Why is sudoers NOPASSWD option not working?

You should put that line after the line with the rule for the sudo group, because, as the sudoers man page states:

   When multiple entries match for a user, they are applied in order.
   Where there are multiple matches, the last match is used (which is not
   necessarily the most specific match).

Just ran into this too.

My situation is I'm setting up a remote system that will run headless. I have enabled full disk encryption (otherwise an attacker with physicall access can do anything he or she wants) I want to auth with pub key only (I will unset the password so that the "have something, know something" scheme will be a password protected keypair --root login is of course disabled entirely)

The Ubuntu installer prompts for a non-root admin user which gets added to the group sudo. I had then manually added myself to the sudoers file using sudo visudo:

my_username ALL=(ALL:ALL) NOPASSWD:ALL

NOTE if you use nopasswd on your laptop you must always lock your computer as you walk away or else a casual attacker can compromise a lot while you're getting up to put cream in your coffee

I was still having to password authenticate.

enzotib's answer is the key to what's going on. The group sudo shows up in sudoers after the entry for my username.

Rather than moving my entry below the sudo line I simply removed the line I had previously added and then added NOPASSWD to the entry for %sudo

That seems to work. Again only use nopasswd if you really need it (In my case it was precisely what I needed, for most users requiring a password for sudo activity is best)

Additional WARNING: Always edit sudoers with visudo. (sudo visudo) Also, having another window open switched to the root user allows you to recover any mistakes you might make while changing the sudoers file.


Ideally if you are customizing what commands can be run via sudo you should be making these changes in a separate file under /etc/sudoers.d/ instead of editing the sudoers file directly. You should also always use visudo to edit the file(s).

Example: sudo visudo -f /etc/sudoers.d/slowcpu

Insert your line granting permission: gatoatigrado ALL=NOPASSWD: /bin/set-slow-cpufreq

Then save and exit and visudo will warn you if you have any syntax errors.

You can run sudo -l to see the permissions that your user has been granted, if any of the user specific NOPASSWD commands appear BEFORE any %groupyouarein ALL=(ALL) ALL command in the output you will be prompted for your password.

If you find yourself creating lots of these sudoers.d files then perhaps you will want to create them named per user so they are easier to visualize. Keep in mind that the ordering of the FILE NAMES and of the RULES within the file is very important, the LAST one loaded wins, whether it is MORE or LESS permissive than the previous entries.

You can control the file name ordering by using a prefix of 00-99 or aa/bb/cc, though also keep in mind that if you have ANY files that don't have numeric prefix, they will load after the numbered files, overriding the settings. This is because depending on your language settings the "lexical sorting" the shell uses sorts numbers first and then may interleave upper and lowercase when sorting in "ascending" order.

Try running printf '%s\n' {{0..99},{A-Z},{a-z}} | sort and printf '%s\n' {{0..99},{A-Z},{a-z}} | LANG=C sort to see whether your current language prints AaBbCc etc or ABC then abc to determine what the best "last" letter prefix to use would be.