How to remote execute ssh command a sudo command without password
Solution 1
you can tell sudo to skip password for some command.
e.g. in /etc/sudoers
archemar ALL = (www-data) NOPASSWD: /bin/rm -rf /var/www/log/upload.*
this allow me to use
sudo -u www-data /bin/rm -rf /var/www/log/upload.*
as archemar without password.
Note that
sudo -u www-data rm -rf /var/www/log/upload.*
won't work (will ask a password) as rm
differ from /bin/rm
. (*)
Be sure to edit /etc/sudoers
using visudo
command.
Once you've reach advanced level, you might whish to have your own sudo files in /etc/sudoers.d
.
(*) this change in modern OS (redhat 7.x circa 2022) if rm
in your path match /bin/rm
in sudoers.conf
you might use rm
.
Solution 2
The most simple way is to provide password from stdin
if your sudo
supports that (-S key)
ssh -t admin@remotehost "echo <yourpassword> |sudo -S <yourcommand>"
Solution 3
If the accounts are linked somehow it makes no sense to allow ssh for one and not the other. Here is what I would do instead:
- enable ssh for root, allowing only access with ssh keys and not with a password
- create a new key that will be used only for your specific command
- put the key and the command you need to execute in
authorized_keys
of root, so that as soon as a connection is made with this key, the command is launched.
This is secure because in that way the caller can not have a shell nor execute any other command (even if he provides one).
You can see an example here: https://stackoverflow.com/questions/402615/how-to-restrict-ssh-users-to-a-predefined-set-of-commands-after-login with the command=
syntax. You can also do the same thing by embedding the command in the certificate if you use certificates instead of keys, or do it globally using the configuration option ForceCommand
See http://larstobi.blogspot.com/2011/01/restrict-ssh-access-to-one-command-but.html for another example (which illustrates that you need to take into account parameters of your command)
Related videos on Youtube
izack
Updated on September 18, 2022Comments
-
izack over 1 year
I have a linux (debian based) server which is configured to allow SSH session to the user 'admin', but not the user 'root'. Both these accounts are linked somehow because they share the same password.
During an SSH session as admin, 'sudo' is required to run commands, unless I switch to the user 'root'.
I have some services on which I need to run now and then, or even at system startup. I'm currently using private/public key mechanism to remote execute commands on the server. Some of the commands are manually typed, others are shell scripts that I execute. Currently the server still asks for password when a command has uses sudo.
Question: How can remote execute as user 'admin' without supplying the password? Is it possible to use a private/public key to satisfy sudo? Or perhaps even a way to start shell scripts as the user 'root'?
Is it even possible to avoid having to type the password using sudo? If not, are they other alternatives for situation like mine?
-
Kusalananda over 6 yearsThis depends on the configuration of
sudo
on the remote host. -
Eugen Konkov about 5 years
-
-
izack over 6 yearsMy sudo does support the -S key. Good to know about this. I will keep this as an alternative. because generally I prefer avoiding to type my root password at all. But thanks for the input
-
izack over 6 yearsThis might just be what I'm looking for. I will have to put it to test and see.
-
izack over 6 yearsThis was a great input. Thank you so much. Luckily I discovered the dangers of editing that file before actually doing it. For future visitors, you MUST use the 'visudo' tool to edit, and be careful not to change the owner of the file or you risk lockout.
-
Patrick Mevzek over 6 yearsThis is bad because the password will be shown in many places (on screen, in process list, in history files)
-
izack over 6 yearsHi Patrick. I did some digging and I now believe the accounts aren't linked per-se but rather just share the same password. Changing 1, causes the other to change. But yes, it does not make sense when both share the same password, as getting hold of admin password will let you act as root anyway. Your solution sounds interesting. How do I setup a key that will be used only for specific command or commands? Any example or link to resource will be greatly appreciated.
-
Patrick Mevzek over 6 yearsI edited my answer with more info. Your case about one password for two accounts is strange. Are you sure they are not the same account? The name does not count, you have to compare their UID. Launch command
id
under both account and compare the result at beginning (uid=...
) -
izack over 6 yearsThanks for the resource. I checked the uid and they do not match. So definitely no the same account
-
somethingSomething about 5 years-1 This is bad because the password is seen by many places
-
Andrea about 4 yearsMaybe inserting the password inside an environment files makes this solution more acceptable. I.e.
ssh -t admin@remotehost "echo $YOUR_PASSWORD | sudo -S <yourcommand>"
, defining the aliasYOUR_PASSWORD
in the~/.bashrc
file.