3

I wanted to sudo to a different user after ssh'ing into a remote server. For this I tried the following:

cat remote-test.sh
ssh -t -t abcuser@test-server.net 'bash -s' << EOF
  /tmp/test.sh
EOF

When I execute remote-test.sh from development-server.net, I wanted to ssh to test-server.net as abcuser and then sudo as xyzuser.

cat /tmp/test.sh

echo "password" | sudo -S su - xyzuser
cd /tmp/some/directory

Can someone please advise how to pass a password while doing sudo su in a script?

kumar
  • With sudo-privileges, the command is executed as root; `sudo su [username]` shouldn't require a password. It would be the same as, while logged in as root, running `su [username]`. –  Jul 19 '12 at 20:27
  • 1
    As I may see, you don't want to grant remote access to `xyzuser`. But what you're trying to achieve is bad practice. – triclosan Jul 19 '12 at 20:27
  • @newfurniturey you do get prompted for password when doing `sudo command` – c0mrade Jul 19 '12 at 20:46
  • 1
    @ant it depends on the sudo config, of course... Perhaps you should just configure sudo to allow the remote user to run that one command as the other user with NOPASSWD. See `man sudoers` for details. –  Jul 19 '12 at 20:48
  • @FatalError true story, I was referring to the default behavior (should have mentioned that perhaps). – c0mrade Jul 19 '12 at 20:51
  • Any idea how to sudo to the remote user (xyzuser) after I ssh as abcuser, by passing the password along with the sudo command? –  Jul 19 '12 at 20:55
  • @phani, Hi. Did you find out the solution for this? Thank you in advance for responding –  Aug 01 '12 at 17:33

3 Answers

2

You set up password-less ssh to localhost as user xyzuser for abcuser to achieve what you're trying to do. You'll need to add abcuser's public key as an authorized_key for xyzuser.

Then when you're logged in as abcuser, you can do:

ssh xyzuser@localhost do_something_as_xyzuser

If you've blocked ssh access to xyzuser, allow it only through loopback. If you're on Linux, see your /etc/security/access.conf or equivalent on how to do that.

jman
  • So you are basically suggesting to use a private key. –  Jul 20 '12 at 03:53
  • Yes, that's what he's suggesting. Allowing your initial user to ssh directly to xyzuser@test-server.net via a pre-authorised keypair is a great deal less insecure than embedding passwords in scripts and trying to pass them to `sudo`. – MadHatter Jul 20 '12 at 11:14
  • OP does not have problems with accessing the server remotely, but needs to raise privileges *after* logging in. – pkhamre Jul 20 '12 at 11:38
  • 1
    @pkhamre, am just looking at the end goal. – jman Jul 20 '12 at 16:26
2

Drop using su and configure sudo with the correct permissions. That involves editing /etc/sudoers and adding an entry allowing a user to execute a command without providing a password.

You could either make it a bit advanced

User_Alias SCRIPT_USER = johndoe
Cmnd_Alias SCRIPT_PATH = /usr/local/bin/myscript.sh

SCRIPT_USER ALL = NOPASSWD: SCRIPT_PATH

Or acquire the same thing with a single line.

johndoe ALL = NOPASSWD: /usr/local/bin/myscript.sh
pkhamre
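
The sudoers approach applied to the question's abcuser/xyzuser case, as an added example that is not part of the original answers. The helper function names and the drop-in file name are hypothetical, and the script path is the illustrative one from the answer above.

```shell
#!/bin/sh
# Added example. abcuser, xyzuser and the script path are illustrative values.

# make_rule CALLER TARGET COMMAND
# Prints one sudoers line letting CALLER run exactly COMMAND as TARGET without a
# password; rejects input that would widen the rule (wildcards, spaces, relative paths).
make_rule() {
    caller=$1 target=$2 cmd=$3
    for name in "$caller" "$target"; do
        case $name in
            ''|*[!a-z0-9_-]*) echo "bad user name: $name" >&2; return 1 ;;
        esac
    done
    case $cmd in
        /*) ;;
        *)  echo "command must be an absolute path: $cmd" >&2; return 1 ;;
    esac
    case $cmd in
        *[!A-Za-z0-9_./-]*) echo "unsafe characters in: $cmd" >&2; return 1 ;;
    esac
    printf '%s ALL = (%s) NOPASSWD: %s\n' "$caller" "$target" "$cmd"
}

# script_not_writable PATH
# Succeeds only if PATH is not group- or world-writable. A NOPASSWD rule is only as
# tight as the file it names: if the caller can edit it, the rule grants everything.
script_not_writable() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# write_dropin FILE RULE
# Writes RULE with mode 0440 and syntax-checks it with visudo when that is installed.
write_dropin() {
    printf '%s\n' "$2" > "$1" || return 1
    chmod 0440 "$1"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1" >/dev/null || { rm -f "$1"; return 1; }
    fi
}

# Rule for the question's scenario; as root it would be installed with, for example:
#   write_dropin /etc/sudoers.d/abcuser-myscript "$(make_rule abcuser xyzuser /usr/local/bin/myscript.sh)"
# and remote-test.sh would then call, with no password anywhere:
#   ssh abcuser@test-server.net 'sudo -n -u xyzuser /usr/local/bin/myscript.sh'
make_rule abcuser xyzuser /usr/local/bin/myscript.sh
```

With `sudo -n`, a missing or mistyped rule makes the remote command fail immediately instead of waiting on a password prompt.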
1

I highly suggest that you use the solution proposed by @pkhamre (properly configured sudoers file). It is the best option, and gives the administrator maximum control.

If that is not achievable then I suggest that you use the solution of @skjaidev (ssh authorized_keys). This does not require you to have admin permissions, only access to both accounts, so may be suitable for more cases.

But if for some reason neither of those solutions works for you...

Then you want to use expect for this. It's probably already on your machine. It's the standard tool for any kind of interactive command-line automation.

Zac Thompson