-1

My script is coded in a way that doesn't allow you to connect to a server directly by root. This code basically copies files from a server to my computer and it works but I don't have access to many files because only root can access them. How can I connect to a server as a user and then copy its files by switching to root?

Code I want to change:

sshpass -p "password" scp -q -r username@74.11.11.11:some_directory copy_it/here/

In other words, I want to be able to remotely copy files which are only accessible to root on a remote server, but don't wish to access the remote server via ssh/scp directly as root.

Is it possible through only ssh and not sshpass?

Redson
  • Do you have the option of creating a wheel group on the server that is granted access to the files you need? – S. Ahn May 29 '14 at 20:50
  • I'm a beginner with bash scripting so I don't know what creating a wheel group is – Redson May 29 '14 at 20:51
  • It's a group with root-like privileges so that you can grant certain access without giving full root privileges. I don't know why I asked because I don't even know if it would help in your situation. – S. Ahn May 29 '14 at 20:53
  • I don't think it helps in my case because only one person is running this, not a group? Sorry if I'm misunderstanding something – Redson May 29 '14 at 20:56
  • @sashoalm Read the question again. It was a programming question but my structure was wrong. – Redson May 30 '14 at 20:39

1 Answer

1

If I understand your question correctly, you want to be able to remotely copy files which are only accessible to root on the remote machine, but you don't wish to (or can't) access the remote machine via ssh/scp directly as root. And a separate question is whether it could be done without sshpass.

(Please understand that the solutions I suggest below have various security implications and you should weigh up the benefits versus potential consequences before deploying them. I can't know your specific usage scenario to tell you if these are a good idea or not.)

When you ssh/scp as a user, you don't have access to the files which are only accessible to root, so you can't copy all of them. So you need to instead "switch to root" once connected in order to copy the files.

"Switching to root" for a command is accomplished by prefixing it with sudo, so the approach would be to remotely execute commands which copy the files via sudo to /tmp on the remote machine, change their owner to the connected user, and then remotely copy them from /tmp:

ssh username@74.11.11.11 "sudo cp -R some_directory /tmp"
ssh username@74.11.11.11 "sudo chown -R username:username /tmp/some_directory"
scp -q -r username@74.11.11.11:/tmp/some_directory copy_it/here/
ssh username@74.11.11.11 "rm -r /tmp/some_directory"

However, sudo prompts for the user's password, so you'll get a "sudo: no tty present and no askpass program specified" error if you try this. So you need to edit /etc/sudoers on the remote machine to authorize the user to use sudo for the needed commands without a password. Add these lines:

username ALL=NOPASSWD: /bin/cp
username ALL=NOPASSWD: /bin/chown

(Or, if you're cool with the user being able to execute any command via sudo without being prompted for password, you could instead use:)

username ALL=NOPASSWD: ALL

Now the above commands will work and you'll be able to copy your files.

As for avoiding using sshpass, you could instead use a public/private key pair, in which a private key on the local machine unlocks a public key on the remote machine in order to authenticate the user, rather than a password.

To set this up, on your local machine, type ssh-keygen. Accept the default file (/home/username/.ssh/id_rsa). Use an empty passphrase. Then append the file /home/username/.ssh/id_rsa.pub on the local machine to /home/username/.ssh/authorized_keys on the remote machine:

cat /home/username/.ssh/id_rsa.pub | ssh username@74.11.11.11 \
"mkdir -m 0700 -p .ssh && cat - >> .ssh/authorized_keys && \
chmod 0600 .ssh/authorized_keys"

Once you've done this, you'll be able to use ssh or scp from the local machine without password authorization.

Ivan X
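A check an administrator could run over sudoers rules like those in the answer, as an added example that is not part of the original answer: it flags NOPASSWD entries that grant `ALL` or a file-manipulating command with no arguments pinned (sudo then accepts any arguments, so `cp` or `chown` can act on any file), and it passes a rule limited to a single wrapper script. The risky-command list, the `deploy` and `backup` users and the wrapper path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag NOPASSWD sudoers rules that amount to unrestricted root.
# RISKY_CMDS is an illustrative, non-exhaustive assumption.
RISKY_CMDS="/bin/cp /bin/chown /bin/chmod /bin/mv /usr/bin/cp /usr/bin/chown"

# Reads sudoers text on stdin, prints "user<TAB>command<TAB>reason" per finding.
audit_nopasswd() {
    awk -v risky="$RISKY_CMDS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    { sub(/#.*/, "") }                      # drop comments (simplified parsing)
    !/NOPASSWD:/ { next }
    {
        user = $1
        spec = $0
        sub(/.*NOPASSWD:[ \t]*/, "", spec)  # keep only the command list
        m = split(spec, cmds, ",")
        for (i = 1; i <= m; i++) {
            k = split(cmds[i], w, " ")      # w[1] = path, w[2..k] = pinned args
            if (k == 0) continue
            if (w[1] == "ALL")
                reason = "any command as root"
            else if ((w[1] in bad) && k == 1)
                reason = "any arguments allowed"
            else
                continue
            printf "%s\t%s\t%s\n", user, w[1], reason
        }
    }'
}

# Constructed sample: the two rule styles from the answer, plus a hypothetical
# rule pinned to one root-owned wrapper script (path is an assumption).
sample_sudoers() {
    cat <<'EOF'
# constructed sample
username ALL=NOPASSWD: /bin/cp
username ALL=NOPASSWD: /bin/chown
deploy ALL=NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/local/sbin/export-some-directory
EOF
}

sample_sudoers | audit_nopasswd
```

On a real host, feed it the output of `sudo cat /etc/sudoers /etc/sudoers.d/*`; the parser handles only simple one-line rules.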