Automate Password on Bastion Host? - bash

My New Job requires me to gather some info from thousands of servers. However they have no sshkey setup. Everything is linked to LDAP password.
Setup is
{ Mac using ITerm2 } -->ssh with LDAP+2fA --> Bastion Host --> Connect to all servers but only with LDAP Password.
I dont want to keep typing LDAP passwords for each host I am trying to login. I am non-privilege user on Bastion Host. I cannot Install anything on Bastion like sshpass,expect,plink,
How to Automate entering password with below script with ssh options either in the script itself or Can we use Iterm to autofill when it prompts for password ?
#!/bin/bash
inFile=$1
user="zaib"
ssh_options="-o ConnectTimeout=5 -o ConnectionAttempts=1 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
read -r -d "" commands << EOF
#My Commands Here
uname -a;
netstat -rn;
EOF
log="remote_cmd_$inFile"
((c=1))
for srv in $(cat $inFile | awk -F, '{print $1}'); do
echo -n "$c: $srv " | tee -a $log
nohup ssh -qtt $ssh_options $user#$srv "sudo --bash -c '$commands'" 2>&1 | tee -a $log
((c=$c+1))
done

Related

Turn off the return message from the executed command

I'm developing a bash script, I've used ssh command in my bash script to run some commands on a remote server and I need to get the result from the command which runs on the remote server. so I wrote this code:
db="$(ssh -t user#host 'mysql --user=username -ppassword -e \"SHOW DATABASES;\" | grep -Ev \"(Database|information_schema|performance_schema)\"' | grep -Ev \"(mysql)\")"
But each time which I run my bash script, I will get Connection to host closed. in first of the db result. this is a default message from ssh command.
Also, If I use > /dev/null 2>&1 end of my command the db variable would be empty.
How can I turn off the return message from the executed command?
Like this :
#!/bin/bash
db=$(
ssh -t user#host bash<<EOF
mysql --user=username -ppassword -e "SHOW DATABASES" |
grep -Ev "(Database|information_schema|performance_schema|mysql)" \
2> >(grep -v 'Connection to host closed')
EOF
)
or if Connection to host closed comes from STDOUT :
...
mysql --user=username -ppassword -e "SHOW DATABASES" |
grep -Ev "(Database|information_schema|performance_schema|mysql|Connection to host closed)"
...

How to automatically ssh into server and su with password using bash script?

I need to ssh into a server and su with password within that server and then ssh into another server from there. I am not able to su with password after I ssh into my first server via bash script. Normally what I do in terminal is,
$ ssh server1
logged in to server1$ su user
password: ******
switched to corresponding user$ ssh server2
How can I automate this process by switching user with password in bash?
Have you tried this?
sshpass -f <(printf '%s\n' "yourpassword") ssh username#server "\"sshpass -f <(printf '%s\n' "yourpassword") ssh username#server"
Can sudo without password works for you?
ssh abc#$xyz "
echo '
set -vxe
# Your script here
' | sudo /bin/bash"

Weird output observed on executing ssh commands remotely over ProxyCommand

Team, I have two steps to perform:
SCP a shell script file to remote ubuntu linux machine
Execute this uploaded file on remote ubuntu linux machine over SSH session using PROXYCommand because I have bastion server in front.
Code:
scp -i /home/dtlu/.ssh/key.key -o "ProxyCommand ssh -i /home/dtlu/.ssh/key.key lab#api.dev.test.com -W %h:%p" /home/dtlu/backup/test.sh lab#$k8s_node_ip:/tmp/
ssh -o StrictHostKeyChecking=no -i /home/dtlu/.ssh/key.key -o 'ProxyCommand ssh -i /home/dtlu/.ssh/key.key -W %h:%p lab#api.dev.test.com' lab#$k8s_node_ip "uname -a; date;echo "Dummy123!" | sudo -S bash -c 'echo 127.0.1.1 \`hostname\` >> /etc/hosts'; cd /tmp; pwd; systemctl status cachefilesd | grep Active; ls -ltr /tmp/test.sh; echo "Dummy123!" | sudo -Sv && bash -s < test.sh"
Both calls above are working fine. I am able to upload test.sh and also its running but what is bothering me is during the process am observe weird output being thrown out.
output:
/tmp. <<< expected
[sudo] password for lab: Showing one
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus object=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0 error=n/a
Root directory /run/log/journal added.
Considering /run/log/journal/df22e14b1f83428292fe17f518feaebb.
Directory /run/log/journal/df22e14b1f83428292fe17f518feaebb added.
File /run/log/journal/df22e14b1f83428292fe17f518feaebb/system.journal added.
So, I don't want /run/log/hournal and other lines which don't correspond to my command in sh.
Consider adding -q to the scp and ssh commands to reduce the output they might produce. You can also redirect stderr and stdout to /dev/null as appropriate.
For example:
{
scp -q -i /home/dtlu/.ssh/key.key -o "ProxyCommand ssh -i /home/dtlu/.ssh/key.key lab#api.dev.test.com -W %h:%p" /home/dtlu/backup/test.sh lab#$k8s_node_ip:/tmp/
ssh -q -o StrictHostKeyChecking=no -i /home/dtlu/.ssh/key.key -o 'ProxyCommand ssh -i /home/dtlu/.ssh/key.key -W %h:%p lab#api.dev.test.com' lab#$k8s_node_ip "uname -a; date;echo "Dummy123!" | sudo -S bash -c 'echo 127.0.1.1 \`hostname\` >> /etc/hosts'; cd /tmp; pwd; systemctl status cachefilesd | grep Active; ls -ltr /tmp/test.sh; echo "Dummy123!" | sudo -Sv && bash -s < test.sh"
} >&/dev/null

How to make shell script to automatically input value

I'm trying to copy ssh public key to all hosts on my network with the following little script
#!/bin/bash
for ip in $(nmap -n -sn 192.0.2.0/24 -oG - | awk '/Up$/{print $2}'); do
ssh-copy-id vagrant#$ip
done
However, it asks for the password for each IP, which count is unknown until execution of the script. How to make this script to automatically enter the password (which in this case is same for all the hosts)?
Use the sshpass. Note that it is not a good idea to store passwords in the scripts, but it will do the job for the setup:
#!/bin/bash
for ip in $(nmap -n -sn 192.0.2.0/24 -oG - | awk '/Up$/{print $2}'); do
sshpass -p password ssh-copy-id vagrant#$ip
done

Ruby shell visibility

I am trying to shell out in Ruby to use SSH. I know there is an SSH module but I don't want to use it. I find it clunky and confusing.
I am able to shell out and use SSH very nicely. I have one complaint, however, that I was hoping someone could offer some suggestions.
In Bash I can do this:
echo "PASSWORD" | ssh SERVER "sudo -S cat /etc/sudoers"
and it will show up as this when I do a ps -ef:
USER 8212 8837 0 09:31 pts/7 00:00:00 ssh SERVER sudo -S cat /etc/sudoers
The password is NOT shown when doing a ps -ef.
When I do the same in ruby, it is echoing the password:
%x[echo "#{password}" | ssh -q -o BatchMode=yes SERVER "sudo -S cat /etc/sudoers 2>/dev/null"].split("\n")
Shows up on the server with ps -ef:
sh -c echo "PASSWORD" | ssh -q -o BatchMode=yes SERVER "sudo -S cat /etc/sudoers 2>/dev/null"
Try using Ruby's Open3.popen3 or Open3.capture3. But, I don't think it'll work because ssh doesn't accept the password from STDIN and will rewire the input to come from the keyboard, at least that's the behavior I've encountered on CentOS and Mac OS.
Here's some code to test it against:
require 'open3'
host = 'myhost'
user = 'myname'
password = 'mypassword'
stdin, stdout, stderr, wait_thr = Open3.popen3(ENV, %Q[ssh #{host} "cat /home/#{user}/.bash_profile"])
pid = wait_thr[:pid]
stdin.puts password
stdin.close
puts stdout.read
stdout.close
puts stderr.read
stderr.close
exit_status = wait_thr.value
Running it shows the ssh prompt, even though the password is "puts" on the stdin channel, followed by the output once I enter the password:
myname#myhost's password:
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
set editing-mode vi
# complete -W "$(echo $(grep '^ssh ' .bash_history | sort -u | sed 's/^ssh //'))" ssh
complete -W "$(echo $(grep '^ssh ' .bash_history | sort -u | sed 's/^ssh //' | sed 's/^.+#//'))" ssh
PATH=$HOME/bin:$PATH
export PATH
export PATH="$HOME/.rbenv/bin:$PATH"
eval "$(rbenv init -)"
While Net::SSH might be "clunky", it is designed to allow you to cleanly work around this behavior in ssh. We use Net::SSH extensively internally, and it's working really well for our needs.

Resources