Linux ssh and sudo

What is the proper way to sudo over ssh?

What’s the proper way to do this so I can type the password for sudo over SSH without the password appearing as I type?

as for me, the reason to look for a way of sudoing through ssh was that it wasn’t working when trying something like ssh sudo , as I was getting the error sudo: no tty present and no askpass program specified

8 Answers 8

Another way is to use the -t switch to ssh :

ssh -t user@server "sudo script" 
 -t Force pseudo-tty allocation. This can be used to execute arbi- trary screen-based programs on a remote machine, which can be very useful, e.g., when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty. 

It’s not working here: ssh -t localhost

The same thing can be accomplished without the need of the -t option by telling sudo not to require a terminal. In this case, it takes its imput from stdin. See answer below for details and examples.

I was able to fully automate it with the following command:

echo pass | ssh -tt user@server "sudo script" 

Regarding security: as Kurt said, running this command will show your password on your local bash history, and it’s better to save the password in a different file or save the all command in a .sh file and execute it. NOTE: The file need to have the correct permissions so that only the allowed users can access it.

It will show up on the local system’s bash history, including the password. Better to store the password in a file and cat the file.

Man, I knew about -t , but I hadn’t read the manual carefully enough to see that you could pass it twice! This is what I’ve been looking for for months! As a security addition, I simply set a password variable before running with read -s -p «Password: » pw , then did echo «$pw» | . . I’ve now rolled this into a handy script for myself :).

Why don’t you just set up passwordless sudo for whatever specific users and commands you need to run? This isn’t an SSH problem.

Regarding preventing password from appearing in local history, 1) that’s not an issue if it is a line in a script, 2) for interactive shell, local history is easily avoided by beginning the command with a SPACE if HISTCONTROL is set to ignorespace or ignoreboth (assuming bash, similar for other shells). A different security concern is that the password might be shown in the process table. echo is usually a shell built-in so it is probably OK as is, but I’d rather use a here-string:

Sudo over SSH passing a password, no tty required:

You can use sudo over ssh without forcing ssh to have a pseudo-tty (without the use of the ssh «-t» switch) by telling sudo not to require an interactive password and to just grab the password off stdin. You do this by using the «-S» switch on sudo. This makes sudo listen for the password on stdin, and stop listening when it sees a newline.

Читайте также:  High resolution display linux

Example 1 — Simple Remote Command

In this example, we send a simple whoami command:

$ ssh user@server cat \| sudo --prompt="" -S -- whoami  root 

We’re telling sudo not to issue a prompt, and to take its input from stdin. This makes the sudo password passing completely silent so the only response you get back is the output from whoami .

This technique has the benefit of allowing you to run programs through sudo over ssh that themselves require stdin input. This is because sudo is consuming the password over the first line of stdin, then letting whatever program it runs continue to grab stdin.

Example 2 — Remote Command That Requires Its Own stdin

In the following example, the remote command «cat» is executed through sudo, and we are providing some extra lines through stdin for the remote cat to display.

$ ssh user@server cat \| sudo --prompt="" -S -- "cat"  > Extra line1 > Extra line2 > EOF Extra line1 Extra line2 

The output demonstrates that the line is being consumed by sudo, and that the remotely executed cat is then displaying the extra lines.

An example of where this would be beneficial is if you want to use ssh to pass a password to a privileged command without using the command line. Say, if you want to mount a remote encrypted container over ssh.

Example 3 — Mounting a Remote VeraCrypt Container

In this example script, we are remotely mounting a VeraCrypt container through sudo without any extra prompting text:

#!/bin/sh ssh user@server cat \| sudo --prompt="" -S -- "veracrypt --non-interactive --stdin --keyfiles=/path/to/test.key /path/to/test.img /mnt/mountpoint"  

It should be noted that in all the command-line examples above (everything except the script) the local machine's .bash_history. It is therefore highly recommended that for real-world use you either use do it entirely through a script, like the veracrypt example above, or, if on the command line then put the password in a file and redirect that file through ssh.

Example 1a - Example 1 Without Local Command-Line Password

The first example would thus become:

$ cat text_file_with_sudo_password | ssh user@server cat \| sudo --prompt="" -S -- whoami root 

Example 2a - Example 2 Without Local Command-Line Password

and the second example would become:

$ cat text_file_with_sudo_password - Extra line1 > Extra line2 > EOF Extra line1 Extra line2 

Putting the password in a separate file is unnecessary if you are putting the whole thing in a script, since the contents of scripts do not end up in your history. It still may be useful, though, in case you want to allow users who should not see the password to execute the script.

Источник

SSH: execute sudo command

I have an interactive shell script, that at one place needs to ssh to another machine (Ubuntu based) and execute something as root (the user should enter his password, but the remote command should run like noted in the script):

# . ssh remote-machine 'sudo ls' # . 
sudo: no tty present and no askpass program specified 
$ ssh remote-machine 'sudo ls /' [sudo] password for user1: /bin /etc /var 

3 Answers 3

The wondrous ssh has a cure for everything. The point is to add the -t flag to force ssh to allocate a pseudo-tty:

ssh -t remote-server 'sudo ls' 

The easy way around that is to force ls into non-terminal mode. ls | cat will do - it'll see that stdout is a pipe. In this specific question, that's not relevant, as it's apparently intended to be run interactively from a terminal - so you probably want the columns and colours and whatnot.

This method will run a single script using sudo after ssh:

Let's assume we have a "remote" user with sudo capabilities and we have a script we want it to execute as root.

1) Set a script in /etc/passwd to be used on login:

remote:x:1100:1100:Some Remote User. /home/remote:/home/remote/login.sh

2) Inside "login.sh", we execute the script we want to run as "sudo":

#!/bin/bash if [ "$(id -u)" != "0" ]; then #Not running as root, so we execute "sudo" sudo /usr/local/bin/script.sh else #We are already rooted, so "sudo" is not required. /usr/local/bin/script.sh fi exit; 

Normally it will ask the password twice: ssh login + sudo. If you want to input it only once, try sudo without password (not recommended).

The main advantage is that "ssh" does not require any other parameter (as -t), and sudo is forced on server side. Also, once the script exits, the user is logged out as well.

It may not be that elegant, but its simple and works.

Источник

How to run a command that requires sudo via SSH

With SSH you can run commands on remote machines, even if the command requires sudo privileges.

We may be compensated by vendors who appear on this page through methods such as affiliate links or sponsored partnerships. This may influence how and where their products appear on our site, but vendors cannot pay to influence the content of our reviews. For more info, visit our Terms of Use page.

Secure Shell includes a lot of tricks, many of which can make your admin’s life exponentially easier. One such trick is the ability to run commands on remote servers, without logging in.

Must-read security coverage

  • Google offers certificate in cybersecurity, no dorm room required
  • The top 6 enterprise VPN solutions to use in 2023
  • EY survey: Tech leaders to invest in AI, 5G, cybersecurity, big data, metaverse
  • Electronic data retention policy (TechRepublic Premium)

Sure, you can take the time to log into the server, run the command, and log out, but why not just do it all in one fell swoop? Not only is this handy, it’s quite easy.

What you need

The only things you need for this is two more Linux machines, all of which include the openssh-server up and running (and accepting connections). If you don’t have the SSH daemon installed, you can do this from the standard repositories. For instance, on the Ubuntu Server platform, the command to install the SSH daemon is:

sudo apt-get install openssh-server -y

For CentOS 7, the command is:

sudo yum install -y openssh-server

Once installed, you’ll want to enable the server with the commands:

sudo systemctl start sshd
sudo systemctl enable sshd

Now that you have the SSH daemon running on your remote servers, you can send commands to them. Let’s find out how.

Running a basic command

Let’s get a listing of files on a remote /etc directory. To do this, the command is:

Where USER is a remote user name, and SERVER_IP is the IP address of the remote server. Once you successfully enter the remote user’s password, you will get a listing of the /etc/ directory on the remote server.

Running a command that requires sudo

But what if you need to run a command that requires sudo privileges on a remote server? If you do that, you’ll see a tty error (Figure A).

How do you get around that? Fortunately, there’s a little switch you can add to the command. Said switch is -t. What does -t do? It forces pseudo-terminal allocation, so ssh has no idea it doesn’t have a local terminal to use.

So, to run a remote command, via ssh, that requires sudo privileges, the ssh command looks like:

ssh -t USER@SERVER_IP "sudo COMMAND"

Say, for instance, you want the user jack to upgrade a remote server at 192.168.1.201. This command is:

ssh -t jack@192.168.1.201 "sudo apt-get upgrade -y"

You will first be asked for the user’s password for the SSH connection, followed by a second request for the user’s password for sudo privileges (Figure B).

The command will run as though it was executed on the local machine (only it’s running on the remote machine). When the command completes, you’ll return to the local prompt, ready to keep working.

And that’s all there is to running commands that require sudo privileges on a remote machine, via SSH.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Delivered Tuesdays and Thursdays

Also See

  • How to use multiplexing to speed up the SSH (TechRepublic)
  • How to create an SSH jailed user on Debian 9 (TechRepublic)
  • 5 quick SSH hardening tips (TechRepublic)
  • How to block SSH attacks on Linux with denyhosts (TechRepublic)
  • OpenSSH gets protection against attacks like Spectre, Meltdown, Rowhammer, and Rambleed (ZDNet)
  • How to become a cybersecurity pro: A cheat sheet (TechRepublic)
  • 10 dangerous app vulnerabilities to watch out for (TechRepublic download)
  • Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
  • The best password managers of 2019 (CNET)
  • Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)

Источник

Оцените статью
Adblock
detector