Skip to content

Troubleshooting Missing Sudo Command on Minimal Debian 13 Installations

During a fresh minimal installation of Debian 13 to bootstrap new Kubernetes nodes, encountering a missing utility can halt initial automation or remote access. This guide describes the missing sudo issue, explains why it occurs, and provides step-by-step resolution commands to establish secure privilege escalation.

The Problem: sudo: command not found

After installing a fresh minimal Debian 13 system and connecting remotely using SSH keys via a non-root user (e.g., leva), executing a administrative command using sudo results in a shell failure:

leva@k8s-cp-01:~$ sudo apt update
-bash: sudo: command not found

While the non-root user can connect via SSH, they cannot perform operations requiring elevated permissions, preventing system packages from being updated or initial Kubernetes setup files from being retrieved.

Why This Happened

A default minimal Debian installation (often selected when configuring lightweight server nodes or bare-metal hypervisors) does not include sudo out of the box.

If during the Debian installation phase you specified a password for the standard root account, Debian assumes you will use direct root logins (via su) and intentionally omits the sudo package from the base system. This is a security-first default to prevent unnecessary privilege escalation paths.

The Resolution

To fix the missing command and configure passwordless administrative access for the non-root user, follow these three steps:

Escalate to the Root User

Use the standard interactive shell escalation tool su with a login shell flag (-) to inherit the full environment paths:

leva@k8s-cp-01:~$ su -
Password: [Enter Root Password]

Update Repositories and Install sudo

Once escalated to root, update your local package list and install the standard sudo utility:

root@k8s-cp-01:~# apt-get update && apt-get install -y sudo

Configure Sudo Privileges without Password Prompt

For seamless scripting, remote tasks, and downstream Ansible automation, configure passwordless privilege escalation for your user. Create a dedicated drop-in file within the /etc/sudoers.d/ directory:

root@k8s-cp-01:~# echo "leva ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/leva

Ensure the configuration is correct by exiting the root shell and verifying sudo execution without a password challenge:

root@k8s-cp-01:~# exit
logout
leva@k8s-cp-01:~$ sudo whoami
root

Key Takeaways

  • Sudo is Optional in Debian: A minimal Debian netinst selection will omit sudo if a root password is provided during installation.
  • Use /etc/sudoers.d/: Always write user-specific authorization rules to a dedicated file under /etc/sudoers.d/[username] rather than editing the main /etc/sudoers file directly. This prevents accidental configuration lockout.
  • Prepare for Automation: Establishing passwordless privilege escalation is a vital pre-requisite for running automated configuration tasks with systems like Ansible.