Completely off topic, but I'm sure someone out there is using scripts that require a sudo password of some sort, so I'll ask.
What are people doing to automate tasks that required sudo passwords in order to run? sudo without a password is not an option for me, but I would like to be able to enter the password once have it saved and then read back when sudo is required.
something like
run_on_all_hosts perform_sudo_command
script prompts for password
script launches on all hosts and passes password when required.
Any examples?
On 11/14/07, James A. Peltier wrote:
> Completely off topic, but I'm sure someone out there is using scripts that require a sudo password of some sort, so I'll ask.
> What are people doing to automate tasks that required sudo passwords in order to run? sudo without a password is not an option for me, but I would like to be able to enter the password once have it saved and then read back when sudo is required.
> something like
> run_on_all_hosts perform_sudo_command
> script prompts for password
> script launches on all hosts and passes password when required.
> Any examples?
From the man page:
-S The -S (stdin) option causes sudo to read the password from the standard input instead of the terminal device.
Keep in mind this is still a VERY bad idea. Anyone can see the password just by using the ps command.
What I've done before is, on the remote host, set up a script that runs periodically through cron or as a daemon that looks for files in a particular directory. The non-root user on the local machine only has access to scp some files into their home directory on the remote host. So I would just have the remote host watch for files to appear in this directory and then act accordingly.
-- Andy Harrison public key: 0x67518262
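The drop-directory approach described in the message above, as an added example that is not part of the original thread. The job names, the commands they map to, the spool path and the uid are all hypothetical; the point it shows is that a dropped file only selects a predefined job and is never executed itself.

```python
import os
import stat
import subprocess

# Hypothetical trigger names mapped to fixed commands. A dropped file only
# selects a job by name; its contents are never read or executed.
ALLOWED_JOBS = {
    "restart-httpd.job": ["/sbin/service", "httpd", "restart"],
    "rotate-logs.job": ["/usr/sbin/logrotate", "-f", "/etc/logrotate.conf"],
}


def select_jobs(spool_dir, expected_uid):
    """Split the names in spool_dir into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for name in sorted(os.listdir(spool_dir)):
        st = os.lstat(os.path.join(spool_dir, name))  # lstat: never follow symlinks
        ok = (
            name in ALLOWED_JOBS                 # known job, nothing else
            and stat.S_ISREG(st.st_mode)         # plain file, not a link or device
            and st.st_uid == expected_uid        # dropped by the expected account
            and not st.st_mode & stat.S_IWOTH    # not world-writable
        )
        (accepted if ok else rejected).append(name)
    return accepted, rejected


def process_spool(spool_dir, expected_uid, run=subprocess.run):
    """Consume each accepted trigger file and run its fixed command.

    Meant to be called from root's crontab; rejected names are returned so
    the caller can log them.
    """
    accepted, rejected = select_jobs(spool_dir, expected_uid)
    for name in accepted:
        os.unlink(os.path.join(spool_dir, name))  # remove first so a job runs once
        run(ALLOWED_JOBS[name], check=False)
    return accepted, rejected


if __name__ == "__main__":
    # Assumed layout: the unprivileged account (uid 1001 here) scp's trigger
    # files into /home/deploy/spool, and this script runs from root's cron.
    print(process_spool("/home/deploy/spool", expected_uid=1001))
```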
On Wed November 14 2007 14:41, James A. Peltier wrote:
> Completely off topic, but I'm sure someone out there is using scripts that require a sudo password of some sort, so I'll ask.
> What are people doing to automate tasks that required sudo passwords in order to run? sudo without a password is not an option for me, but I would like to be able to enter the password once have it saved and then read back when sudo is required.
Question for you then, why is sudo without a password not an option?
Check the man pages of sudoers. It is possible to set up a sudo user that is only allowed to run a set of commands. This in effect only allows the user to run that one program (or as many as you set up) as sudo and no other.
This has to be better than reading a password file that is lying around on a disk somewhere.
> Any examples?
Plenty in the man pages.
Robert Spangler wrote:
> On Wed November 14 2007 14:41, James A. Peltier wrote:
> > Completely off topic, but I'm sure someone out there is using scripts that require a sudo password of some sort, so I'll ask.
> > What are people doing to automate tasks that required sudo passwords in order to run? sudo without a password is not an option for me, but I would like to be able to enter the password once have it saved and then read back when sudo is required.
> Question for you then, why is sudo without a password not an option?
Because it makes the maintenance of our already very large sudoers file that much more complex. Many of my users want to be able to do this, not just one or two. They want to do it for various tasks, not just some subset of tasks (i.e. sudo, which is outlined here). I probably should have been more precise.
> Check the man pages of sudoers. It is possible to set up a sudo user that is only allowed to run a set of commands. This in effect only allows the user to run that one program (or as many as you set up) as sudo and no other.
I was already well aware of that option but it doesn't work here.
> This has to be better than reading a password file that is lying around on a disk somewhere.
The password would not be kept on disk as was pointed out in my first e-mail. The user would be prompted *once* for the password which would then be passed to any number of tasks. A good example would be a clusterssh session that requires a password to authenticate against some software such as sudo.
I think I'm going to have to look into expect or python-pexpect to accomplish what I want, but thought I would just put it out there to see what others are doing or have done.
How about using ssh with certificate authentication instead of sudo?
Sent from my BlackBerry wireless handheld.
-----Original Message-----
From: "James A. Peltier" jpeltier@cs.sfu.ca
Date: Wed, 14 Nov 2007 17:04:46
To: CentOS mailing list centos@centos.org
Subject: Re: [CentOS] OT: Scripting with sudo password
Robert Spangler wrote:
> On Wed November 14 2007 14:41, James A. Peltier wrote:
> > Completely off topic, but I'm sure someone out there is using scripts that require a sudo password of some sort, so I'll ask.
> > What are people doing to automate tasks that required sudo passwords in order to run? sudo without a password is not an option for me, but I would like to be able to enter the password once have it saved and then read back when sudo is required.
> Question for you then, why is sudo without a password not an option?
Because it makes the maintenance of our already very large sudoers file that much more complex. Many of my users want to be able to do this, not just one or two. They want to do it for various tasks, not just some subset of tasks (i.e. sudo, which is outlined here). I probably should have been more precise.
> Check the man pages of sudoers. It is possible to set up a sudo user that is only allowed to run a set of commands. This in effect only allows the user to run that one program (or as many as you set up) as sudo and no other.
I was already well aware of that option but it doesn't work here.
> This has to be better than reading a password file that is lying around on a disk somewhere.
The password would not be kept on disk as was pointed out in my first e-mail. The user would be prompted *once* for the password which would then be passed to any number of tasks. A good example would be a clusterssh session that requires a password to authenticate against some software such as sudo.
I think I'm going to have to look into expect or python-pexpect to accomplish what I want, but thought I would just put it out there to see what others are doing or have done.
-- James A. Peltier Technical Director, RHCE SCIRF | GrUVi @ Simon Fraser University - Burnaby Campus Phone : 778-782-3610 Fax : 778-782-3045 Mobile : 778-840-6434 E-Mail : jpeltier@cs.sfu.ca Website : http://gruvi.cs.sfu.ca | http://scirf.cs.sfu.ca MSN : subatomic_spam@hotmail.com _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
gjgowey@tmo.blackberry.net wrote:
> How about using ssh with certificate authentication instead of sudo?
That's great for SSH, I already do that, but if I ssh to a system and then type sudo it prompts me for a password. I want something like this
ssh_and_sudo_on_all_hosts
this script prompts for passwords and provides passwords to all ssh or sudo sessions
ssh => some_host
uses keys/certificates whatever so no password
sudo do_some_command (prompts for password)
password entered at start of ssh_and_sudo_on_all_hosts is passed to sudo and sudo runs.
On Wed, Nov 14, 2007 at 05:13:37PM -0800, James A. Peltier alleged:
> gjgowey@tmo.blackberry.net wrote:
> > How about using ssh with certificate authentication instead of sudo?
> That's great for SSH, I already do that, but if I ssh to a system and then type sudo it prompts me for a password. I want something like this
> ssh_and_sudo_on_all_hosts
> this script prompts for passwords and provides passwords to all ssh or sudo sessions
> ssh => some_host
> uses keys/certificates whatever so no password
> sudo do_some_command (prompts for password)
> password entered at start of ssh_and_sudo_on_all_hosts is passed to sudo and sudo runs.
The solution is password-less authentication. Kerberos, ssh keys, sudo, etc. But you don't seem to want to do those things.
So do exactly as you've already mentioned, use expect, prompt for a password, and feed the password to remote shells as required.
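The prompt-once pattern discussed in the thread, as an added example that is not code from any poster. It uses Python's `subprocess` in place of expect or pexpect, relies on ssh key authentication already being set up, and the host names and the command are placeholders; the password travels on the ssh session's standard input to `sudo -S` and is never placed in an argument list.

```python
import getpass
import shlex
import subprocess


def build_argv(host, command):
    """Return the ssh argv that runs `command` under sudo on `host`.

    -S    sudo reads the password from standard input
    -k    ignore cached credentials, so every run consumes the password line
    -p '' suppress the prompt text
    BatchMode=yes makes ssh fail instead of asking for its own password.
    """
    remote = "sudo -S -k -p '' -- " + " ".join(shlex.quote(a) for a in command)
    return ["ssh", "-o", "BatchMode=yes", host, remote]


def run_on_all_hosts(hosts, command, password, run=subprocess.run):
    """Run `command` under sudo on each host; return {host: exit status}.

    The password is written to each ssh process's stdin only. Caveat: if a
    host's sudoers does not ask for a password (NOPASSWD), sudo leaves the
    line unread and the command itself will see it on stdin.
    """
    results = {}
    for host in hosts:
        proc = run(
            build_argv(host, command),
            input=password + "\n",
            text=True,
            capture_output=True,
            timeout=60,
        )
        results[host] = proc.returncode
    return results


if __name__ == "__main__":
    # Prompted once, held in memory only, never written to disk.
    pw = getpass.getpass("sudo password: ")
    # Placeholder hosts and command.
    print(run_on_all_hosts(["host1.example.com", "host2.example.com"],
                           ["/usr/bin/id", "-u"], pw))
```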
James A. Peltier wrote:
> gjgowey@tmo.blackberry.net wrote:
> > How about using ssh with certificate authentication instead of sudo?
> That's great for SSH, I already do that, but if I ssh to a system and then type sudo it prompts me for a password. I want something like this
> ssh_and_sudo_on_all_hosts
> this script prompts for passwords and provides passwords to all ssh or sudo sessions
> ssh => some_host
> uses keys/certificates whatever so no password
> sudo do_some_command (prompts for password)
> password entered at start of ssh_and_sudo_on_all_hosts is passed to sudo and sudo runs.
Sorry, I keep using sudo as an example, please consider it substituted for anything that requires a password.
gjgowey@tmo.blackberry.net wrote:
The password would not be kept on disk as was pointed out in my first e-mail. The user would be prompted *once* for the password which would then be passed to any number of tasks. A good example would be a clusterssh session that requires a password to authenticate against some software such as sudo.
Why don't you ssh the command directly as the user that will execute it instead of sshing as one user and then changing users on the remote side via sudo?
You can use expect (man expect). You can also export the ssh key of a regular user to do the remote, then su to root; put everything in expect.
On 11/14/07, James A. Peltier jpeltier@cs.sfu.ca wrote:
> Completely off topic, but I'm sure someone out there is using scripts that require a sudo password of some sort, so I'll ask.
> What are people doing to automate tasks that required sudo passwords in order to run? sudo without a password is not an option for me, but I would like to be able to enter the password once have it saved and then read back when sudo is required.
> something like
> run_on_all_hosts perform_sudo_command
> script prompts for password
> script launches on all hosts and passes password when required.
> Any examples?