Passwordless sudo removes repeated authentication prompts for trusted administrative work in Linux. That can make sense on tightly controlled workstations, dedicated lab systems, or automation accounts where privileged commands must run without an interactive password check.
The sudo policy engine reads the main /etc/sudoers file and any included drop-ins under /etc/sudoers.d. A rule tagged with NOPASSWD skips the password prompt for the matching user or group, while visudo edits the policy safely and sudo -l shows the effective privileges that account receives.
Distribution defaults vary, especially around administrative groups such as sudo and wheel, but the core sudoers syntax stays the same across systems that use sudo. Keep passwordless access scoped to accounts that genuinely need it, use a dedicated drop-in instead of editing the main file directly, and validate the full policy after saving because incorrect syntax, ownership, or permissions can cause sudo to reject the rule.
$ id sgnopass
uid=1001(sgnopass) gid=1001(sgnopass) groups=1001(sgnopass),27(sudo)
Use getent group buildadmins when the rule should target an existing group rather than a single user.
$ sudo visudo -f /etc/sudoers.d/90-sgnopass-nopasswd
Use a simple filename without dots because sudo skips files in /etc/sudoers.d whose names contain a . character.
/etc/sudoers.d/90-sgnopass-nopasswd
sgnopass ALL=(ALL:ALL) NOPASSWD: ALL
Replace sgnopass with the real account name, or use %buildadmins ALL=(ALL:ALL) NOPASSWD: ALL to grant the same behavior to every member of a group.
$ sudo visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/90-sgnopass-nopasswd: parsed OK
/etc/sudoers.d/README: parsed OK
Use the full check instead of validating only the new file so visudo can catch policy-wide syntax, ownership, and permission problems.
$ sudo -l -U sgnopass
Matching Defaults entries for sgnopass on host:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User sgnopass may run the following commands on host:
(ALL : ALL) ALL
(ALL : ALL) NOPASSWD: ALL
The NOPASSWD: ALL entry confirms that the rule is active for the account.
$ sudo -iu sgnopass sudo -k
This forces the next privileged command to rely on the saved NOPASSWD rule instead of a previously cached password check.
$ sudo -iu sgnopass sudo -n whoami
root
Passwordless sudo means any process running as that account can request root privileges immediately, so reserve it for tightly controlled accounts or narrow the rule to specific commands instead of ALL.
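As an added example (not part of the original guide), the following read-only shell audit reports which drop-ins sudo would skip because of their filename, which are world-writable, and whether each NOPASSWD rule grants ALL or only specific commands. The function names, status labels, and the sample files 91-buildadmins-restart, 92-sgnopass.conf and 93-open are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): read-only audit of sudoers drop-ins.
# Simplification: one rule per line; backslash continuations are not joined.

# audit_dropins DIR: print "STATUS<TAB>file<TAB>detail" for each finding.
audit_dropins() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # sudo skips drop-ins whose name contains '.' or ends in '~'.
        case $name in
            *.*|*~) printf 'SKIPPED\t%s\tname contains . or ends in ~\n' "$name"
                    continue ;;
        esac
        # sudo refuses to use a world-writable policy file.
        if [ -n "$(find "$f" -prune -perm -002)" ]; then
            printf 'BADMODE\t%s\tworld-writable\n' "$name"
        fi
        # Ignore comment lines, then classify every NOPASSWD rule by its command list.
        grep -v '^[[:space:]]*#' "$f" | grep 'NOPASSWD:' | while IFS= read -r rule; do
            cmds=$(printf '%s' "${rule##*NOPASSWD:}" | tr -d '[:space:]')
            case ",$cmds," in
                *,ALL,*) printf 'BROAD\t%s\t%s\n' "$name" "$rule" ;;
                *)       printf 'SCOPED\t%s\t%s\n' "$name" "$rule" ;;
            esac
        done
    done
}

# make_sample DIR: constructed drop-ins for a dry run (names and rules are samples).
make_sample() {
    printf 'sgnopass ALL=(ALL:ALL) NOPASSWD: ALL\n' > "$1/90-sgnopass-nopasswd"
    printf '# NOPASSWD: ALL (comment only)\n%%buildadmins ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx\n' > "$1/91-buildadmins-restart"
    printf 'sgnopass ALL=(ALL:ALL) NOPASSWD: ALL\n' > "$1/92-sgnopass.conf"
    printf 'sgnopass ALL=(ALL:ALL) NOPASSWD: ALL\n' > "$1/93-open"
    chmod 0646 "$1/93-open"
}

# Audit the directory given as $1, or a constructed sample when run without arguments.
if [ "$#" -gt 0 ]; then
    audit_dropins "$1"
else
    tmp=$(mktemp -d) && make_sample "$tmp" && audit_dropins "$tmp"
    rm -rf "$tmp"
fi
```

Pass /etc/sudoers.d as the argument from an account that can read that directory; every BROAD line is a candidate for narrowing to a command list.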