
The requirement is to SSH to the remote machine and execute sudo su - "wasadmin/user" -c "whoami" to know whether user1 has sudo access to the particular application user on the remote machine.

I tried the following, but something is missing in my command. Please help me with the above scenario.

sshpass -p 'Password' ssh -o StrictHostKeyChecking=no UserName1@$iP \
    'echo "your password"|sudo -S su wasadmin -c "hostname"'
    You simply cannot "pipe" the password into the sudo command. That would be a mile wide security issue. – arkascha Jun 23 '16 at 07:57
  • What you _can_ do in such a case: use the `/etc/sudoers` file to "white list" single commands for usage without having to specify a password. Be very strict in the selection though, again because of security issues, obviously. – arkascha Jun 23 '16 at 07:59
  • I have a requirement to validate the sudo access to appuser on 1500 servers. So, if I do it manually it will take a huge amount of time. – Shashikanth Bussa Jun 23 '16 at 08:00
  • I cannot whitelist for a single user, right? And imagine whitelisting on 1500 servers for one-time use is also a manual process. – Shashikanth Bussa Jun 23 '16 at 08:03
    You might want to look at something like `expect` for that. Though to me the whole task sounds _very_ strange, actually. Why would one want to offer "`sudo` access" to _app users_? Then you might also publish the root password right on your internet page. – arkascha Jun 23 '16 at 08:03
  • I am not looking for sudo access to appuser. The requirement is to validate the sudo access of a normal user to appuser: normaluser> sudo su - appuser. – Shashikanth Bussa Jun 23 '16 at 08:06
  • Sorry, still can't make any sense of that. But that does not change a thing. For very good reasons piping the password into `sudo` on the command line does not work, since it is not read from `stdin`. Nothing you can do about that. I mentioned an alternate approach further up, nothing more I can help with. – arkascha Jun 23 '16 at 08:25
  • Need to test the following: sshpass -p "password" ssh -t user@IP "sudo su - root -c 'ifconfig|whoami'" – Shashikanth Bussa Jun 23 '16 at 08:32
  • Specifically what happens when you run the command listed in your question? BTW @arkascha you _can_ pipe passwords to sudo. The sudo "-S" option causes it to read the password from standard input. – Kenster Jun 23 '16 at 10:19
  • @Kenster When we run the above, the user will ssh to the remote server; there the user will do sudo su - wasadmin and execute the command called hostname, and with the above we can confirm that the user has sudo access to the app user. – Shashikanth Bussa Jun 23 '16 at 10:30
  • @arkascha It is not a mile-wide violation to use a password on the command line, as for so many automation scripts we pass the password in text mode. The problem here is whether we can execute sudo su - appuser from the remote server or not. – Shashikanth Bussa Jun 23 '16 at 10:32
  • @ShashikanthBussa You didn't really answer your question. You described what you want to do, and you included a command that appears to do that. But you say "something missing". Does the command not work? What does it do that's wrong? What should it do that it's not doing? – Kenster Jun 23 '16 at 11:14
  • The command I mentioned is for reference... It is able to ssh to the remote server, then it is not able to perform the sudo su - wasadmin; instead it throws the message "password incorrect". – Shashikanth Bussa Jun 23 '16 at 11:20
  • I would like to know the exact command which can fulfill the requirement. It might be different from what I mentioned. – Shashikanth Bussa Jun 23 '16 at 11:21
  • Once more: you _cannot_ use a password in the command line call for `sudo`. There is no sense in asking again and again. I mentioned `expect` above which can be used for such things, but it is an ugly hack. If you do not want to look into that as I suggested twice, then sorry. – arkascha Jun 23 '16 at 13:00
  • And _yes_, it _is_ a huge security issue to specify a password on the command line out of two reasons: 1. everyone can read it in the process list and 2. it has to be stored somewhere which again makes it readable. That is one of the reasons why `ssh` prefers keys over passwords for example. – arkascha Jun 23 '16 at 13:02
  • @arkascha Yeah!!! You are right... It's a huge security issue. But, in a script you can take the user name and password as parameters from the command line, to avoid specifying them in a file or on the command line, so that no one can come to know the password after you are done with the work. In reality we do not manually mention the user id and password in a script; instead we make them arguments with $1 and $2, so that the script won't show the password and user name. – Shashikanth Bussa Jun 23 '16 at 13:07
  • You can indeed implement such scheme in a script - which only means that you _reopen_ the security issue the makers of `sudo` and `ssh` prevented with good intentions. The question is: _why should anyone do such thing?_ – arkascha Jun 23 '16 at 13:10
  • @arkascha Imagine that you need to validate whether you have sudo su - appuser access on 200000 servers. How do you validate that??? Do you really need to log in to each individual server and check it???? – Shashikanth Bussa Jun 23 '16 at 13:13
  • That is a totally different question. The "but how can I now do what I want" will not change the way those utilities are implemented. Not even if you hold your breath and turn blue, sorry. You would do better to invest your time and effort into finding an alternative. Which apparently you do _not_ do. – arkascha Jun 23 '16 at 13:15
  • Apart from that: if you do have control over how these servers are set up, then you can _easily_ take care that a specific command is white listed in the `sudoers` file as suggested hours ago. Especially since those servers certainly are virtual, so puppeted appliances. I really doubt that you operated 200000 physical server systems. If you do _not_ have that control, then most likely your "200000" servers are a botnet or similar. In that case: let's just stop this discussion, _OK_? – arkascha Jun 23 '16 at 13:16
  • @arkascha It's not a different question... In my question itself I mention the same, to validate the sudo access... Do you have any other solution apart from this which is not a security violation, or do you log in to no. of servers manually and check? It's not about 200000 or 2000 or 10. It's about the no. of servers and the time you put in to validate. I do not have Puppet implemented in my environment, nor can we afford such kinds of tools. – Shashikanth Bussa Jun 23 '16 at 13:19
  • Don't you read my comments? I mentioned _two_ alternatives: `expect` and `sudoers`. – arkascha Jun 23 '16 at 13:20

1 Answer


With all of the usual caveats, i.e. that storing a plain text password is a horrible solution, you can do the following: sshpass -p password sudo ...

The mechanism ssh uses to get keyboard interactive passwords is exactly the same as the one used by sudo, and sshpass is equally effective.

Shachar Shemesh
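As an added example (not from the question or the answer), here is how the bulk check the asker describes can be run without the password appearing on any command line: sshpass -e takes it from the SSHPASS environment variable for the ssh login, and the same password is fed to the remote sudo -S over ssh's stdin. The classifier separates real sudo rights from authentication and connection failures, which the question's command lumped together as "password incorrect". It assumes the login user's password also unlocks sudo (as in the question); host names, user names and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: bulk check of "sudo su - <appuser>" rights over ssh with the
# password kept off every command line. Hosts, users and outputs are constructed.

# build_probe APP_USER: the remote command. sudo -S reads the password from
# stdin (carried by ssh), -p '' drops the prompt, -k ignores cached credentials
# so an earlier sudo on the box cannot yield a false ALLOWED.
build_probe() {
    printf "sudo -S -k -p '' su - %s -c whoami" "$1"
}

# classify_result STATUS STDOUT STDERR APP_USER: one verdict per probe.
# The stderr strings are sudo's and su's own messages; 255 is ssh's
# connection-failure exit status.
classify_result() {
    status=$1; out=$2; err=$3; expected=$4
    if [ "$status" -eq 255 ]; then
        echo SSH_FAILED; return 0
    fi
    case $err in
        *"Sorry, try again"*|*"incorrect password attempt"*|*"Authentication failure"*)
            echo AUTH_FAILED; return 0 ;;
        *"not in the sudoers file"*|*"not allowed to execute"*)
            echo DENIED; return 0 ;;
    esac
    if [ "$status" -eq 0 ] && [ "$out" = "$expected" ]; then
        echo ALLOWED
    else
        echo UNKNOWN
    fi
}

# run_probe HOST LOGIN_USER APP_USER: the password is read from $SSHPASS by
# sshpass -e for the login and piped to the remote sudo -S, so it is never a
# process argument. Assumes the login user's password also unlocks sudo.
run_probe() {
    host=$1; login=$2; target=$3
    errfile=$(mktemp)
    out=$(printf '%s\n' "$SSHPASS" | sshpass -e ssh -o ConnectTimeout=10 \
        -o StrictHostKeyChecking=accept-new "$login@$host" \
        "$(build_probe "$target")" 2>"$errfile")
    status=$?
    err=$(cat "$errfile"); rm -f "$errfile"
    printf '%s %s\n' "$host" "$(classify_result "$status" "$out" "$err" "$target")"
}

# check_hosts APP_USER LOGIN_USER: reads one host per line from stdin.
check_hosts() {
    while IFS= read -r host; do
        [ -n "$host" ] && run_probe "$host" "$2" "$1"
    done
}
```

Usage: export SSHPASS from a prompt (read -s) rather than a file, then run check_hosts wasadmin user1 < hosts.txt; each output line is the host followed by ALLOWED, DENIED, AUTH_FAILED, SSH_FAILED or UNKNOWN.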