GCP - sudo works in GoogleCloudShell but not when I ssh into vm

I created a brand new Google Compute Engine VM (Debian 9) and opened a shell to it using the GoogleCloud shell. I can sudo from that browser shell window.

I then set up my ssh-keys and ssh into the vm. For the sake of discussion, my username is "user123". I ssh into my GCP vm using:

    ssh user123@1.2.3.4

Where 1.2.3.4 is my GCP external IP address. I'm then logged in.

So as user user123 in GoogleCloudShell sudo works, but when logged in via ssh as user123, I'm prompted for a password.

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

    [sudo] password for user123:

Naturally, I don't want or need to set up a password; I need to get sudo to allow this user123 user account to sudo. But it works when logged into GoogleCloudShell.... Hum... I'll track it down but that is my question.

NOTE: Since I have root in my GoogleCloudShell (via sudo), I should be able to find what I need to do and fix this.

What is the next step I need to take in order to allow sudo to work when logged in via ssh?

ssh google-cloud-platform

asked Jan 30 at 4:03
PatS


  • I'm not sure what happened, but I set up another VM and things worked just fine. I can sudo after I ssh into the vm using ssh user123@gcp-host as well as from the GoogleCloudShell. I might delete this question if no one finds it useful.
    – PatS
    Jan 30 at 4:18

  • Hum... The plot thickens. Something whacked my ~/.ssh/authorized_keys file and when I re-created it, I can't sudo when I ssh into the GCP vm. I must be doing something the wrong way (a way that GCP doesn't like).
    – PatS
    Jan 30 at 4:24

  • I closed my GoogleCloudShell and re-opened it. When I did that the GCP environment added two GCP ssh keys (to support the GoogleCloudShell, I'm guessing). When those keys exist, I can sudo when logged in from ssh.
    – PatS
    Jan 30 at 4:27

2 Answers

I'll give you 2 answers.

First, cloud shell is managing instance metadata for you behind the scenes, and allows passwordless sudo for all users added to the project this way. Use Google to set up your user:

https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys
https://cloud.google.com/compute/docs/instances/managing-instance-access

Add the user account you want through the project console. This will propagate that user to all hosts in your project.

Secondly, what you want is to set up passwordless sudo. You can (using visudo) edit /etc/sudoers or create a new file under /etc/sudoers.d and add a line like this:

    user123       ALL = (ALL) NOPASSWD: ALL

You can see that Google is doing it by group membership in the google-sudoers group:

    timmy@instance-1:~$ sudo cat /etc/sudoers.d/google_sudoers
    %google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL
    timmy@instance-1:~$ id
    uid=1000(timmy) gid=1001(timmy) groups=1001(timmy),4(adm),30(dip),44(video),46(plugdev),1000(google-sudoers)

answered Jan 30 at 21:32
Timmy Browne
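
The two mechanisms in the answer above (a per-user NOPASSWD line and the %google-sudoers group rule), as an added example that is not part of the original post: a simplified check that reports which rule, if any, lets a login skip the sudo password, plus a helper that validates a drop-in with visudo before installing it. The function names and the sample files are assumptions made for illustration.

```bash
#!/bin/sh
# Added example, not from the original answers. Simplified matcher, not a full
# sudoers parser: aliases, host lists, Defaults, negation and sudo's
# "last match wins" ordering are ignored.

# nopasswd_source USER "GROUP1 GROUP2 ..." FILE...
# Prints the first NOPASSWD rule that names USER directly or names one of the
# listed groups (as %group), in the form "file: rule". Returns 1 if none match.
# On a VM, run as root, for example:
#   nopasswd_source user123 "$(id -Gn user123)" /etc/sudoers /etc/sudoers.d/*
nopasswd_source() {
    local user="$1" grouplist="$2"
    shift 2
    awk -v user="$user" -v grouplist="$grouplist" '
        BEGIN { n = split(grouplist, g, " "); for (i = 1; i <= n; i++) ingroup[g[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                 # comments, #includedir lines, blanks
        index($0, "NOPASSWD") == 0 { next }     # rule still asks for a password
        {
            who = $1
            if (who == user || (substr(who, 1, 1) == "%" && (substr(who, 2) in ingroup))) {
                print FILENAME ": " $0
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$@"
}

# install_dropin NAME RULE   (run as root)
# Checks RULE with `visudo -cf` before it reaches /etc/sudoers.d, so a syntax
# error cannot break sudo for everyone, and installs it root-owned, mode 0440.
install_dropin() {
    local name="$1" rule="$2" tmp
    case $name in
        *.*|*~)
            # sudo ignores drop-in files whose name contains "." or ends in "~"
            echo "bad drop-in name: $name" >&2
            return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" > "$tmp"
    if visudo -cf "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$name"
    else
        echo "refusing to install: visudo rejected the rule" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}

# Demo on constructed sample files; the two rules are the ones quoted above.
demo_dir=$(mktemp -d)
printf '%s\n' '%google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL' > "$demo_dir/google_sudoers"
printf '%s\n' 'user123       ALL = (ALL) NOPASSWD: ALL'     > "$demo_dir/user123"

# timmy is in google-sudoers (see the `id` output above): the group rule applies.
nopasswd_source timmy "timmy adm google-sudoers" "$demo_dir/google_sudoers"

# A user123 account that is not in google-sudoers matches nothing in that file,
# which is the situation where sudo asks for a password.
nopasswd_source user123 "user123" "$demo_dir/google_sudoers" \
    || echo "user123: no NOPASSWD rule found, sudo will prompt"
```

Comparing the group list from `id -Gn` in the Cloud Shell session with the one in the plain ssh session shows whether the login really has the google-sudoers membership that the group rule depends on.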

After creating a GCP compute engine you don't need to do anything special to get sudo to work from ssh. You obviously need to use the GCP console and add your keys as @TimmyBrowne mentions in his post. See https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys.

After your ssh public key is entered into the GCP Compute Engine instance, you can ssh into your instance. But you need to use the correct username.

For example, if my GCP username is fredsmith, and my GCP external IP is 5.6.7.8, then my ssh command would look like this:

    ssh fredsmith@5.6.7.8

And obviously, your private ssh key needs to match the public key you put into the ssh meta-data for your instance.

After logging in, you can run sudo and it works because GCP has already set up this instance with your credentials (fredsmith) and has put you (fredsmith) into the groups needed so that sudo works, which for GCP seems to be google-sudoers.

If you want to create another user and allow that user to have sudo privileges, then see @TimmyBrowne's answer as he describes this.

I'm still not positive why I was having inconsistent results whereby sometimes I could sudo and other times I couldn't because my authorized_keys file got removed, but I don't have enough information to pursue this any further.

Since Timmy Browne did answer my question as he understood it, and it seems correct, I'm going to give him credit for this answer, but wanted to post my answer so that if others see this same behavior they can upvote this answer and hopefully we can track it down.

answered Feb 1 at 21:47
PatS
