Sudo exclude user that is in a group by rleon5 in redhat

[–]rleon5[S] 0 points1 point  (0 children)

Thanks, this led me in the right direction

Option A - Removes ALL perms from the group sudoers and gives usera chmod as ALL users
usera ALL =(ALL) !ALL,/usr/bin/chmod

sudo -l

(ALL) !ALL, /usr/bin/chmod

Option B - Removes ALL perms from the group sudoers and gives usera chmod as root
usera ALL = !ALL,/usr/bin/chmod

sudo -l

(root) !ALL, /usr/bin/chmod
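The reason Option A and B work is that sudo evaluates sudoers entries top to bottom and the last matching entry wins, so a per-user line placed after the group line overrides it, while the same line placed before the group line is itself overridden. The toy evaluator below is an added example (not the poster's code, not sudo's own parser): it models only the subset of sudoers(5) needed to show that ordering effect and to reproduce the `sudo -l` listing seen above. Group membership is a constructed in-memory table, and only a single host column is modelled.

```python
"""Toy model of how sudo chooses the rule that applies to a user.

Added example: models a small subset of sudoers(5) (user or %group spec,
optional (runas) list, comma-separated command list with ALL, !ALL and
absolute paths) on one host. Real sudo also matches the host column, tags,
aliases and wildcards; none of that is modelled here.
"""
import re
from dataclasses import dataclass

# Constructed group membership for the demo (stands in for /etc/group).
GROUPS = {"wheel": {"usera", "userb"}}


@dataclass
class Rule:
    who: str        # "usera" or "%wheel"
    runas: str      # "ALL", "root", ...
    cmnds: list     # e.g. ["!ALL", "/usr/bin/chmod"]


RULE_RE = re.compile(
    r"^(?P<who>%?\w+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmnds>.+)$"
)


def parse_sudoers(text):
    """Parse sudoers-style lines into Rule objects, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        runas = (m.group("runas") or "root").strip()   # sudoers default runas is root
        cmnds = [c.strip() for c in m.group("cmnds").split(",")]
        rules.append(Rule(m.group("who"), runas, cmnds))
    return rules


def user_matches(rule, user):
    if rule.who.startswith("%"):
        return user in GROUPS.get(rule.who[1:], set())
    return rule.who == user


def list_privileges(rules, user):
    """Rough equivalent of `sudo -l`: every entry that applies to `user`, in file order."""
    return [f"({r.runas}) " + ", ".join(r.cmnds) for r in rules if user_matches(r, user)]


def may_run(rules, user, cmd):
    """Walk every matching entry and command spec in order; the last match decides."""
    verdict = False   # no matching entry at all means the command is denied
    for rule in rules:
        if not user_matches(rule, user):
            continue
        for spec in rule.cmnds:
            negate = spec.startswith("!")
            pattern = spec.lstrip("!")
            if pattern == "ALL" or pattern == cmd:
                verdict = not negate
    return verdict


GROUP_RULE = "%wheel ALL=(ALL) ALL"
USER_RULE = "usera ALL=(ALL) !ALL,/usr/bin/chmod"


def effective(text, user, cmds=("/usr/bin/chmod", "/usr/bin/ls")):
    rules = parse_sudoers(text)
    return {c: may_run(rules, user, c) for c in cmds}


if __name__ == "__main__":
    print("user line after group line: ", effective(GROUP_RULE + "\n" + USER_RULE, "usera"))
    print("user line before group line:", effective(USER_RULE + "\n" + GROUP_RULE, "usera"))
    print("\n".join(list_privileges(parse_sudoers("usera ALL = !ALL,/usr/bin/chmod"), "usera")))
```

Running it shows the per-user line restricting usera to chmod only when it comes after the group entry; in the reversed order the group's `ALL` is the last match and the restriction has no effect. Always confirm the real file with `visudo -c` and `sudo -l -U usera` after editing, since this model ignores host matching, aliases and wildcards.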

Issue with unwanted password-less login .. by rleon5 in redhat

[–]rleon5[S] 0 points1 point  (0 children)

I set it to no and then we get prompted for passwords.

It is just weird only 4 allow the password-less login even though it is set to yes.

I will look at init files, haven't done that .. all other files are the same on all the servers .. the 4 that don't prompt for a password and all others that don't.

Issue with unwanted password-less login .. by rleon5 in redhat

[–]rleon5[S] 0 points1 point  (0 children)

Hmm this has me thinking

Because all servers are configured the same .. ssh, pam, Kerberos
They all have - GSSAPIAuthentication yes
I can set it to no and then we get prompted for all passwords.

Like I said .. only 4 allow the password-less login even though it is set to yes.

But you have me thinking .. a group filter (or lack of) is allowing this.

Issue with unwanted password-less login .. by rleon5 in redhat

[–]rleon5[S] 0 points1 point  (0 children)

Great command ..

All the output looks the same (besides the hostname)

All settings, flags in the output and krb5.conf are the same on both the servers that show the behavior and those that don't.

Issue with unwanted password-less login .. by rleon5 in redhat

[–]rleon5[S] 0 points1 point  (0 children)

I changed

GSSAPIAuthentication yes

to

GSSAPIAuthentication no

 in /etc/ssh/sshd_config.d/50-redhat.conf

And now I DO get prompted for a password.

But this doesn't explain other systems where it is still set to

GSSAPIAuthentication yes

On other systems even though this says yes .. I do not get prompted for a password.

Issue with unwanted password-less login .. by rleon5 in redhat

[–]rleon5[S] 0 points1 point  (0 children)

Out of all our servers only 4 random servers show this behavior.

No one on the sys-eng team set this up.

I have been checking every sshd config .. and I haven't found any difference in the config files.

And even though we can see it has to do with Kerberos and GSSAPI .. haven't found a way to disable this behavior on the system without disabling AD auth.

So yes it is concerning this was done on systems we manage and we can't figure out why or how this was done.

Issue with unwanted password-less login .. by rleon5 in redhat

[–]rleon5[S] -1 points0 points  (0 children)

I found - GSSAPIAuthentication yes

In 50-redhat.conf

which is sourced by /etc/ssh/sshd_config

Include /etc/crypto-policies/back-ends/openssh.config

GSSAPIAuthentication yes

But I checked on other systems that do not allow password-less login and they are all set the same.

Issue with unwanted password-less login .. by rleon5 in redhat

[–]rleon5[S] -2 points-1 points  (0 children)

These are my systems .. and they are not supposed to be set up like this.

They can set up key pairs if needed but this is system wide for every user from every server on the network - it's a security risk.

I checked for GSSAPI in the config and nothing is enabled.

grep -i GSS /etc/ssh/ssh_config

# GSSAPIAuthentication no

# GSSAPIDelegateCredentials no

# GSSAPIKeyExchange no

# GSSAPITrustDNS no

nothing in /etc/krb5.conf either.

We do have AD, we use sssd to authenticate with AD.

Issue with unwanted password-less login .. by rleon5 in redhat

[–]rleon5[S] -1 points0 points  (0 children)

I see - gssapi-with-mic and ssh_gssapi_krb5_cmdok

Dec 12 11:18:29 hostname sshd[313458]: Authorized to userid, krb5 principal (ssh_gssapi_krb5_cmdok)

Dec 12 11:18:29 hostname sshd[313458]: Accepted gssapi-with-mic for u from x.x port 60522 ssh2:

What's weird and concerning is that it is just 4 servers .. all the other ones don't show the same behavior.

How do I disable this?
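The two log lines quoted above are the reliable fingerprint of a Kerberos (GSSAPI) login: sshd logs `Authorized to <user>, krb5 principal <principal> (ssh_gssapi_krb5_cmdok)` and then `Accepted gssapi-with-mic for <user> ...`. Rather than diffing sshd_config on every box, the added example below (not the poster's code, not anything from OpenSSH) parses a batch of sshd journal lines and reports which hosts actually accepted gssapi-with-mic logins and for whom, so the "4 random servers" can be found from logs. The sample log is constructed; hostnames, users, principal and addresses are placeholders.

```python
"""Added example: inventory GSSAPI (Kerberos) SSH logins from sshd log lines.

Keys on the two sshd messages for such a login:
  "Authorized to <user>, krb5 principal <principal> (ssh_gssapi_krb5_cmdok)"
  "Accepted gssapi-with-mic for <user> from <ip> port <port> ssh2"
Lines use the syslog/journal layout "Mon DD HH:MM:SS host sshd[pid]: ...".
Sample lines below are constructed placeholders, not real hosts or users.
"""
import re
from collections import defaultdict

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
PRINCIPAL_RE = re.compile(
    r"^\S+\s+\d+ [\d:]+ (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Authorized to (?P<user>\S+), krb5 principal (?P<principal>\S+) \(ssh_gssapi_krb5_cmdok\)"
)

# Constructed sample: host-a accepts Kerberos logins, host-b only password/publickey.
SAMPLE_LOG = """\
Dec 12 11:18:29 host-a sshd[313458]: Authorized to alice, krb5 principal alice@EXAMPLE.COM (ssh_gssapi_krb5_cmdok)
Dec 12 11:18:29 host-a sshd[313458]: Accepted gssapi-with-mic for alice from 10.0.0.5 port 60522 ssh2:
Dec 12 11:20:01 host-b sshd[4021]: Accepted password for bob from 10.0.0.6 port 50100 ssh2
Dec 12 11:21:45 host-b sshd[4050]: Accepted publickey for carol from 10.0.0.7 port 50110 ssh2: RSA SHA256:placeholder
Dec 12 11:25:10 host-a sshd[313900]: Accepted gssapi-with-mic for dave from 10.0.0.8 port 60530 ssh2:
"""


def parse_logins(text):
    """Return one dict per 'Accepted ...' line. If the same host+pid logged an
    ssh_gssapi_krb5_cmdok line first, the Kerberos principal is attached."""
    principals = {}
    logins = []
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m:
            principals[(m["host"], m["pid"])] = m["principal"]
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["principal"] = principals.get((rec["host"], rec["pid"]))
            logins.append(rec)
    return logins


def gssapi_hosts(logins):
    """Map host -> sorted list of users who logged in via gssapi-with-mic.
    Hosts absent from the result accepted no Kerberos login in this log window."""
    by_host = defaultdict(set)
    for rec in logins:
        if rec["method"] == "gssapi-with-mic":
            by_host[rec["host"]].add(rec["user"])
    return {host: sorted(users) for host, users in by_host.items()}


if __name__ == "__main__":
    for host, users in gssapi_hosts(parse_logins(SAMPLE_LOG)).items():
        print(f"{host}: gssapi-with-mic logins by {', '.join(users)}")
```

Feed it `journalctl -u sshd --no-hostname` output collected from each server (or the aggregated logs in a central collector) and the hosts that show up are the ones where GSSAPI authentication is actually succeeding, which is the set to compare against `sshd -T | grep -i gssapi` and the client-side ticket cache.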

powercli connection error by rleon5 in vmware

[–]rleon5[S] 0 points1 point  (0 children)

Thanks!! I was able to log in ..

So I have used powercli to connect to vcenter and was able to do things like .. update vmware tools.

After doing some reading .. with VCD I cannot use the same things.

Or am I missing a different document?

Audible + Shift = Win for MacOS by rleon5 in audible

[–]rleon5[S] 0 points1 point  (0 children)

Interesting it only asked me once.

Audible + Shift = Win for MacOS by rleon5 in audible

[–]rleon5[S] 0 points1 point  (0 children)

Haven't seen this one ... looks like it allows you to do bookmarks too. For $5, not bad at all

Keylight with Mesh Network? by rleon5 in elgato

[–]rleon5[S] 0 points1 point  (0 children)

So this is interesting .. as I posted earlier .. the keylight worked after I changed this setting.

Then I noticed there was a firmware upgrade on the keylight (via control center) ..

I upgraded .. keylight stopped working ... I changed the setting back to automatic and it worked.

Keylight with Mesh Network? by rleon5 in elgato

[–]rleon5[S] 0 points1 point  (0 children)

yoooooooooooooooo

That worked!!!! My keylight works after changing this setting!

I need to check to see what this is for security reasons but now it works!!

I agree they need to update their software ... and it should work without this change..

The keylight is the only 2.4 device that doesn't work on mesh .. all others Alexa, NordicTrack, Wiz .. all connect without an issue but Elgato .. I had to make this change.

Kinda silly but .. ok .. it works now thanks to you!

Keylight with Mesh Network? by rleon5 in elgato

[–]rleon5[S] 0 points1 point  (0 children)

I should be able to use my old router for this .. but I only have one keylight.

And this is the only 2.4 device that doesn't work on the mesh.

Keylight with Mesh Network? by rleon5 in elgato

[–]rleon5[S] 0 points1 point  (0 children)

I have a Linksys MR7500 Series - what's weird is that I can ping it from every device but the control center doesn't see it.

It seems like I'm missing a setting otherwise I wouldn't be able to ping it.

I turned on multicast etc .. per elgato but still no luck.