[GH-ISSUE #208] selfAddPersonalAccess fails with "sudo: a password is required" #57

New issue

Closed

opened 2026-05-07 00:18:12 +02:00 by BreizhHardware · 3 comments

BreizhHardware commented

2026-05-07 00:18:12 +02:00

Owner

Originally created by @siexp on GitHub (Jun 27, 2021).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/208

Trying to add access to host but command fails with sudo: a password is required for both privileged and sudoer users

bastion version 3.03.01 with default setup from documentation

bssh --osh selfAddPersonalAccess --host xxx.xxx.xxx.xxx --port 22 --user bastion

---bastion------------------------------------------------the-bastion-3.03.01---
=> adding personal access to a server on your account
--------------------------------------------------------------------------------
~ Testing connection to root@xxx.xxx.xxx.xxx, please wait...
Warning: Permanently added 'xxx.xxx.xxx.xxx' (ECDSA) to the list of known hosts.
sudo: a password is required
~ The helper didn't return any data, maybe it crashed, please report to your sysadmin

Originally created by @siexp on GitHub (Jun 27, 2021). Original GitHub issue: https://github.com/ovh/the-bastion/issues/208 Trying to add access to host but command fails with `sudo: a password is required` for both privileged and sudoer users bastion version `3.03.01` with default setup from documentation ``` bssh --osh selfAddPersonalAccess --host xxx.xxx.xxx.xxx --port 22 --user bastion ---bastion------------------------------------------------the-bastion-3.03.01--- => adding personal access to a server on your account -------------------------------------------------------------------------------- ~ Testing connection to root@xxx.xxx.xxx.xxx, please wait... Warning: Permanently added 'xxx.xxx.xxx.xxx' (ECDSA) to the list of known hosts. sudo: a password is required ~ The helper didn't return any data, maybe it crashed, please report to your sysadmin ```

BreizhHardware closed this issue

2026-05-07 00:18:13 +02:00

BreizhHardware commented

2026-05-07 00:18:13 +02:00

Author

Owner

@speed47 commented on GitHub (Jun 28, 2021):

This command is restricted, so a bastion admin must first grant you this command (using --osh accountGrantCommand --account YOU --command selfAddPersonalAccess). However, you should get a nicer error message, and not the kinda rough way of sudo telling you that you can't do it:

$ bssh --osh selfAddPersonalAccess
│ 
│ ⛔ Sorry, this command is restricted and requires you to be specifically granted
Connection to bastion.example.org closed.

Of course, if you happen to be a bastion admin, then all these commands should be granted to you, including selfAddPersonalAccess.
Does the selfAddPersonalAccess command appear when you run bssh --osh help? It shows you only commands you have access to. I'll have different suggestions for troubleshooting depending on whether it appears here or not (might be an issue with your sudo installation).

@speed47 commented on GitHub (Jun 28, 2021): This command is restricted, so a bastion admin must first grant you this command (using `--osh accountGrantCommand --account YOU --command selfAddPersonalAccess`). However, you should get a nicer error message, and not the kinda rough way of sudo telling you that you can't do it: ``` $ bssh --osh selfAddPersonalAccess │ │ ⛔ Sorry, this command is restricted and requires you to be specifically granted Connection to bastion.example.org closed. ``` Of course, if you happen to be a bastion admin, then all these commands should be granted to you, including `selfAddPersonalAccess`. Does the `selfAddPersonalAccess` command appear when you run `bssh --osh help`? It shows you only commands you have access to. I'll have different suggestions for troubleshooting depending on whether it appears here or not (might be an issue with your sudo installation).

BreizhHardware commented

2026-05-07 00:18:14 +02:00

Author

Owner

@siexp commented on GitHub (Jun 29, 2021):

@speed47 thank you for the reply,

This command is restricted, so a bastion admin must first grant you this command

And this is a case even for superowner account?

P. S.
I'm following steps in this guide https://ovh.github.io/the-bastion/using/basics.html#bastion-alias

@siexp commented on GitHub (Jun 29, 2021): @speed47 thank you for the reply, >This command is restricted, so a bastion admin must first grant you this command And this is a case even for superowner account? P. S. I'm following steps in this guide https://ovh.github.io/the-bastion/using/basics.html#bastion-alias

BreizhHardware commented

2026-05-07 00:18:14 +02:00

Author

Owner

@speed47 commented on GitHub (Jun 29, 2021):

This command is restricted, so a bastion admin must first grant you this command

And this is a case even for superowner account?

Yes it is. A super-owner is implicity an owner of all the groups, but this person still need to be granted on restricted commands they might need. You can use the --osh accountGrantCommand with no parameters to get the list of all the commands that can be granted this way. The list is also available in the documentation.

P. S.
I'm following steps in this guide https://ovh.github.io/the-bastion/using/basics.html#bastion-alias

I'm currently working on a PR to add documentation on several topics, I'll take this opportunity to add the following note right under "Setting up access to a server":

This section assumes that you've just set up your bastion and your account is the one that has been created on installation, with all the super-powers included, especially access to the restricted selfAddPersonalAccess command that we'll use below. If this is not the case, you'll need first to have a bastion admin grant you this command through accountGrantCommand

Note that if for your setup, you'd like for everybody to have access to the selfAddPersonalAccess command, as if it wasn't restricted (we do have this setup in some of our bastions), you can use the this option in bastion.conf to do so.

@speed47 commented on GitHub (Jun 29, 2021): > > This command is restricted, so a bastion admin must first grant you this command > > And this is a case even for superowner account? Yes it is. A super-owner is implicity an owner of all the groups, but this person still need to be granted on restricted commands they might need. You can use the ``--osh accountGrantCommand`` with no parameters to get the list of all the commands that can be granted this way. [The list is also available in the documentation](https://ovh.github.io/the-bastion/plugins/restricted/index.html). > P. S. > I'm following steps in this guide https://ovh.github.io/the-bastion/using/basics.html#bastion-alias I'm currently working on a PR to add documentation on several topics, I'll take this opportunity to add the following note right under "Setting up access to a server": > This section assumes that you've just set up your bastion and your account is the one that has been created on installation, with all the super-powers included, especially access to the restricted selfAddPersonalAccess command that we'll use below. If this is not the case, you'll need first to have a bastion admin grant you this command through accountGrantCommand Note that if for your setup, you'd like for everybody to have access to the `selfAddPersonalAccess` command, as if it wasn't restricted (we do have this setup in some of our bastions), you can use the [this option in bastion.conf](https://ovh.github.io/the-bastion/administration/bastion_conf.html#accountcreatesupplementarygroups) to do so.

BreizhHardware referenced this issue

2026-05-07 00:19:47 +02:00

[PR #57] [MERGED] osh-backup-acl-keys and osh-encrypt-rsync fixes #200