Csdrhrt

I created a brand new Google Compute Engine VM (Debian 9) and opened a shell to it using the GoogleCloud shell. I can sudo from that browser shell window.

I then setup my ssh-keys and ssh into the vm. For the sake of discussion, my username is "user123". I ssh into my GCP vm using:

ssh user123@1.2.3.4

Where 1.2.3.4 is my GCP external IP address. I'm then logged in.

So as user user123 in GoogleCloudShell sudo works, but when logged in via ssh as user123, I'm prompted for a password.

We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:



    #1) Respect the privacy of others.

    #2) Think before you type.

    #3) With great power comes great responsibility.



[sudo] password for user123:

Naturally, I don't want or need to setup a password, I need to get sudo to allow this user123 user account to sudo. But it works when logged into GoogleCloudShell.... Hum... I'll track it down but that is my question.

NOTE: Since I have root in my GoogleCloudShell (via sudo), I should be able to find what I need to do and fix this.

What is the next step I need to take in order to allow sudo to work when logged in via ssh?

I'll give you 2 answers.

First, cloud shell is managing instance metadata for you behind the scenes, and allows passwordless sudo for all users added to the project this way. Use google to set up your user

https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys
https://cloud.google.com/compute/docs/instances/managing-instance-access

Add the user account you want through the project console. This will propagate that user to all hosts in your project.

Secondly, what you want is to set up passwordless sudo. You can (using visudo) edit /etc/sudoers or create a new file under /etc/sudoers.d and add a line like this:

user123       ALL = (ALL) NOPASSWD: ALL

you can see that google is doing it by group membership in the google-sudoers group

timmy@instance-1:~$ sudo cat /etc/sudoers.d/google_sudoers 

%google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL

timmy@instance-1:~$ id

uid=1000(timmy) gid=1001(timmy) groups=1001(timmy),4(adm),30(dip),44(video),46(plugdev),1000(google-sudoers)

After creating a GCP compute engine you don't need to do anything special to get sudo to work from ssh. You obviously need to use the GCP console and add your keys as @TimmyBrowne mentions in his post. See https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys.

After your ssh public key is entered into the GCP Compute Engine instance, you can ssh into your instance. But you need to use the correct username.

For example, if my GCP username is fredsmith, and my GCP external IP is 5.6.7.8, then my ssh command would look like this:

ssh fredsmith@5.6.7.8

And obviously, your private ssh key needs to match the public key you put into the ssh meta-data for your instance.

After logging in, you can run sudo and it works because GCP has already setup this instance with your credentials (fredsmith) and has put you (fredsmith) into the groups needed so that sudo works which for GCP seems to be google-sudoers.

If you want to create another user and allow that user to have sudo privileges, then see @TimmyBrowne answer as he describes this.

I'm still not positive why I was having inconsistent results whereby sometimes I could sudo and other times I couldn't because my authorized_keys file got removed, but I don't have enough information to pursue this any further.

Since Timmy Browne did answer my question as he understood it, and it seems correct. I'm going to give him credit for this answer, but wanted to post my answer so that if others see this same behavior they can upvote this answer and hopefully we can track it down.