How to run sudo commands remotely via ssh -t?
Maybe disabling the requiretty option in sudoers and running ssh without the -t flag (or with -T) works.
Add something like this to sudoers (untested):
Defaults:{your ssh user} !requiretty
Combine that with the NOPASSWD you're already using and you should be able to run the sudo command without a pseudo-tty allocated.
You could also change requiretty for the command instead of the user.
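The per-command form mentioned above, as an added example that is not part of the original answer: the drop-in is rendered, syntax-checked with visudo -cf before it is installed, and the restart is then invoked without a pty. The account deploy, the service middleware, the path /usr/sbin/service and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: account "deploy", service
# "middleware", and /usr/sbin/service as the path sudo resolves for `service`.

# Accept only simple names so nothing unexpected is written into sudoers.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print a drop-in: requiretty lifted for one command, one exact NOPASSWD rule.
render_dropin() {
    user=$1 svc=$2
    if ! valid_name "$user" || ! valid_name "$svc"; then
        echo "invalid user or service name" >&2
        return 1
    fi
    cat <<EOF
# Per-command Defaults name the path only; sudoers allows no arguments here.
Defaults!/usr/sbin/service !requiretty
# Exact command line, no wildcard: NOPASSWD covers this restart only.
$user ALL=(root) NOPASSWD: /usr/sbin/service $svc restart
EOF
}

# Run as root on the remote host. visudo -cf syntax-checks the candidate
# first, since a broken file in /etc/sudoers.d can break sudo for everyone.
install_dropin() {
    user=$1 svc=$2 rc=1
    tmp=$(mktemp) || return 1
    if render_dropin "$user" "$svc" > "$tmp" && visudo -cf "$tmp" &&
       install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/${user}_${svc}"
    then rc=0; fi   # target name has no '.', which sudo would skip
    rm -f "$tmp"
    return $rc
}

# Run from the calling script: -T allocates no pty; BatchMode and sudo -n
# turn any password prompt into an immediate failure instead of a hang.
remote_restart() {
    host=$1 svc=$2
    valid_name "$svc" || return 1
    ssh -T -o BatchMode=yes -- "$host" sudo -n /usr/sbin/service "$svc" restart
}

render_dropin deploy middleware   # show the candidate file
```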
Alex Bonta
Updated on September 18, 2022
Comments
-
Alex Bonta over 1 year
I have a script that logs into a remote host via ssh -t and uses sudo service foo restart.
The requirement is to avoid the prompt for a password on the remote host. The remote host authenticates via SSH certificate. The sudoers file on the remote host allows that user to execute the service command with NOPASSWD.
However, during my tests, I'm prompted for a password and this is unacceptable. If I run this manually without the -t flag, it works. However the -t flag throws everything off.
Is there a way around this?
-
Admin almost 11 years
What do the authentication logs say? Typically auth.log or secure in /var/log.
-
Admin almost 11 years
Are you sure that NOPASSWD is set? Remember that only the last match in sudoers counts. Also remember that if sudo doesn't prompt you for a password, it can be because of the cache, so make sure to flush it before each test with sudo -k.
-
Admin over 7 years
What are the contents of the NOPASSWD line? Why is -t needed? Another option is to create a key for just that command, going directly to root, and use the command="" parameter in the authorized_keys file. (Passwordless SSH keys allowing for a full root login can be a huge security risk...)
-
Alex Bonta almost 11 years
We already have the ssh keys in their proper place. That part works. There's something about how ssh -t created a pseudotty that is affecting my ability to execute sudo commands where the user has NOPASSWD enabled. What's happening is that this script logs into a server, parses a list of servers that are our middleware servers, then does an ssh -t "sudo service middleware restart" operation via shell script. The problem is that when the script iterates through the list, the user is prompted for a password despite NOPASSWD being set in the sudoers file.
-
Ragnar Lodbrog about 8 years
But you need a key pair for it; if the key pair has a passphrase, you can use keychain.