t need to expose the parameters, but it’s possible to do so
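An added illustration (not part of the thread and not sudo's own code) of the ordering effect described in the post above: a simplified Python model of sudoers matching in which the last matching rule decides. It assumes openhabian is a member of group sudo and that the drop-in file is read after the main file; the function names `parse` and `needs_password` are hypothetical.

```python
import re

# Simplified sudoers rule: WHO HOST = [(RUNAS)] [NOPASSWD:] COMMAND
RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\([^)]*\)\s*)?(NOPASSWD:\s*)?(.+)$")

# Lines taken from the thread; the file split is an assumption of this example.
MAIN = """\
root ALL=(ALL:ALL) ALL
openhabian ALL=(ALL) NOPASSWD: ALL
%sudo ALL=(ALL:ALL) ALL
"""
DROPIN = ("openhabian openHABianPi = (root) NOPASSWD: "
          "/usr/bin/python /home/openhabian/scripts/shutter.py 5 100\n")

def parse(text):
    """Return (who, host, nopasswd, command) tuples in file order."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m and not line.lstrip().startswith("#"):  # comments/includes not modelled
            who, host, tag, cmd = m.groups()
            rules.append((who, host, bool(tag), cmd.strip()))
    return rules

def needs_password(rules, user, groups, host, command):
    """True/False for the last matching rule, None if no rule matches."""
    result = None
    for who, rhost, nopasswd, cmd in rules:
        who_ok = who == user or (who.startswith("%") and who[1:] in groups)
        host_ok = rhost in ("ALL", host)
        if " " in cmd:   # rule lists arguments: they must match exactly
            cmd_ok = cmd == command
        else:            # rule has no arguments: any arguments are allowed
            cmd_ok = cmd in ("ALL", command.split()[0])
        if who_ok and host_ok and cmd_ok:
            result = not nopasswd  # later matches override earlier ones
    return result

if __name__ == "__main__":
    run = "/usr/bin/python /home/openhabian/scripts/shutter.py 5 100"
    who = ("openhabian", {"sudo"}, "openHABianPi")
    print("main file only:", needs_password(parse(MAIN), *who, run))
    print("with drop-in:  ", needs_password(parse(MAIN + DROPIN), *who, run))
    print("other command: ", needs_password(parse(MAIN + DROPIN), *who, "/bin/ls"))
```

On the real system, `sudo -l` run as openhabian shows which entries apply to that user.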

Hi Udo,

sorry for my late response, due to vacation.
Thanks a lot for your extensive comments.
It’s working fine now without any pw prompt.

Best wishes
Rolf