Setting password on sudo su for Amazon EC2 Instance

Our staging server is on an Amazon EC2 instance. When you ssh into it you can execute a sudo command or sudo su without having to enter a password.

Is there any way I can require a password from a user when they try a command with sudo? I have a 3rd party dev who needs access and I want to restrict root privileges for them.

I tried setting a password with sudo passwd but I still don't require a password.

~$ sudo passwd root
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
~$ sudo su
/home/ubuntu# exit
~$ sudo passwd
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
~$ sudo su
/home/ubuntu#

UPDATE

I tried requiring the password by running sudo visudo and adding:

ubuntu        ALL=(ALL)       ALL

Now I'm asked for a password but the one which I set does not work! Luckily I created an AMI before I started any of this.

Could the issue be that I don't have a password set for the ubuntu user? Should I have run sudo passwd ubuntu rather than sudo passwd root?


FINAL SOLUTION

Just to clarify, my mistake was that I set the password for the wrong user: I tried to set it for root, whereas I should have set it for ubuntu with:

~$ sudo passwd ubuntu

And then updating /etc/sudoers so that the ubuntu user must give their password when running a sudo command. To edit this file you must run sudo visudo and add:

ubuntu        ALL=(ALL)       ALL

If you have a line like

ALL ALL=(ALL) NOPASSWD:ALL

in /etc/sudoers, this will allow all users to sudo without being prompted for passwords. If you uncomment this line you will have to specify which users are allowed to use sudo, for instance

myuser ALL=(ALL) ALL

Sudo will cache your credentials, so that if you use it multiple times within a short time period, it will only ask for your password the first time.

The man page says:

   timestamp_timeout
                     Number of minutes that can elapse before sudo will
                     ask for a passwd again.  The timeout may include a
                     fractional component if minute granularity is
                     insufficient, for example 2.5.  The default is 5.
                     Set this to 0 to always prompt for a password.  If
                     set to a value less than 0 the user's time stamp
                     will never expire.  This can be used to allow users
                     to create or delete their own time stamps via "sudo
                     -v" and "sudo -k" respectively.

So if you always want to request a password, you simply type sudo visudo to edit the file. Add this line:

Defaults        timestamp_timeout=0

This will require a password to be entered for all sudo commands.
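
A way to check the result of the changes discussed in this thread, as an added example that is not part of the original question or answers: the script reports active rules that still carry NOPASSWD and the last global timestamp_timeout setting in the files it is given. The function names and the sample file contents are constructed for illustration; it only inspects the NOPASSWD tag and global Defaults lines, not other ways of skipping authentication.

```shell
#!/bin/sh
# Added example: audit sudoers-format files for rules that skip the password
# prompt and for the credential cache timeout. Function names are hypothetical.

# Print every active (non-comment) rule that carries the NOPASSWD tag.
nopasswd_rules() {
    grep -hE '^[[:space:]]*[^#[:space:]].*NOPASSWD[[:space:]]*:' "$@" 2>/dev/null
}

# Print the last timestamp_timeout value set on a global Defaults line,
# or "5" (the default quoted from the man page above) when none is set.
timestamp_timeout() {
    awk '
        /^[ \t]*Defaults[ \t]/ && /timestamp_timeout[ \t]*=/ {
            v = $0
            sub(/.*timestamp_timeout[ \t]*=[ \t]*/, "", v)  # drop text before the value
            sub(/[, \t].*/, "", v)                          # drop anything after it
            val = v
        }
        END { print (val == "" ? "5" : val) }
    ' "$@" 2>/dev/null
}

# Return 0 only when no rule skips the prompt and caching is disabled.
always_prompts() {
    [ -z "$(nopasswd_rules "$@")" ] && [ "$(timestamp_timeout "$@")" = "0" ]
}

# Constructed sample input: the NOPASSWD line and the final settings from this thread.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# a comment mentioning NOPASSWD: is ignored' 'ALL ALL=(ALL) NOPASSWD:ALL' > "$dir/before"
    printf '%s\n' 'Defaults        timestamp_timeout=0' 'ubuntu        ALL=(ALL)       ALL' > "$dir/after"
    for f in before after; do
        if always_prompts "$dir/$f"; then echo "$f: always prompts"
        else echo "$f: NOPASSWD rules: $(nopasswd_rules "$dir/$f" | wc -l), timeout: $(timestamp_timeout "$dir/$f")"
        fi
    done
    rm -rf "$dir"
}

demo
```

On a real host, run the functions as root against /etc/sudoers together with any files under /etc/sudoers.d that your sudoers file includes, since a NOPASSWD rule in an included file also applies.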