I'm trying to use systemd-nspawn but when I launch it and try to login as root - it still asks for a password. They've mentioned turning off auditing - which I've done.
My cmd line says audit=0 at the end.
$ cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.19.7-200.fc21.x86_64 root=/dev/mapper/fedora_localhost-root ro rd.lvm.lv=fedora_localhost/swap rd.lvm.lv=fedora_localhost/root rhgb audit=0 quiet
(This is fedora 21) Using these docs https://fedoraproject.org/wiki/Features/SystemdLightweightContainers
When I try to change the password it tells me I have a auth token manipulation error.
$ sudo systemd-nspawn -D /srv/eq1
Spawning container eq1 on /srv/eq1.
Press ^] three times within 1s to kill container.
-bash-4.3# passwd
Changing password for user root.
New password:
Retype new password:
passwd: Authentication token manipulation error
-bash-4.3#
it's about selinux context
almost following example 6 from http://www.freedesktop.org/software/systemd/man/systemd-nspawn.html
you have to change the container context and then run it with the proper one:
chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -D /srv/container
after issuing the second command you'd be able to change password. Right after CTRL+]]] you can issue the usual "systemd-nspawn -bD /srv/container" and boot you container.
Related
My user is in root group. I canot ssh to server as root because is says Permission denied, please try again. What I usualy do is I ssh as my user and once I'm logged in i type sudo su and I proivde my user's password to become root.
I want to automate part of my job so I want to write a bash script which would ssh as my user, switch to root and then call set of commands.
So far I came with following script but I am unable to switch to root user without asking user for password:
while read p; do
p=$(echo $p|tr -d '\r')
sshpass -p "myPasswd" ssh -T -o StrictHostKeyChecking=no myUser#remoteServer << EOT
cd /var/log/jboss/ #here I am getting 'permission denied' message as only root has access
exit
EOT
done < $nodes
I also tried:
sshpass -p "myPasswd" ssh -tt -o StrictHostKeyChecking=no myUser#remoteServer 'cd /var/log/jboss/'
but I got the same permission denied error message
For security reasons, root users are typically not allowed ssh access.
PermitRootLogin no # value in /etc/ssh/sshd_config
The above setting is preventing you from logging in as root in the first place. If you are "comfortable" with you network's security, you can consider modifying that setting. If you ever make modifications to the sshd config, you'll need to restart the ssh service:
sudo service sshd restart
Of course, if you want to adhere to common wisdom, you may want to make changes to your sudoers file (as recommended by chepner and Nic3500). Here's a reasonable configuration change to make:
Add the following line to the bottom of your /etc/sudoers file:
#includedir /etc/sudoers.d
And add the following files to your /etc/sudoers.d directory:
cat /etc/sudoers.d/10_wheel:
%wheel ALL=(ALL) NOPASSWD: ALL
The above example configures sudo to allow access to all commands to members of the wheel group, without a password. You may want to change the group name to a group that your user is a member of.
You can determine your groups by issuing the command:
groups
Also, to avoid the use of sshpass, you can deploy ssh public keys to the remote host. Lastly, if you don't want to change the server at all, you can achieve what you are trying to do with expect. If you are comfortable with python coding, I recommend pexpect - I find it soooo much easier than the TCL based expect that is typically discussed.
I am trying to automate the running of several tasks, but I need to run them as sudo.
I want to run them in separate terminals so I can watch the output of each.
Here is a sort of minimal example I have setup (because what I am trying to do is more complicated)
Setup two files - note that data is readable as root only and contains 3 lines of example text:
-rw------- 1 root root 33 Nov 15 09:29 data
-rwxrwxrwx 1 root root 11 Nov 15 09:30 test.sh*
test.sh looks like:
#!/bin/bash
cat data
read -p "Press enter to continue"
Also I have user level variable called "SESSION_MANAGER" that is setup in the bash startup... which seems to cause some issues (see later example)
So now I want to spawn various terminals running this script. I tried the following:
Attempt 1
xfce4-terminal -e './test.sh'
output:
cat: data: Permission denied
Press enter to continue
Attempt 2 - using sudo at the start
~/src/sandbox$ sudo xfce4-terminal -e './test.sh'
Failed to connect to session manager: Failed to connect to the session manager: SESSION_MANAGER environment variable not defined
(xfce4-terminal:6755): IBUS-WARNING **: The owner of /home/openbts/.config/ibus/bus is not root!
output:
this is some data
more data
end
Press enter to continue
here you can see that the output of the data file is print ok, but I had some issue with the session manager variable.
Attempt 3 - using sudo in the command
~/src/sandbox$ xfce4-terminal -e 'sudo ./test.sh'
output:
[sudo] password for openbts:
this is some data
more data
end
Press enter to continue
here you can see that everything was well... but I had to enter my password again, which somewhat kills my automation :(
Attempt 4 - start as root
~/src/sandbox$ sudo su
root#openbts:/home/openbts/src/sandbox# xfce4-terminal -e './test.sh'
Failed to connect to session manager: Failed to connect to the session manager: SESSION_MANAGER environment variable not defined
output:
this is some data
more data
end
Press enter to continue
Here, again the output looks good, but I have this SESSION_MANAGER issue... Also the new xfce4-terminal comes out with messed up font/look - I guess this is the root users settings.
Questions
How can I run multiple instances of test.sh each in a new terminal and not have to enter passwords (or interact at all). I can enter the password once at the start of the process (in the original terminal)?
As you can see I got this sort-of working when going in a sudo su, but this issues here are the SESSION_MANAGER variable - not sure if that is an issue, but its very messy looking, but also the xcfe4-terminal looks bad (I guess I can change the root settings to the same as my user settings). So how can I avoid the SESSION_MANAGER issue when running as root?
If you change user-id before you launch your separate terminal, you will see the session-manager issue. So the solution is to run the sudo in the terminal.
You do not want to type passwords in the sudo. You can do that by adding
yourname ALL=(ALL) NOPASSWD: ALL
to /etc/sudoers (at least on slackware). You could also try to set the permissions on the files correct so you would not need root all the time.
Note that adding that line has security implications; you might want to allow just cat without password (in your example), or make even more elaborate rules for sudo. The line I gave is just an example. Personally, I would look at file-permissions.
This seems to be a popular question on stackoverflow but nothing seems to be working for me
I will explain my problems first and then go the the solutions I have tried
What I need to do is to ssh to serverB from serverA. for this I have set up an rsa encryption on the servers and I can successfully ssh to serverB
I use
ssh user#hostname
Now I want execute certain commands on serverB. The first one is to switch to app user. For this I need to run sudo su - app command but I also want to provide the password in the same line so that it doesnt prompt for the password again.
So I have tried to first directly run sudo su - app command on serverB with password to test it out
I have tried the following
echo "password" | sudo su - app
sudo -S <<< "password" su - app
echo "password" | sudo -S su - app
echo 'passowrd' | sudo 'su -c - app'
However none of the above solutions work for me.
The closest I could get was with
echo "password" | script -c "sudo su - app"
where it accepts the password and shows me
app#hostname [/app]
$
however when I run the command whoami it still shows me user instead of app. however when I directly run sudo su - app and the provide pass and then run whoami it gives me app
I am trying to run command with ssh like
ssh user#hostname -t 'echo "password" | script -c "sudo su - app"'
P.S. the user user doesnt have root access and also I cannot make use of any plugin as I don't have permission to do the same
My server is Redhat 6.2
I hope I could explain it properly. Looking for some answers that can help.
Sorry for my bad English. Thanks for help.
If we set up ssh using rsa key encryption then we don't need to use the password.
In order to enable ssh with public/private key I follow
Genrate the public/private key for user on serverA
ssh-keygen -t rsa
Go to .ssh/id_rsa.pub file and copy the public key
Login to ServerB and then do sudo su - app to change to app user. Here in the file .ssh/authorized_key copy the public key.
Try ssh to serverB now from serverA like
ssh app#hostnameServerB
It works without asking for a password.
Was trying to figure out how to execute a sudo command with the password as a parameter.
echo mypassword | sudo -S command
was using this reference Use sudo with password as parameter
However, on OS X it keeps say "sudo: incorrect password attempt" however that passwords is correct.
what am i doing wrong?
As pointed out in the comments already, what you're doing is a very bad idea because it leaves the password of an account laying around. Instead, if you need to run a specific command with sudo from a script, you could -- and you should -- define that single command for one specific user in such a way that its execution is allowed without having to type in the password.
So, you should edit /etc/sudoers to include an entry for your specific user for that one, single, specific command with the tag NOPASSWD:
youruser yourhostname = (root) NOPASSWD: /some/path/your/command
Or if you really don't feel like typing in the hostname of your computer, then go for:
youruser ALL = (root) NOPASSWD: /some/path/your/command
That way you will possibly leak the ability of executing that one, single command as root instead of leaking your password and with it the possibility of running any commands as root.
I am using below command to open putty through windows command prompt:
PUTTY.EXE -ssh -pw "mypass" user#IP -m C:/my.sh -t
Where my.sh mentioned in above command file contains:
sudo su - rootuser
After executing the command, putty console is opened and it prompts for password.
Is there any way where I can provide this password automatically without typing it?
There's a bit of a horrible workaround using Expect and embedding a password.
This is a bad idea.
As an alternative:
Configure sudo to allow NOPASSWD.
Login directly as root using public-private key auth.
Both these introduce a degree of vulnerability, so should be used with caution - but any passwordless auth has this flaw.
Finally, after struggling for almost whole day, I got the way to get this working.
Below command can be executed from windows machine:
PLINK.EXE -t -ssh -pw "password" user#IP /home/mydir/master.sh
master.sh file is located on remote machine. And this file contains below command to execute script with sudo command without prompting password.
echo password | sudo u user -S script.sh
Here, password should be replaced with your password. user should be replaced with your actual user and script.sh is the script on remote machine that you want to fire after sudo login.