I need to switch between two users using a shell script.
I used su and sudo for switching between users. The bottom line is that, it's prompting for user password every time, and I do not want that to happen.
I know the password; is there a way I can hard code it in the script itself, so that it will not prompt the user for a password?
Wouldn't a NOPASSWD clause in sudoers work? For example:
user1 ALL=(ALL:ALL) NOPASSWD: /bin/su user2
Allows user1 to su to user2 without password. If you only need to run a certain command as user2, add that to sudoers (through visudo) explicitly:
user1 ALL=(user2) NOPASSWD: /path/to/command
Then as user1 run:
sudo -k user2 /path/to/command
With the -S parameter sudo accepts the password from Standard Input. See: How to pass the password to su/sudo/ssh without overriding the TTY?
Related
This question already has answers here:
Pass commands as input to another command (su, ssh, sh, etc)
(3 answers)
Closed 1 year ago.
I wrote a short script that would ssh to a bunch of machines on a file called config that would iterate through the machines, ssh through them and create a new user on them. problem is - these commands require sudo privileges, and when I'm trying to execute sudo on them, I get a wrong password error, probably because sudo is not allowed over ssh? I'm not quite sure.
The code is as follows:
#!/bin/bash
read -p "enter remote admin username " adminuser
read -p "choose new username " newuser
read -p "choose new pass " newpass
while read -u10 HOST ; do ssh ${HOST} "uname -a" ;
sudo -S adduser --disabled-password --gecos "" $newuser
sudo -S chpasswd <<<"$newuser:$newpass"
sudo -S chown $newuser /home/$newuser
#sudo -S groupadd group
echo; echo "New user ${newuser} has been created on ${HOST}"
done 10< config.txt
It's worth to note I have set /etc/ssh/sshd_config PermitRootLogin to yes.
While we're at it, is there a way to minimize the amount of times i have to input my admin password? Right now I have to use it when I first ssh into the machine and when I execute a sudo command - so if I have 17 machines that's a minimum of 17 machines. I'd like to minimize that if possible.
Please do not set /etc/ssh/sshd_config PermitRootLogin to yes. No reason to play with fire unless necessary.
On the remote machine, use visudo to define a group like admin that never needs to enter a password in order to use sudo. Here are two lines from my /etc/sudoers file:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) NOPASSWD: ALL
Then add the user id to that Linux user group and the script will run as root without prompts for sudo passwords:
$ usermod -a -G admin my_user_name
I have a shell script which I need to execute from server A which executes commands in Server B as well. But I can execute those commands only being a root user in server B.
Manually if I login to server B then I have to change the user to root and execute delete commands. To automate this I am trying to write a script and execute from server A, but it asks me for password. How do I add my password in the script? (Though it is not recommended), or please suggest if any other way to tackle this.
Add your username in /etc/sudoers with nopasswd to remove password prompt
$ visudo
user ALL=(ALL) NOPASSWD: ALL
You can use sshpass command with -p option
sshpass -p 'your_password' ssh root#your_host ls
refer manual of sshpass for more options
Was trying to figure out how to execute a sudo command with the password as a parameter.
echo mypassword | sudo -S command
was using this reference Use sudo with password as parameter
However, on OS X it keeps say "sudo: incorrect password attempt" however that passwords is correct.
what am i doing wrong?
As pointed out in the comments already, what you're doing is a very bad idea because it leaves the password of an account laying around. Instead, if you need to run a specific command with sudo from a script, you could -- and you should -- define that single command for one specific user in such a way that its execution is allowed without having to type in the password.
So, you should edit /etc/sudoers to include an entry for your specific user for that one, single, specific command with the tag NOPASSWD:
youruser yourhostname = (root) NOPASSWD: /some/path/your/command
Or if you really don't feel like typing in the hostname of your computer, then go for:
youruser ALL = (root) NOPASSWD: /some/path/your/command
That way you will possibly leak the ability of executing that one, single command as root instead of leaking your password and with it the possibility of running any commands as root.
I'm working on a script in which I need to change the user, i have sudo access, i tried something like below but without success.
echo $passwd | sudo -S su - oracle
I even tried installed ssshpass but no success with that either. Is that even possible or do I need to install something else to make this work?
Any idea
If you will run your script with root account, you can just
message="The cake is a lie"
su username -c 'echo $message'
If you will run your script with another user you have two ways to do that,
1) Configuring pam like bellow so when you run su user2 -c 'command' logged with user1, linux will not ask for password.
Add the following lines right below the pam_rootok.so line in your /etc/pam.d/su:
auth [success=ignore default=1] pam_succeed_if.so user = user2
auth sufficient pam_succeed_if.so use_uid user = user1
The first line makes sure the target user is user2. If it is, the next line will take control and succeed authorization if the calling user is user1.
If the target user is something else, the second line will be ignored and the usual authentication steps will be performed.
2) Write your script using expect as here
I'm wanting to make a simple program that runs each time on login behind the UI. In my applescript I'm running a sudo command that requires admin authentication. Is there a way to overwrite the need for authentication each time it runs? I don't want to have to type my username and password each time this script runs after login. any help? (and in very simple terms to as I'm a novice.)
Much Thanks!
You can put your username and password in the applescript command so that it doesn't ask for those credentials. However note that these items are stored as plain text inside the applescript and thus it's possible for others to see them. It's not really secure but it's up to you to decide if it's safe. NOTE: you don't need "sudo" in the command any longer.
do shell script "whatever" user name "username" password "password" with administrator privileges
There are methods where you can store your password in the Keychain and retrieve it from the applescript, thus making it secure. If you want to do that then you create the password item as follows.
Open Keychain Access application and select the keychain in the left column. Then click File>New Password Item..., give it a name, put your account shortname in account, and enter the password. Highlight it in the password list and get information on it. Under the Attributes button enter its kind as generic key. This is chosen because there aren't many of them and the search is much faster. Whatever name you give to it must be put in the code below in "Your Password Name".
Now from applescript you can use it like this...
set myPass to getPW()
do shell script "whatever" user name "username" password myPass with administrator privileges
on getPW()
do shell script "security 2>&1 >/dev/null find-generic-password -gl \"Your Password Name\" | awk '{print $2}'"
return (text 2 thru -2 of result)
end getPW
Good luck!
Another solution is editing the
etc/sudoers
configuration file.
A setting on that file can allow a specific user to execute a specific commands (with... yes... specific parameters) as super user.
If the command itself is not the problem, but the problem is exposing the password in the code then this may be the solution.
The sudores file should be edited running the command visudo as super user.
Before you start tampering with sudoers I strongly suggest you to get a basic knowledge of visudo and the sudoers syntax, as messing that file may causes serius issues to the system.
As you know what you are doing is just a matter of adding a couple of lines.
For information you may Google or start here http://www.sudo.ws/sudoers.man.html
If you want all Administrator accounts to be able to use the sudo command without entering a password, then do the following.
Change the line shown below in the /private/etc/sudoers file from
%admin ALL=(ALL) ALL
to
%admin ALL=(ALL) NOPASSWD: ALL
This edit can be accomplished, by using the Terminal and TextEdit applications. Open the Terminal application and type the following commands:
cd ~/desktop
sudo cp -n /etc/sudoers /etc/sudoers.orignal
sudo cp /etc/sudoers sudoers.txt
sudo chmod ug+w sudoers.txt
open sudoers.txt
visudo -c -f sudoers.txt
sudo cp -X sudoers.txt /etc/sudoers
When done, the sudoers.txt file on your desktop can be put in the trash.
To undo your changes, use the command:
sudo cp /etc/sudoers.original /etc/sudoers
This was tested using OS X 10.10.1
If you want to do the same for a single user then see:
http://hints.macworld.com/article.php?story=20021202054815892
Below is a brief explanation of what each command does:
cd ~/desktop
This makes sure you are working from your desktop folder.
sudo cp -n /etc/sudoers /etc/sudoers.original
This backups your sudoers file. The backup can be used to undo your changes. The -n option insures that an existing sudoers.original file will not be overwritten.
sudo cp /etc/sudoers sudoers.txt
Copies the sudoers file to your desktop. The .txt extension is added so OS X will know this is a text file.
sudo chmod ug+w sudoers.txt
Changes the file’s permissions to allow write access.
open sudoers.txt
Opens the file in the TextEdit application. You need to edit the file and save the changes.
visudo -c -f sudoers.txt
Checks the edited file for syntax errors. The output should be sudoers.txt: parsed OK.
sudo cp -X sudoers.txt /etc/sudoers
Copies the file back to the /etc directory.