I have a script in bash which connects to a host and on the remote host runs a script which needs root permissions.
I cannot directly login as root (and I don't want to do that) because of security problems.
I use the following script:
#!/bin/bash
ssh -tt user@host <<SSH
su - root
/tmp/script_with_root_permisions.sh
SSH
After running I get the following error:
user@host's password:   # I type the ssh password for user "user"
And then:
tcgetattr: Inappropriate ioctl for device
Last login: Mon Feb 23 13:06:15 2015 from xxx.xxx.xxx.xxx
Password:
And here the root password is shown as plain text and the script stops.
P.S.: I run this script on Solaris, NOT Linux. I saw some workarounds using sudo, but on Solaris there is no sudo command.
I'm trying to set up some automation inside a local network and started working with some shell scripting, and I saw something very strange: SSH behaves differently inside a script depending on how the script is run (with or without sudo):
What I have:
ComputerA and ComputerB.
Inside ComputerA:
A shell script script.sh:
cp /dir1/file1 /dir2/file2
ssh username@ComputerB "sudo reboot"
An /etc/ssh/ssh_config file with some settings to work without ssh keys (they always change on ComputerB):
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
GlobalKnownHostsFile=/dev/null
Inside ComputerB:
In /etc/sudoers file:
username ALL=(ALL:ALL) NOPASSWD:ALL
When I connect through SSH to ComputerA and run script.sh without sudo, I get a permission error writing to /dir2 (that's OK) and the next command executes normally on ComputerB (reboots ComputerB). But when I run sudo script.sh, it copies the file and then something strange happens: SSH asks me for the username's password. I tried different variants, changing the ssh command to something like:
ssh -t username@ComputerB "echo user_pass | sudo -S reboot"
but nothing helped.
So I need help to figure out what happens and what to do to execute sudo script.sh without entering password for ssh command inside.
Thanks!
Don't run script.sh with sudo on computerA; instead modify the script like so:
sudo cp /dir1/file1 /dir2/file2
ssh username@ComputerB "sudo reboot"
The reason that you're seeing the strange behaviour is that you're actually becoming root on computerA (I assume you have a keypair set up for your regular user and expect to connect to computerB passwordless?), and that root on computerA doesn't have a keypair that computerB knows about.
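An added example (mine, not part of the answer above) that keeps the answer's structure and adds a guard against running the whole script under sudo. ssh chooses the ~/.ssh directory from the passwd entry of the effective uid, not from $HOME, which is why the elevated script ended up looking for root's keys; the helper below performs that same lookup so you can see whose keys will be used. The names username, ComputerB and the /dir paths are the thread's placeholders; the function names are my own.

```sh
#!/bin/sh
# Added example: elevate only the copy step and keep ssh running as the
# ordinary user, so the user's keypair (not root's) is offered to ComputerB.
# Placeholders (username, ComputerB, /dir1/file1, /dir2/file2) come from the thread.

# Home directory ssh will consult for ~/.ssh, looked up the way ssh does it:
# from the passwd entry of the effective uid, not from $HOME.
ssh_keydir_for_uid() {
    uid=$1
    home=$(getent passwd "$uid" 2>/dev/null | cut -d: -f6)
    [ -n "$home" ] || home=$(awk -F: -v u="$uid" '$3 == u { print $6; exit }' /etc/passwd)
    [ -n "$home" ] || return 1
    printf '%s/.ssh\n' "$home"
}

# Return 1 when the given uid is root: running the whole script under sudo is
# exactly what made ssh look for root's keys instead of the user's.
refuse_root() {
    if [ "$1" -eq 0 ]; then
        echo "do not run this script with sudo; it elevates only the copy step" >&2
        return 1
    fi
    return 0
}

sync_and_reboot() {
    refuse_root "$(id -u)" || return 1
    sudo cp /dir1/file1 /dir2/file2 || return 1   # the only step that needs root
    # identity is unchanged here, so the keys in the directory reported by
    # ssh_keydir_for_uid "$(id -u)" are what ComputerB will see
    ssh username@ComputerB "sudo reboot"
}

# Run the real thing only when explicitly asked: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
    sync_and_reboot
fi
```

Running it as the regular user prints nothing extra and behaves like the answer's two-line script; running it as sudo ./script.sh --run stops at the guard instead of silently switching to root's (empty) ~/.ssh.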
My user is in the root group. I cannot ssh to the server as root because it says Permission denied, please try again. What I usually do is ssh as my user and, once I'm logged in, type sudo su and provide my user's password to become root.
I want to automate part of my job so I want to write a bash script which would ssh as my user, switch to root and then call set of commands.
So far I came with following script but I am unable to switch to root user without asking user for password:
while read p; do
p=$(echo $p|tr -d '\r')
sshpass -p "myPasswd" ssh -T -o StrictHostKeyChecking=no myUser@remoteServer << EOT
cd /var/log/jboss/ #here I am getting 'permission denied' message as only root has access
exit
EOT
done < $nodes
I also tried:
sshpass -p "myPasswd" ssh -tt -o StrictHostKeyChecking=no myUser@remoteServer 'cd /var/log/jboss/'
but I got the same permission denied error message.
For security reasons, root users are typically not allowed ssh access.
PermitRootLogin no # value in /etc/ssh/sshd_config
The above setting is preventing you from logging in as root in the first place. If you are "comfortable" with your network's security, you can consider modifying that setting. If you ever make modifications to the sshd config, you'll need to restart the ssh service:
sudo service sshd restart
Of course, if you want to adhere to common wisdom, you may want to make changes to your sudoers file (as recommended by chepner and Nic3500). Here's a reasonable configuration change to make:
Add the following line to the bottom of your /etc/sudoers file:
#includedir /etc/sudoers.d
And add the following files to your /etc/sudoers.d directory:
cat /etc/sudoers.d/10_wheel:
%wheel ALL=(ALL) NOPASSWD: ALL
The above example configures sudo to allow access to all commands to members of the wheel group, without a password. You may want to change the group name to a group that your user is a member of.
You can determine your groups by issuing the command:
groups
Also, to avoid the use of sshpass, you can deploy ssh public keys to the remote host. Lastly, if you don't want to change the server at all, you can achieve what you are trying to do with expect. If you are comfortable with python coding, I recommend pexpect - I find it soooo much easier than the TCL based expect that is typically discussed.
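An added example (mine, not from the answer above) of the sudoers change done more narrowly than "%wheel ALL=(ALL) NOPASSWD: ALL": the asker only needs to read /var/log/jboss, so the rule is restricted to one command, the fragment name follows the rule sudo applies to #includedir (files containing a dot or ending in ~ are skipped), the mode is 0440 as sudo expects, and visudo -cf checks the syntax before the file goes live. The group wheel, the command /bin/ls /var/log/jboss and the fragment name 10_jboss_logs are assumptions for illustration.

```sh
#!/bin/sh
# Added example: a least-privilege sudoers.d fragment instead of NOPASSWD: ALL.
# Group, command and fragment name below are assumed for illustration.

# Build a sudoers line limited to one command. Arguments: group, target user,
# absolute command path with any fixed arguments it should be locked to.
sudoers_rule() {
    group=$1; runas=$2; cmd=$3
    case "$cmd" in
        /*) ;;
        *) echo "command must be an absolute path: $cmd" >&2; return 1 ;;
    esac
    printf '%%%s ALL=(%s) NOPASSWD: %s\n' "$group" "$runas" "$cmd"
}

# sudo's #includedir ignores files whose name contains '.' or ends in '~'
# (editor backups, package remnants), so such a fragment would silently do nothing.
valid_fragment_name() {
    case "$1" in
        ''|*.*|*~) return 1 ;;
        *) return 0 ;;
    esac
}

# Write the fragment with mode 0440, check it with visudo -cf when running as
# root (the real install into /etc/sudoers.d needs root anyway), and only then
# move it into place, so a syntax error never locks sudo for everyone.
install_fragment() {
    dir=$1; name=$2; rule=$3
    valid_fragment_name "$name" || { echo "bad fragment name: $name" >&2; return 1; }
    tmp=$(mktemp "$dir/$name.XXXXXX") || return 1
    printf '%s\n' "$rule" > "$tmp"
    chmod 0440 "$tmp"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$dir/$name"
}

# Example use (as root): install_fragment /etc/sudoers.d 10_jboss_logs \
#     "$(sudoers_rule wheel root '/bin/ls /var/log/jboss')"
```

With that fragment in place the remote command becomes sudo /bin/ls /var/log/jboss, and a member of wheel can run nothing else without a password; widen the command list only as the job actually requires.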
I'm configuring an Icinga2 server and want it to run local scripts on external machines using the check_by_ssh plugin, and I encountered a strange issue. I've searched for an answer for a few hours, but no luck.
My command object looks as follows:
object CheckCommand "check_procs" {
import "by_ssh"
vars.by_ssh_logname = "root"
vars.by_ssh_port = "22"
vars.by_ssh_command = "/tmp/test.sh"
vars.by_ssh_identity = "/etc/icinga2/conf.d/services/id_rsa.pub"
vars.by_ssh_ipv4 = "true"
vars.by_ssh_quiet = "true"
}
The content of test.sh is simply exit 0. I have a trust between my Icinga box and the remote machine I'm running the command at.
When I execute the command through the shell, it works:
[root@icinga ~]# ssh root@10.10.10.1 -C "/tmp/test.sh"
[root@icinga ~]# echo $?
0
But when it is executed by the server, I see on my Icingaweb2 this output:
UNKNOWN - check_by_ssh: Remote command '/tmp/test.sh' returned status 255
Now I have added a 'touch success' line to the test.sh script, in order to see if it is executed at all, but it seems it isn't. That means when Icinga executes my script, it fails before even executing it.
Any clues what it can be? There are not many examples online of check_by_ssh with Icinga2 either.
NOTE: Icinga uses the root user to identify itself to the remote server. I know this is not best practice, but this is a development environment.
UPDATE: I think I have found the issue. The problem is that I'm trying to use the root user to log in to the remote machine. This IS NOT supported, even with public key authentication. The script has to be executed with the user icinga.
2nd Update: I got it working. The issue was key authentication, the fact that icinga uses the user icinga to execute the command (even when using the by_ssh_logname attribute), and the addition of vars.by_ssh_options = "StrictHostKeyChecking no".
My problem was that the RSA key files used weren't owned by the "nagios" user:
-rw------- 1 nagios nagios 3.2K Nov 30 14:43 id_rsa
-rw-r--r-- 1 nagios nagios 766 Nov 30 14:42 id_rsa.pub
I've found the issues; there were a few of them in my case.
Icinga used the icinga user to log in through SSH, even when I used -l root. So, to install ssh keys I had to execute ssh-copy-id icinga@HOST as the root user (the Icinga shell is set to /sbin/nologin).
I then copied the private key (again, of the root user) to the icinga folder so it is accessible to the application, and changed the ownership of the file.
Next, I tried to log in to the remote machine as the icinga user: sudo -u icinga ssh icinga@HOST -i id_rsa
If step 3 fails, you need to figure it out before you continue. The next thing I did was adding StrictHostKeyChecking no to the module options.
Voila, this works now.
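An added example (mine, not part of the answer above) that reproduces the check ssh applies to a private key before offering it, so the ownership and mode problem behind the "status 255" result shows up when you run the check by hand as the monitoring user instead of after a failed service check. The expected owner nagios comes from the answer's listing; the function names are my own, and the key file in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example: verify a private key the way ssh does before using it.
# ssh refuses a key it owns that is group- or world-accessible
# ("UNPROTECTED PRIVATE KEY FILE"), and a key owned by another user at
# mode 0600 cannot be read at all, which is what the monitoring daemon hit.

# Owner and symbolic mode from ls -ld; works on GNU and BSD userlands, and
# cut -c1-10 drops the trailing '.' or '+' that SELinux/ACL systems append.
file_owner() { ls -ld "$1" | awk '{ print $3 }'; }
file_mode()  { ls -ld "$1" | cut -c1-10; }

# Return 0 when $1 is a regular file, owned by $2, and not readable or
# writable by group or others; otherwise explain on stderr and return 1.
private_key_ok() {
    key=$1; owner=$2
    if [ ! -f "$key" ]; then
        echo "$key: not a regular file" >&2
        return 1
    fi
    if [ "$(file_owner "$key")" != "$owner" ]; then
        echo "$key: owned by $(file_owner "$key"), expected $owner" >&2
        return 1
    fi
    case "$(file_mode "$key")" in
        ????------) return 0 ;;                        # e.g. -rw------- or -r--------
        *) echo "$key: mode $(file_mode "$key") is too open, use chmod 0600" >&2
           return 1 ;;
    esac
}

# Usage, run as root on the Icinga host (path is a placeholder):
#   private_key_ok /var/lib/nagios/.ssh/id_rsa nagios && echo "key usable by nagios"
```

The same check is worth running inside the service account itself (sudo -u nagios ...), which also catches a directory along the path that the daemon cannot traverse.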
This seems to be a popular question on Stack Overflow, but nothing seems to be working for me.
I will explain my problem first and then go to the solutions I have tried.
What I need to do is to ssh to serverB from serverA. For this I have set up RSA encryption on the servers and I can successfully ssh to serverB.
I use
ssh user@hostname
Now I want to execute certain commands on serverB. The first one is to switch to the app user. For this I need to run the sudo su - app command, but I also want to provide the password in the same line so that it doesn't prompt for the password again.
So I have first tried to run the sudo su - app command directly on serverB with the password, to test it out.
I have tried the following
echo "password" | sudo su - app
sudo -S <<< "password" su - app
echo "password" | sudo -S su - app
echo 'password' | sudo 'su -c - app'
However none of the above solutions work for me.
The closest I could get was with
echo "password" | script -c "sudo su - app"
where it accepts the password and shows me
app@hostname [/app]
$
However, when I run the command whoami it still shows me user instead of app. However, when I directly run sudo su - app, provide the password and then run whoami, it gives me app.
I am trying to run command with ssh like
ssh user@hostname -t 'echo "password" | script -c "sudo su - app"'
P.S. The user user doesn't have root access, and I also cannot make use of any plugin as I don't have permission to do so.
My server is Red Hat 6.2.
I hope I could explain it properly. Looking for some answers that can help.
Sorry for my bad English. Thanks for help.
If we set up ssh using rsa key encryption then we don't need to use the password.
In order to enable ssh with public/private key I follow
Generate the public/private key for the user on serverA:
ssh-keygen -t rsa
Go to the .ssh/id_rsa.pub file and copy the public key.
Log in to ServerB and then do sudo su - app to change to the app user. There, copy the public key into the file .ssh/authorized_keys.
Try ssh to serverB now from serverA like
ssh app@hostnameServerB
It works without asking for a password.
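An added example (mine, not from the answer above) that performs the answer's step 3 with a script instead of a hand-edit: it creates ~/.ssh and authorized_keys with the modes sshd insists on (with the default StrictModes yes, sshd ignores an authorized_keys file whose directory or file is group- or world-writable), adds a key only once, and can prefix the key with the restrict and command= options so that a key used for automation from serverA can run only the one command it is meant to run. The key lines and the forced command path are constructed for the example.

```sh
#!/bin/sh
# Added example: idempotent authorized_keys installation for a service account
# (the 'app' user from the thread), with optional forced command.
# Sample key material and command paths are constructed, not real.

# Append a public key line to $home/.ssh/authorized_keys if it isn't there yet.
# $1: home directory of the target account   $2: public key line
# $3 (optional): forced command; when given, the key is also marked 'restrict',
#                which disables port/agent/X11 forwarding and pty allocation.
install_authorized_key() {
    home=$1; pubkey=$2; forced=${3:-}
    sshdir="$home/.ssh"; akf="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 0700 "$sshdir" || return 1
    [ -f "$akf" ] || : > "$akf"
    chmod 0600 "$akf" || return 1
    # The base64 blob (second field) identifies the key; comparing on it means a
    # key re-sent with a different comment or options is not added twice.
    keyblob=$(printf '%s\n' "$pubkey" | awk '{ print $2 }')
    [ -n "$keyblob" ] || return 1
    if grep -qF -- "$keyblob" "$akf"; then
        return 0                                    # already installed
    fi
    if [ -n "$forced" ]; then
        printf 'restrict,command="%s" %s\n' "$forced" "$pubkey" >> "$akf"
    else
        printf '%s\n' "$pubkey" >> "$akf"
    fi
}

# Number of key lines currently installed for an account (comments excluded).
authorized_key_count() {
    grep -c '^[^#]*ssh-' "$1/.ssh/authorized_keys"
}

# Usage on serverB, as the app user, with the line copied from serverA's
# ~/.ssh/id_rsa.pub (placeholder):
#   install_authorized_key "$HOME" "$(cat /tmp/serverA_id_rsa.pub)" /usr/local/bin/app-task.sh
```

With the forced command in place, ssh app@hostnameServerB from serverA still authenticates without a password, but the session runs /usr/local/bin/app-task.sh regardless of what the client asked for, which is the shape you want when the private key lives in an automation account.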
I'd like to be able to sign into an ssh terminal, save the banner information, and immediately disconnect. For example, I can ssh into my terminal with:
sshpass -p[PASSWORD] ssh -p 2201 [USER_NAME]@ipaddress
I get the following login welcome banner:
Linux 2.6.21 #1 PREEMPT Tue Feb 1 16:12:56 CST 2011
Site ID: xml
Last login: Wed Aug 3 09:25:29 2016 from 156.98.4.11
I can pipe the "last login" information with
sshpass -p[PASSWORD] ssh -p 2201 [USER_NAME]@ipaddress > lastlogin.txt
However, this doesn't save the rest of the banner and I still have to hit ctrl+d to disconnect. Any help would be appreciated.
The "login welcome banner" is motd (message of the day).
The motd message should be located in /etc/motd and you should be able to copy it to your machine using the scp command.
The command to get the motd would look something like:
sshpass -p [PASSWORD] scp -P [PORT] [USER_NAME]@[IP_OR_HOST]:/etc/motd lastlogin.txt
Nemanja's command is great, but be aware that the login banner isn't always located in the same file. On Ubuntu systems it's located in /etc/issue.net. The safest way is to read the /etc/ssh/sshd_config file, where the Banner attribute is set.
grep Banner < /etc/ssh/sshd_config | cut -d' ' -f 2
Use this command to extract the file name.
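An added example (mine, not part of the answer above) that makes the grep/cut extraction stricter. The stock sshd_config ships with the commented line "#Banner none", which grep Banner still matches, and sshd itself skips comment lines, matches keywords case-insensitively, accepts either whitespace or "=" between keyword and value (the ssh_config in the earlier question uses the "=" form), uses the first occurrence, and treats "none" as no banner. Settings after a Match line are conditional, so the function stops there. The sample config lines are constructed; the user/host placeholders are the ones from the answers above.

```sh
#!/bin/sh
# Added example: read the Banner path from sshd_config the way sshd parses it.
# Run as: sh this_script.sh /etc/ssh/sshd_config

# Print the banner path from an sshd_config file; prints nothing when the
# keyword is absent and the literal word 'none' when it is set to none.
sshd_banner_path() {
    awk -F '[[:space:]=]+' '
        { sub(/^[[:space:]]+/, "") }                 # drop leading indentation
        /^#/ || /^$/ { next }                        # comment or blank line
        tolower($1) == "match" { exit }              # global section ends here
        tolower($1) == "banner" { print $2; exit }   # first occurrence wins, as in sshd
    ' "$1"
}

# Decide which remote file to fetch: the configured banner, or /etc/motd when
# sshd prints no pre-login banner (which is what the other answer assumes).
banner_source() {
    p=$(sshd_banner_path "$1")
    if [ -z "$p" ] || [ "$p" = none ]; then
        echo /etc/motd
    else
        echo "$p"
    fi
}

if [ $# -gt 0 ]; then
    src=$(banner_source "$1")
    echo "banner file to fetch: $src"
    # e.g. sshpass -p [PASSWORD] scp -P [PORT] [USER_NAME]@[IP_OR_HOST]:"$src" banner.txt
fi
```

Note that sshd_config is normally readable only by root, so the lookup has to happen on the server side (or via a sudo-permitted cat), while the banner file itself is world-readable and can be copied with scp as an ordinary user.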