GCP - sudo works in GoogleCloudShell but not when I ssh into vm
I created a brand new Google Compute Engine VM (Debian 9) and opened a shell to it using the GoogleCloud shell. I can sudo from that browser shell window.
I then set up my ssh-keys and ssh into the vm. For the sake of discussion, my username is "user123". I ssh into my GCP vm using:
    ssh user123@1.2.3.4
Where 1.2.3.4 is my GCP external IP address. I'm then logged in.
So as user user123 in GoogleCloudShell sudo works, but when logged in via ssh as user123, I'm prompted for a password.
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
    [sudo] password for user123:
Naturally, I don't want or need to set up a password, I need to get sudo to allow this user123 user account to sudo. But it works when logged into GoogleCloudShell.... Hum... I'll track it down but that is my question.
NOTE: Since I have root in my GoogleCloudShell (via sudo), I should be able to find what I need to do and fix this.
What is the next step I need to take in order to allow sudo to work when logged in via ssh?
ssh google-cloud-platform
asked Jan 30 at 4:03
PatS
I'm not sure what happened, but I set up another VM and things worked just fine. I can sudo after I ssh into the vm using ssh user123@gcp-host as well as from the GoogleCloudShell. I might delete this question if no one finds it useful.
– PatS
Jan 30 at 4:18
Hum... The plot thickens. Something whacked my ~/.ssh/authorized_keys file and when I re-created it, I can't sudo when I ssh into the GCP vm. I must be doing something the wrong way (a way that GCP doesn't like).
– PatS
Jan 30 at 4:24
I closed my GoogleCloudShell and re-opened it. When I did that the GCP environment added two GCP ssh keys (to support the GoogleCloudShell, I'm guessing). When those keys exist, I can sudo when logged in from ssh.
– PatS
Jan 30 at 4:27
2 Answers
I'll give you 2 answers.
First, cloud shell is managing instance metadata for you behind the scenes, and allows passwordless sudo for all users added to the project this way. Use Google to set up your user:
https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys
https://cloud.google.com/compute/docs/instances/managing-instance-access
Add the user account you want through the project console. This will propagate that user to all hosts in your project.
Secondly, what you want is to set up passwordless sudo. You can (using visudo) edit /etc/sudoers or create a new file under /etc/sudoers.d and add a line like this:
    user123 ALL = (ALL) NOPASSWD: ALL
You can see that Google is doing it by group membership in the google-sudoers group:
    timmy@instance-1:~$ sudo cat /etc/sudoers.d/google_sudoers
    %google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL
    timmy@instance-1:~$ id
    uid=1000(timmy) gid=1001(timmy) groups=1001(timmy),4(adm),30(dip),44(video),46(plugdev),1000(google-sudoers)
answered Jan 30 at 21:32
Timmy Browne
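One way to check which rule, if any, gives an account passwordless sudo, using the sudoers lines and the `id` output quoted in the answer above. This is an added example, not part of either answer: the function names and the sample directory are constructed, and the parser assumes single-line rules that start with a user name or `%group`.

```shell
#!/bin/sh
# nopasswd_source USER "GROUP1 GROUP2 ..." DIR
# Prints "file: rule" for the first NOPASSWD rule in DIR that names USER or one
# of the listed groups; returns 1 when no such rule exists (sudo would prompt).
# Simplified: no aliases, no line continuations, no Defaults, and the main
# /etc/sudoers file is not read.
nopasswd_source() {
    user=$1 groups=$2 dir=$3
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}
        # sudo skips drop-in files whose name contains '.' or ends in '~',
        # so a rule saved as "user123.conf" never takes effect.
        case $base in *.*|*~) continue ;; esac
        rule=$(awk -v u="$user" -v g="$groups" '
            BEGIN {
                want[u] = 1
                n = split(g, gs, " ")
                for (i = 1; i <= n; i++) want["%" gs[i]] = 1
            }
            /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
            ($1 in want) && /NOPASSWD[ \t]*:/ { print; exit }
        ' "$f")
        if [ -n "$rule" ]; then
            printf '%s: %s\n' "$base" "$rule"
            return 0
        fi
    done
    return 1
}

# Constructed stand-in for /etc/sudoers.d, built in a temp dir so nothing on
# the host is read or changed.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '%google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL' > "$d/google_sudoers"
    # Same per-user line as in the answer, but in a file sudo would ignore.
    printf '%s\n' 'user123 ALL = (ALL) NOPASSWD: ALL' > "$d/user123.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
# Groups taken from the `id` output in the answer.
nopasswd_source timmy "timmy adm dip video plugdev google-sudoers" "$sample"
# Assumed state of the asker's account: not a member of google-sudoers.
nopasswd_source user123 "user123" "$sample" ||
    echo "user123: no NOPASSWD rule applies, sudo will prompt"
rm -rf "$sample"
```

On a real VM, pass the output of `id -Gn` as the group list and `/etc/sudoers.d` as the directory, and validate any new drop-in with `visudo -cf <file>` before relying on it.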
After creating a GCP compute engine you don't need to do anything special to get sudo to work from ssh. You obviously need to use the GCP console and add your keys as @TimmyBrowne mentions in his post. See https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys.
After your ssh public key is entered into the GCP Compute Engine instance, you can ssh into your instance. But you need to use the correct username.
For example, if my GCP username is fredsmith, and my GCP external IP is 5.6.7.8, then my ssh command would look like this:
    ssh fredsmith@5.6.7.8
And obviously, your private ssh key needs to match the public key you put into the ssh meta-data for your instance.
After logging in, you can run sudo and it works because GCP has already set up this instance with your credentials (fredsmith) and has put you (fredsmith) into the groups needed so that sudo works, which for GCP seems to be google-sudoers.
If you want to create another user and allow that user to have sudo privileges, then see @TimmyBrowne's answer as he describes this.
I'm still not positive why I was having inconsistent results whereby sometimes I could sudo and other times I couldn't because my authorized_keys file got removed, but I don't have enough information to pursue this any further.
Since Timmy Browne did answer my question as he understood it, and it seems correct, I'm going to give him credit for this answer, but wanted to post my answer so that if others see this same behavior they can upvote this answer and hopefully we can track it down.
answered Feb 1 at 21:47
PatS