From Mitch Marks:
Pasting from a Word doc, so please forgive peculiar characters. Also,
this was originally a document addressed to the Lab Assistants, so Mentors
please mentally correct whatever references need changing.
Lab assistants, you've probably already seen this but feel free to reread
if you might have questions. In the Using homerooms, much of the task of
dealing with user passwords will likely fall to you (though all mentors
are authorized for "sudo passwd").
Setting someone else's password using sudo
The sudo program allows designated users to perform administrative tasks
without logging in as the administrator. Among the operations that can be
enabled this way is changing a password for someone else (or oneself)
without knowing the current password.
The command passwd (by itself, not in conjunction with sudo) is used two
ways.
A. Any user can use it to change her\his own password, if they know the
current one. In this use, it is invoked by itself on the command line,
with no additional parameter. It will ask you to type in your current
password; even though in principle you already logged in if you got this
far, the extra check at the time of changing the password is meant as
protection against things like a malicious passerby changing the password
of a user who stepped away from their terminal.
B. When logged in to the administrative account, you can use the passwd
command to change another user's password. In this use, it is invoked
with that username supplied as a commandline argument, for example "passwd
bbunny".
In both cases, it will expect the new password to be typed twice and won't
change the password if the two tries don't match. (Nothing is echoed to
the terminal, not even asterisks.) Also in both cases it will examine the
proposed new password and complain if it's too short or simple or too much
like just a word or common name. A difference is that in case (A) it
will then refuse to set the new password, but in case (B) it will set the
new password if you insist (by typing it in the second time).
With sudo, you get the (B) kind of interaction without having logged in as
the administrative user. You prefix sudo to the passwd command formed the
way you would in (B). Thus there will be three words on the command, for
example
    sudo passwd bbunny
There are a couple ways the interaction can get slightly more involved
when using sudo passwd than when just using passwd:
1. If this is the first time you have used sudo on this server, it will
print out a little finger-waggling lecture, amounting to "be careful". It
just does this; I didn't set it to do this, and didn't write the message.
2. If you have not been using sudo very recently (like, in the last five
minutes), it will expect you to verify your identity, by supplying your
own password. The prompt for this will use the words "your own" and will
name the account you're logged in under. This can actually get a little
confusing, because the passwd program you're invoking will also be
prompting for a password to be entered, but that will be the new one
you're setting for somebody. So read the prompts!
There are some prerequisites to being able to run sudo (with a particular
included command, such as passwd in the above discussion).
1. You of course need an account on the server in question and need to
know your username and password and have a good terminal emulation program
on your computer. In short, you have to be able to log in. (We'll make
sure of this for all the Lab Assistants at or after today's meeting.)
2. Your username must be listed in the sudo authorization file, in
conjunction with the particular included command (passwd). Again, this is
something we'll take care of today.
3. You need to know what to do. If you've absorbed the above
instructions, or already knew about the process, then you're all set. If
you'd like to practice, try it out with the Bugs Bunny or Daffy Duck
accounts (bbunny and dduck) as your "victims". (Change the password, then
by telnet or ssh do a login under that user identity, to verify that the
password you set works and that another one you try doesn't.) If you want
to, you can try this out by partnering with someone else, who is right
there with you, and change his or her password; then have them test it;
then switch over. (Don't play around by switching a colleague's password
without their knowledge and consent, for the sake of giving them a hard
time. It's not actually a very clever trick, and nobody will like your
doing that.)
As part of the (B) style interaction which sudo passwd USERNAME gives you,
a bad password will be pointed out by the program but will not be
prevented. This does not mean you should let the participants prevail
upon you to set them totally trivial passwords. Where this document
suggests setting a new password when the current one is awkward for a user
to type, that's about finger placement and shifting; you might offer them
a new one on the same general model (two words linked by digit or symbol),
just pick one not too challenging. (If you want suggestions, and are
already logged in anyway to the server command line shell, try the command
"pwd60".)
On Sat, 5 Jul 2003, Mitchell Marks wrote:
> Please check the brief lists below and verify that your correct WIT/CUIP
> server username is listed. These are pasted directly from the control
> file which authorizes use of sudo. If your WIT/CUIP server username is
> missing or given incorrectly, please inform server@cuip.net .
>
> User_Alias MENTORS = cac, wgeraci, christie, stuart, shaz, mmarks,
>     efabiyi, edairyko, jlyman,
>     fboxer, tjones, rrevzan, nzumpano, camon, jmckennis, mwiggins,
>     mmurphy, ddelaney,
>     sedstrom, arussell, aross, crjohnson, epullman, jay, lgool, lgray,
>     billings,
>     mmanning, ocarter, plevitt, rbrown, jreeves, stownsend,
>     slcomstock, mwarden
>
> User_Alias LABS = mohamed, tbbuckle, ajwilson, hashem, pvtchetg, vikas
> User_Alias STAFF = ben, mmarks, stuart, christie, shaz, jonathan