Tim Nelson Systems/Network Support Rockbochs Inc. (218)727-4332 x105
----- "Jeremy Rosengren" jeremy.rosengren@gmail.com wrote:
On Wed, Mar 3, 2010 at 3:36 PM, James Hogarth < james.hogarth@gmail.com > wrote:
On 3 March 2010 21:20, Tim Nelson < tnelson@rockbochs.com > wrote:
Greetings All-
I'm about to embark on some remote management testing and need a way to login to a remote system running CentOS 4.x/5.x via SSH, su to root (using a password), then execute a command.
I currently login to the boxes using key based SSH like this:
ssh -i ~/remote_key admin@$REMOTEIP
Then, I SU to root. However, if I try to do this automatically like this:
ssh -i ~/remote_key admin@$REMOTEIP 'su -l'
I'm getting:
"standard in must be a tty"
So, how am I able to remote login using SSH, su to root, then execute a command as root?
All comments and suggestions welcome. Thanks!
--Tim
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Best off configuring sudo for that user (with no password) and make sure that user has !requiretty in the sudoers configuration.
James
Does "ssh -t" help?
YESS. It prevents the tty error from showing up and asks me for a password as expected. BUT, how do I then automate the entering of the password?
John Kennedy mentioned using expect which I've used before but found it to be 'finicky'. I may have to look at it again...
Changing settings such as sudo configuration or ssh config may be daunting since I have a large number of systems (150+) that would need to be modified. :-/
--Tim
Tim Nelson wrote:
> YESS. It prevents the tty error from showing up and asks me for a password as expected. BUT, how do I then automate the entering of the password?
> John Kennedy mentioned using expect which I've used before but found it to be 'finicky'. I may have to look at it again...
> Changing settings such as sudo configuration or ssh config may be daunting since I have a large number of systems (150+) that would need to be modified. :-/
Just login as root with ssh keys?
If you needed to somehow block brute force cracking attacks against the root account either globally disable password auth, or it appears you can use the option "PermitRootLogin without-password" to restrict remote root logins via SSH to keys only. I haven't tried this option myself.
nate
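A way to verify the setting nate describes across many hosts, as an added example that is not part of the thread: the script reads an sshd_config and reports whether root can still authenticate with a password. The function names, the constructed sample config, and the "yes" defaults for unset keywords are assumptions, and keyboard-interactive is conservatively counted as a password path.

```shell
#!/bin/sh
# Added example, not from the thread: classify root SSH access from sshd_config.

# Print the effective global value of keyword $1 in file $2 (default $3).
# sshd keeps the first value it reads for a keyword and matches keywords
# case-insensitively; lines from the first "Match" on are conditional and
# ignored here. Assumes the plain "Keyword value" form.
sshd_option() {
    awk -v want="$1" -v dflt="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print dflt }
    ' "$2"
}

# Print one of: denied, forced-commands-only, no-password, password-possible,
# unknown. Unset keywords default to "yes" (assumed defaults for the CentOS
# 4.x/5.x-era OpenSSH in the thread). Keyboard-interactive is counted as a
# password path whenever ChallengeResponseAuthentication is on (conservative).
root_login_mode() {
    prl=$(sshd_option PermitRootLogin "$1" yes)
    pwa=$(sshd_option PasswordAuthentication "$1" yes)
    cra=$(sshd_option ChallengeResponseAuthentication "$1" yes)
    case $prl in
        no) echo denied; return ;;
        forced-commands-only) echo forced-commands-only; return ;;
        yes|without-password|prohibit-password) ;;
        *) echo unknown; return ;;
    esac
    if [ "$cra" != no ]; then
        echo password-possible
    elif [ "$prl" != yes ] || [ "$pwa" = no ]; then
        echo no-password
    else
        echo password-possible
    fi
}

# Constructed sample config: the later "PermitRootLogin yes" is ignored
# because the first value read for a keyword wins.
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin yes' 'permitrootlogin without-password' \
    'ChallengeResponseAuthentication no' 'PermitRootLogin yes' > "$sample"
echo "sample config: root login mode = $(root_login_mode "$sample")"
rm -f "$sample"
```

Run against a copy of each host's /etc/ssh/sshd_config, any result other than no-password, forced-commands-only or denied means root can still be reached with a password.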
I found that Python expect is far more logical and understandable for complex tasks than the expect command.
ChrisG
I used to manage ~150 Linux desktops and would have to do one-off scripts to make updates. Fortunately I found Puppet and now I never have to do things like this any more, but here's the Bash/Expect combo that I used to use:
chris$ ./mass_copy.sh:
#!/bin/sh
# Passwords reach get_root.exp through the environment.
export ROOTPW='secret1'
export ADMINPW='secret2'

HIVES="machine1 machine2 machine3"
for machine in $HIVES; do
    /path/to/script/get_root.exp $machine
done

chris$ cat get_root.exp
#!/usr/bin/expect -f

set timeout 40

# Log in to the host named in the first argument.
spawn ssh [lrange $argv 0 0]
expect "admin@$argv's password:"
send "$env(ADMINPW)\n"
expect "\$"
# Replace the login shell with a root shell.
send "exec su -\n"
expect "Password: "
send "$env(ROOTPW)\n"
expect "#"
send "/mnt/it_updates/update_something.sh\n"
# interact connects the terminal to the session, so the script waits here for the user.
interact
expect "\#"
send "exit\n"
This was handed down to me by the sysadmin who was here before me and it worked great except sometimes it would not log out of each machine and I would have to babysit it and press CTRL-D after each run. It can easily be expanded on to suit your needs, and maybe someone in the mailing list can refine it, but if this is your job and you think there is even the remotest possibility that you would have to do this again, seriously look into Puppet, Func, mCollective, really anything is easier than doing it this way.
Chris
On 3/4/10 12:48 AM, Chris Geldenhuis wrote:
> I found that Python expect is far more logical and understandable for complex tasks than the expect command.
> ChrisG
On 3/4/2010 10:16 AM, Chris Murphy wrote:
> This was handed down to me by the sysadmin who was here before me and it worked great except sometimes it would not log out of each machine and I would have to babysit it and press CTRL-D after each run. It can easily be expanded on to suit your needs, and maybe someone in the mailing list can refine it, but if this is your job and you think there is even the remotest possibility that you would have to do this again, seriously look into Puppet, Func, mCollective, really anything is easier than doing it this way.
What's the problem with key-based ssh directly as root?
----- "Les Mikesell" lesmikesell@gmail.com wrote:
> What's the problem with key-based ssh directly as root?
Not a thing, except I'd have to login and update that many systems before I'm able to get any real work done. Maybe I'll use the presented expect scripting (very similar to my test run) to get the appropriate keys installed, then proceed using puppet et al. for the rest...
--Tim
On 3/4/2010 10:58 AM, Tim Nelson wrote:
>> What's the problem with key-based ssh directly as root?
> Not a thing, except I'd have to login and update that many systems before I'm able to get any real work done. Maybe I'll use the presented expect scripting (very similar to my test run) to get the appropriate keys installed, then proceed using puppet et al. for the rest...
If you have the ssh-copy-id program that uses a one-time password based command execution to install the remote key, you could probably run it with expect. Personally I think it is better to include the key in all new installs that need central control instead of having the passwords all the same.
On Mar 4, 2010, at 10:58 AM, Tim Nelson wrote:
> ----- "Les Mikesell" lesmikesell@gmail.com wrote:
>> What's the problem with key-based ssh directly as root?
> Not a thing, except I'd have to login and update that many systems before I'm able to get any real work done. Maybe I'll use the presented expect scripting (very similar to my test run) to get the appropriate keys installed, then proceed using puppet et al. for the rest...
> --Tim
perl Net::OpenSSH also would solve this problem. We successfully got it working for our needs.
my ($in, $out, $err, $pid) = $ssh->open3({tty => 1}, $cmd, @args) or die ...
You may get a weird warning message from SSH when using sudo. CPAN RT #52687 documents the reason and how to fix it. If you are interested, let me know and I can give you more details.