
Greets all.

I need a 'basics-202' question answered; it's been a while.

From a cronjob, how do I automatically ssh to a remote box to retrieve information that normally requires root equivalence to see?

Details:

all of my boxes have

  1. root logins disabled via /etc/login.block.

  2. root login via ssh blocked in /etc/ssh/sshd_config: PermitRootLogin no

  3. all ssh logins are via pub/priv keypair. Manual passwords are disabled. PasswordAuthentication no

  4. I've set up a limited uid 'automate' with a keypair that is used for automated ssh connectivity tasks (for use in cron jobs, for example). 'automate' is obviously not a sudoer or in wheel or a group 0 userid.

All well and good (and probably incomplete, but that's another post).

But...

There are things that apparently require root equivalence to do, such as 'netstat -patn' to look at -all- tcp connections.

$ netstat -patn

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)

or

('apt-mirror' is the hostname of the remote box)

$ ssh apt-mirror netstat -patn
(No info could be read for "-p": geteuid()=1008 but you should be root.)
Active Internet connections (servers and established)

If you are in an interactive session, then to look at all tcp connections you type:

$ sudo netstat -patn

But I don't think this can be done over an automated ssh session.

$ ssh -t apt-mirror sudo netstat -patn
[sudo] password for automate: <hangs here>

For a couple of reasons:

  1. sudo interactively wants the 'automate' password
  2. 'automate' is not a sudoer anyway.

I can probably mickeymouse something to do this, but I'd really rather do it right. (Is ssh even the right approach for this type of activity?) Question is, what is the proper way to do something like this?

Thanks!

user52874
  • sudo is often used to give wholesale root access to a user, but it's much more powerful than that. You can allow the 'automate' user to run just one command as root, without prompting for the password. – Sirex Apr 23 '13 at 23:57

2 Answers


Edit /etc/sudoers (using visudo) on the remote server, and allow your automate user to run these sudo commands specifically, without prompting for a password.

You can't do "things that need root privileges" without root privileges.

TessellatingHeckler
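One way to implement what this answer describes, as an added example that is not part of the original answer: it assumes the remote user is 'automate', netstat lives at /bin/netstat and sudo at /usr/bin/sudo, and it pairs the per-command NOPASSWD rule with a forced command on the cron key so that key cannot be used for anything but that one netstat call.

```shell
#!/bin/sh
# Constructed example (not from the original answer): confine the 'automate'
# account to exactly one root command on the remote host.
# Assumptions: remote user 'automate', netstat at /bin/netstat, sudo at /usr/bin/sudo.

AUTOMATE_USER=automate
NETSTAT=/bin/netstat

# 1. sudoers drop-in: only this exact command line, and no password prompt.
#    The argument list is part of the rule, so 'sudo netstat -r' is still refused.
#    !requiretty matters on systems whose default sudoers sets requiretty, since a
#    cron-driven ssh session has no tty (the reason for the 'ssh -t' in the question).
sudoers_fragment() {
  cat <<EOF
Cmnd_Alias NETSTAT_ALL = $NETSTAT -patn
Defaults:$AUTOMATE_USER !requiretty
$AUTOMATE_USER ALL=(root) NOPASSWD: NETSTAT_ALL
EOF
}

# 2. authorized_keys line for the cron key: sshd runs the forced command whatever
#    the client asks for, and the key gets no pty and no forwarding.
authorized_key_line() {
  pubkey=$1
  printf 'command="/usr/bin/sudo %s -patn",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
    "$NETSTAT" "$pubkey"
}

# 3. Install the drop-in only after visudo has checked it: a syntax error in
#    sudoers locks everyone out of sudo on that box.
install_fragment() {
  tmp=$(mktemp) || return 1
  sudoers_fragment > "$tmp"
  if visudo -c -f "$tmp" >/dev/null; then
    install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$AUTOMATE_USER"
  else
    echo "sudoers fragment rejected by visudo, not installed" >&2
    rm -f "$tmp"; return 1
  fi
  rm -f "$tmp"
}

# Run as root on the remote host with 'install' to apply the sudoers part;
# without arguments it only prints both fragments for review.
if [ "${1:-}" = install ]; then
  install_fragment
else
  sudoers_fragment
  authorized_key_line "ssh-ed25519 PLACEHOLDER_PUBLIC_KEY automate@cron"
fi
```

The cron job on the collecting side then only needs `ssh -i <cron key> automate@apt-mirror`; with the forced command in place, whatever command the client passes is ignored and the netstat output comes back as root would see it.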

From the examples you've given, you're doing some kind of monitoring, as opposed to performing actions (service httpd status vs. service httpd restart).

Given your environment around the root restrictions, I would personally use something like Nagios NRPE to get the information you need. NRPE is designed to hand out information while never offering any kind of potentially interactive session. You can define your own commands that are allowed to be executed by a remote host, and restrict which remote host(s) are allowed to.

In your examples, you could add something like:

command[all_net_conns]=/usr/bin/sudo /bin/netstat -patn

You would need to allow corresponding passwordless sudo access for the Nagios/NRPE user, but you can limit it to the commands required, and lock the account so no-one can actually access it.

The downside of course is that there is no username/password/keypair etc. authentication or authorization around access; a host either can or can't access the NRPE service to obtain information.

fukawi2