The correct way to sudo over ssh

I have a script that runs another script via SSH on a remote server using sudo. However, when I type in the password, it is displayed on the terminal. (Otherwise, it works fine)

ssh user@server "sudo script" 

What is the correct way to do this so that I can enter the password for sudo via SSH without the password appearing as I type?

+133
ssh sudo
Apr 25 '12 at 6:15
9 answers

Another way is to use the -t switch for ssh :

 ssh -t user@server "sudo script" 

See man ssh :

  -t Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g., when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.
+221
Apr 25 '12 at 9:18

I was able to fully automate it with the following command:

 echo pass | ssh -tt user@server "sudo script" 

Benefits:

  • no password request
  • will not show the password in the history of the remote machine

As for security: as Kurt said, when you run this command, your password will be displayed in your local bash history, and it's better to save the password in another file or save the whole command in a .sh file and execute it. NOTE: The file must have the correct permissions so that only authorized users can access it.

+11
Nov 07 '18 at 12:25

Assuming you don't want to ask for a password :

 ssh $HOST 'echo $PASSWORD | sudo -S $COMMAND' 

Example

 ssh me@localhost 'echo secret | sudo -S echo hi' # outputs 'hi' 
+4
Jan 28 '18 at 19:46

Sudo via SSH with password passing, tty is not required:

You can use sudo over ssh without forcing ssh to allocate a pseudo-tty (without using the ssh "-t" switch) by telling sudo not to require an interactive password and to just get the password from standard input. This can be done using the "-S" switch on sudo. This causes sudo to listen for the password on stdin and stop listening when it sees a newline.

Example 1. A simple remote command

In this example, we send a simple whoami :

 $ ssh user@server cat \| sudo --prompt="" -S -- whoami << EOF
 > <remote_sudo_password>
 > EOF
 root

We tell sudo not to issue a prompt and to take its input from stdin. This makes sending the sudo password completely silent, so the only answer you get is the output from whoami .

The advantage of this method is that you can run programs through sudo via ssh which themselves require stdin. This is because sudo consumes the password on the first line of standard input, and then lets whatever program it runs continue to read standard input.

Example 2 - A remote command that requires its own standard input

In the following example, the remote "cat" command is executed via sudo, and we provide several additional lines via stdin to be displayed by the remote cat.

 $ ssh user@server cat \| sudo --prompt="" -S -- "cat" << EOF
 > <remote_sudo_password>
 > Extra line1
 > Extra line2
 > EOF
 Extra line1
 Extra line2

The output demonstrates that the string <remote_sudo_password> is used by sudo, and that the remotely executed cat displays the additional lines.

An example of where this might be useful is if you want to use ssh to pass the password to the privileged command without using the command line. Say, if you want to mount a remote encrypted container over ssh.

Example 3. Mounting a VeraCrypt Remote Container

In this sample script, we remotely mount the VeraCrypt container via sudo without any additional help text:

 #!/bin/sh
 ssh user@server cat \| sudo --prompt="" -S -- "veracrypt --non-interactive --stdin --keyfiles=/path/to/test.key /path/to/test.img /mnt/mountpoint" << EOF
 SudoPassword
 VeraCryptContainerPassword
 EOF

It should be noted that in all the above command line examples (everything except the script), the << EOF construct on the command line will lead to writing everything typed, including the password, to the local computer's .bash_history. Therefore, it is highly recommended that you either do this entirely through a script, as in the example with veracrypt above, or, if on the command line, put the password in a file and redirect this file through ssh.

Example 1a - Example 1 without a local command line password

Thus, the first example would be:

 $ cat text_file_with_sudo_password | ssh user@server cat \| sudo --prompt="" -S -- whoami
 root

Example 2a - Example 2 without a local command line password

and a second example would be:

 $ cat text_file_with_sudo_password - << EOF | ssh va1der.net cat \| sudo --prompt="" -S -- cat
 > Extra line1
 > Extra line2
 > EOF
 Extra line1
 Extra line2

It is not necessary to put the password in a separate file if you put all this into a script, since the contents of the scripts do not fall into your history. However, this can be useful if you want to allow users who do not see the password to execute the script.

+2
Nov 19 '18 at 2:18
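Added example, not part of the original answers: a small POSIX shell wrapper for the password-file variant (Examples 1a/2a) that also enforces the file-permission note from the earlier answer. The function names are hypothetical, and the wrapper goes one step beyond the answers by guaranteeing the password arrives as exactly one newline-terminated line.

```shell
#!/bin/sh
# Added example: helper names, hosts and file names are assumptions,
# not taken from the answers above.

# Succeeds only if the password file is a regular file (not a symlink),
# owned by the caller, with no group/other permission bits (600 or 400).
secret_file_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Writes what the remote "sudo -S" should read on stdin: the password as
# exactly one newline-terminated line, followed by this function's stdin.
# awk prints a newline even when the file has none, so the password can
# never run together with the first payload line.
sudo_stdin_stream() {
    secret_file_ok "$1" || { echo "refusing $1: fix owner/mode" >&2; return 1; }
    awk 'NR == 1 { print; exit }' "$1"
    cat
}

# Usage: sudo_over_ssh <password-file> <user@host> <command> [args...]
# Input for the remote command is read from this function's stdin.
# The password never appears in argv or shell history on either side.
# Note: ssh joins the command words and the remote shell parses them
# again, so arguments containing spaces need quoting for the remote side.
sudo_over_ssh() {
    pwfile=$1
    target=$2
    shift 2
    # Check before starting ssh so no session is opened on a bad file.
    secret_file_ok "$pwfile" || { echo "refusing $pwfile: fix owner/mode" >&2; return 1; }
    sudo_stdin_stream "$pwfile" | ssh "$target" cat \| sudo --prompt="" -S -- "$@"
}
```

For a command that needs no input of its own, redirect the wrapper's stdin from /dev/null, for example `sudo_over_ssh ~/.sudo_pw user@server whoami < /dev/null`.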

NOPASS in the configuration on your target machine is the solution. Continue reading http://maestric.com/doc/unix/ubuntu_sudo_without_password

0
Apr 25 '12 at 6:25

The best way is ssh -t user@server "sudo <scriptname>" , for example ssh -t user@server "sudo reboot" . First, the password for the user will be requested, and then root (since we are running a script or command with root privileges).

I hope this helps and clears your doubts.

0
Dec 01 '16 at 15:20
 echo $VAR_REMOTEROOTPASS | ssh -tt -i $PATH_TO_KEY/id_mykey $VAR_REMOTEUSER@$varRemoteHost echo \"$varCommand\" | sudo bash 
0
Sep 13 '19 at 22:38

I ran into a problem

 user1@server1$ ssh -q user1@server2 sudo -u user2 rm -f /some/file/location.txt
 Output: sudo: no tty present and no askpass program specified

Then I tried with

 #1 vim /etc/sudoers
 Defaults:user1 !requiretty

does not work

 #2 user1 ALL=(user2) NOPASSWD: ALL 

it worked correctly!

-1
Jul 17 '18 at 5:04

Depending on your use, I have had success with the following:

 ssh root@server "script" 

This will prompt for the root password and then execute the command correctly.

-6
Aug 07 '13 at 16:43