Martin Gregorie wrote, on 08-02-2019 12:46:
> To answer your points, 'authenticate' is not specified in /etc/sudoers on
> my RPi
>
> I don't use the pi login and never have done: when I first got my RPi
> (back when the 512MB B was the latest thing, I set up another user with
> the same name as my main user on my other Linux systems so that "ssh
> hostname" works as a convenient shortcut. At the time I set this user to
>
> ALL=(ALL)ALL NOPASSWD: ALL
>
> in /etc/sudoers by copying the 'pi' line and also made sure the default
> path included /usr/local/sbin and /usr/local/bin. Then I saved a copy of /
> etc/sudoers in a safe place and committed that to my CVS repository.
>
> The copy in the repository is dated 1 Oct 2015 so that is the last time I
> touched /etc/sudoers. However, the active version is dated 4 Aug 2017, so
> evidently it got updated then during one of my weekly system updates.
> Diffing my copy against the current active copy shows that in 2017
> NOPASSWD: was removed from both the pi and my login entry.
>
> Since I never use the 'pi' login, its vanishingly unlikely I'd have
> edited it too and, since I'm a version control addict its equally
> unlikely that I'd have changed /etc/sudoers without (a) making a safety
> copy and (b) committing the change in CVS because that is my SOP.
>
> Ergo, this change to the sudo configuration was made on 4 Aug 2017 and
> was the result of an APT upgrade.

Almost certainly their mistake for not considering people use other
logins than pi. That happens a lot. A fresh install still has:

pi ALL=(ALL) NOPASSWD: ALL

(No longer in /etc/sudoers but in /etc/sudoers.d/010_pi-nopasswd. This
move was when you saw the change.)

--- SoupGate-Win32 v1.05