IP rule in the sudoers file does not work

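I have two servers, a and b. When I log in to a and then ssh to b, I don't want to enter a password for sudo commands.

On b, I configured sudo so that no password is required if the host is 172.25.9.13.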

gqqnbig@b:~$ sudo cat /etc/sudoers.d/cluster-create-user
%sudo 172.25.9.13=(ALL) NOPASSWD: ALL
gqqnbig@b:~$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# Limit members of group sudo to execute any command, except
test ALL=ALL, !/bin/su

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Now I log in to a and make sure that a's IP is 172.25.9.13. Then I ssh to b. However, sudo on b still asks for a password.

gqqnbig@a:~$ ifconfig
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.25.9.13  netmask 255.255.255.0  broadcast 172.25.9.255
        inet6 fe80::3648:edff:fef9:9c1c  prefixlen 64  scopeid 0x20<link>
        ether 34:48:ed:f9:9c:1c  txqueuelen 1000  (Ethernet)
        RX packets 492366  bytes 127428889 (127.4 MB)
        RX errors 0  dropped 212004  overruns 0  frame 0
        TX packets 133728  bytes 21062341 (21.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 33

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2865  bytes 266771 (266.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2865  bytes 266771 (266.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


gqqnbig@a:~$ ssh b
...
Last login: Tue Mar  2 11:15:57 2021 from 172.28.80.67
gqqnbig@b:~$ sudo mkdir
[sudo] password for gqqnbig:

Why doesn't the IP rule work? How can I debug it?

Answer 1

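The host is the system on which sudo runs the command. It has nothing to do with any remote system you may be connecting from (sudo knows nothing about that in the first place). The host specification 172.25.9.13 matches if one of b's interfaces has the IP 172.25.9.13.

(This can be useful in setups where multiple systems share the same sudoers file.)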
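
An added example (not part of the original answer, and not sudo's own code): a simplified Python model of the host matching described above, applied to the two %sudo entries from the question, and extended to network/prefix and host-name specifications. It assumes gqqnbig is a member of group sudo; the function names are hypothetical, and b's address 172.25.9.20 is a constructed value because the page does not show it.

```python
import ipaddress
from fnmatch import fnmatch

# Note what is absent: no parameter carries the SSH client's address.
def host_matches(spec, local_hostname, local_addrs):
    """Simplified sudoers Host check: only the machine running sudo is consulted."""
    if spec == "ALL":
        return True
    try:
        net = ipaddress.ip_network(spec, strict=False)  # a bare IP becomes a /32
    except ValueError:
        # Not an address or network: compare against the local host name
        # (shell-style wildcards, as in sudoers).
        return fnmatch(local_hostname, spec)
    return any(ipaddress.ip_address(a) in net for a in local_addrs)

# Host spec and password requirement of the two %sudo entries from the question,
# in the order sudo reads them (/etc/sudoers, then /etc/sudoers.d at its end).
RULES = [
    ("ALL", True),           # %sudo ALL=(ALL:ALL) ALL
    ("172.25.9.13", False),  # %sudo 172.25.9.13=(ALL) NOPASSWD: ALL
]

def password_required(local_hostname, local_addrs, rules=RULES):
    """True/False from the last matching entry; None if no entry matches."""
    result = None
    for spec, needs_password in rules:
        if host_matches(spec, local_hostname, local_addrs):
            result = needs_password  # where several entries match, the last is used
    return result

if __name__ == "__main__":
    # Constructed sample: b's own address is not shown on the page.
    print("sudo on b, password required:", password_required("b", ["172.25.9.20"]))
    print("same file on a, password required:", password_required("a", ["172.25.9.13"]))
```

On the real system, `sudo -l` run on b lists the entries that apply to the invoking user on the current host, which shows whether the NOPASSWD entry was matched.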
