Ubuntu images on Oracle Cloud (and AWS, Azure, GCP) ship with a special sudo policy that explicitly disables password prompts for the default ubuntu user — even if you set a password and even if you change timestamp_timeout.
Let’s fix it cleanly. This guide assumes your username is ubuntu
Why sudo still doesn’t ask for a password
Cloud images include a file like:
/etc/sudoers.d/90-cloud-init-usersInside it, you’ll find something like:
ubuntu ALL=(ALL) NOPASSWD:ALLThat line overrides everything and forces passwordless sudo.
WARNING: Make sure hour user has a known password
Cloud providers do not have a password set by default, so you should add a password before enabling the sudo password.
Use this command:
sudo passwd ubuntu
Fix: Require password for sudo for the ubuntu user
1. Edit the cloud-init sudoers file
sudo vi /etc/sudoers.d/90-cloud-init-usersChange this:
ubuntu ALL=(ALL) NOPASSWD:ALLTo this:
ubuntu ALL=(ALL) ALLSave and exit.
2. (Optional but recommended) Lock down the timeout
Add this in /etc/sudoers:
Defaults timestamp_timeout=0Now sudo will always ask for a password.
Test it
Run:
sudo lsYou should now get a password prompt.
Note about cloud-init
If you ever rebuild the instance or re-run cloud-init, it may recreate that file. To resolve this you could do one of the following:
- disable cloud-init sudo config
- or override it with a higher‑priority sudoers file
Leave a Reply