This question already has answers here:
Pass commands as input to another command (su, ssh, sh, etc)
(3 answers)
Closed 1 year ago.
I wrote a short script that would ssh to a bunch of machines on a file called config that would iterate through the machines, ssh through them and create a new user on them. problem is - these commands require sudo privileges, and when I'm trying to execute sudo on them, I get a wrong password error, probably because sudo is not allowed over ssh? I'm not quite sure.
The code is as follows:
#!/bin/bash
read -p "enter remote admin username " adminuser
read -p "choose new username " newuser
read -p "choose new pass " newpass
while read -u10 HOST ; do ssh ${HOST} "uname -a" ;
sudo -S adduser --disabled-password --gecos "" $newuser
sudo -S chpasswd <<<"$newuser:$newpass"
sudo -S chown $newuser /home/$newuser
#sudo -S groupadd group
echo; echo "New user ${newuser} has been created on ${HOST}"
done 10< config.txt
It's worth to note I have set /etc/ssh/sshd_config PermitRootLogin to yes.
While we're at it, is there a way to minimize the amount of times i have to input my admin password? Right now I have to use it when I first ssh into the machine and when I execute a sudo command - so if I have 17 machines that's a minimum of 17 machines. I'd like to minimize that if possible.
Please do not set /etc/ssh/sshd_config PermitRootLogin to yes. No reason to play with fire unless necessary.
On the remote machine, use visudo to define a group like admin that never needs to enter a password in order to use sudo. Here are two lines from my /etc/sudoers file:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) NOPASSWD: ALL
Then add the user id to that Linux user group and the script will run as root without prompts for sudo passwords:
$ usermod -a -G admin my_user_name
Related
I've got a script which needs to do something on a remote system using SSH. Something of this sort:
#!/bin/bash
ssh -tt $# sudo ash -c 'echo "8.8.8.8 dns.google.com" >> /etc/hosts'
If the user doesn't need to enter a password for sudo to work, this is fine. But I can't figure out how to allow the user running this script to enter the password for sudo. Ideas? The remote shell is busybox's ash.
My user is in root group. I canot ssh to server as root because is says Permission denied, please try again. What I usualy do is I ssh as my user and once I'm logged in i type sudo su and I proivde my user's password to become root.
I want to automate part of my job so I want to write a bash script which would ssh as my user, switch to root and then call set of commands.
So far I came with following script but I am unable to switch to root user without asking user for password:
while read p; do
p=$(echo $p|tr -d '\r')
sshpass -p "myPasswd" ssh -T -o StrictHostKeyChecking=no myUser#remoteServer << EOT
cd /var/log/jboss/ #here I am getting 'permission denied' message as only root has access
exit
EOT
done < $nodes
I also tried:
sshpass -p "myPasswd" ssh -tt -o StrictHostKeyChecking=no myUser#remoteServer 'cd /var/log/jboss/'
but I got the same permission denied error message
For security reasons, root users are typically not allowed ssh access.
PermitRootLogin no # value in /etc/ssh/sshd_config
The above setting is preventing you from logging in as root in the first place. If you are "comfortable" with you network's security, you can consider modifying that setting. If you ever make modifications to the sshd config, you'll need to restart the ssh service:
sudo service sshd restart
Of course, if you want to adhere to common wisdom, you may want to make changes to your sudoers file (as recommended by chepner and Nic3500). Here's a reasonable configuration change to make:
Add the following line to the bottom of your /etc/sudoers file:
#includedir /etc/sudoers.d
And add the following files to your /etc/sudoers.d directory:
cat /etc/sudoers.d/10_wheel:
%wheel ALL=(ALL) NOPASSWD: ALL
The above example configures sudo to allow access to all commands to members of the wheel group, without a password. You may want to change the group name to a group that your user is a member of.
You can determine your groups by issuing the command:
groups
Also, to avoid the use of sshpass, you can deploy ssh public keys to the remote host. Lastly, if you don't want to change the server at all, you can achieve what you are trying to do with expect. If you are comfortable with python coding, I recommend pexpect - I find it soooo much easier than the TCL based expect that is typically discussed.
I am trying to loop through a list of remote servers, ssh to them and get hardware info, but this requires sudo password, and I don't want to have to type in password for each loop, and unsure how to accomplish that. My script below:
#!/bin/bash
for i in $(cat server-list.txt); do
ssh -t username#${i} 'sudo -s <dmidecode -t 1>';
done
Note: all system commands require sudo password.
This question already has answers here:
How to use SSH to run a local shell script on a remote machine?
(22 answers)
Closed 5 years ago.
I try to run a local script on multiple remote servers as root. I don't have su to root on those but just can run root commands using sudo. So far I tried:
for host in $(cat hosts_list); do ssh -tt $host "echo mypassword | sudo bash -s" < ./myscript.sh
And in myscript.sh there is something like:
echo "test test123" >> /etc/tests
exit 0
But it looks like not working and won't change the file. What is the proper way to run this script as root and without typing password separately for each host?
Ok, then why do you "echo mypassword" ?
Can't you add your SSH account to the sudoers file with NOPASSWD ?
From man sudoers:
authenticate If set, users must authenticate themselves via a password (or other means
of authentication) before they may run commands. This default may be
overridden via the PASSWD and NOPASSWD tags. This flag is on by default.
I want to execute sudo over ssh on remote servers and supply the password over standard input. The following code is in a shell script on a secured server with restricted access. The password is asked beforehand and the servers use all the same sudo password. The someaction can surely take some seconds to execute.
Here is the shell script extract:
read -s -p "please enter your sudo password" PASSWORD
ssh user#host1 -t "echo '$PASSWORD' | sudo -S someaction"
ssh user#host2 -t "echo '$PASSWORD' | sudo -S someaction"
My question: Is it safe to use echo with a pipe? And are here any security problems that might occur, like logging the echo result on the remote server, etc?
Maybe somebody has a better suggestion?
Note: I know other tools can do this, like ansible etc. I am not looking for another similar tool, just want to know whether using ssh/echo/sudo in the mentioned way is safe.
Yes!
As long as the command is running anybody that can view all processes can view that password, by running ps aux | grep echo:
root [..] zsh -c echo topsecret | sudo -C action
You could configure sudo to not ask the password for a specific task for a user, that would certainly increase security over this solution.