[CentOS] OT: Scripting with sudo password

Thu Nov 15 01:08:20 UTC 2007
gjgowey at tmo.blackberry.net <gjgowey at tmo.blackberry.net>

How about using ssh with certificate authenitication instead of sudo?

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "James A. Peltier" <jpeltier at cs.sfu.ca>

Date: Wed, 14 Nov 2007 17:04:46 
To:CentOS mailing list <centos at centos.org>
Subject: Re: [CentOS] OT: Scripting with sudo password

Robert Spangler wrote:
> On Wed November 14 2007 14:41, James A. Peltier wrote:
>>  Completely off topic, but I'm sure someone out there is using scripts
>>  that require a sudo password of some sort, so I'll ask.
>>  What are people doing to automate tasks that required sudo passwords in
>>  order to run?  sudo without a password is not an option for me, but I
>>  would like to be able to enter the password once have it saved and then
>>  read back when sudo is required.
> Question for you then, why is sudo without a password not an option?

Because it makes the maintanance of our already very large sudoers file
that much more complex.  Many of my users want to be able to do this not
just one or two.  They want to do it for various tasks not just some
subset of tasks (ie sudo which is outlined here).  I probably should
have been more precise

> Check the man pages of sudoers.  It is possible to setup a sudo user that is
> only allowed to run a set of command.  This in effect only allows the user to
> run that one program (or as many as you setup) as sudo and no other.

I was already well aware of that option but it doesn't work here.

> This has to be better then reading a password file that is lying around on a
> disk somewhere.

The password would not be kept on disk as was pointed out in my first
e-mail.  The user would be prompted *once* for the password which would
then be passed to any number of tasks.  A good example would be a
clusterssh session that requires a password to authenticate against some
software such as sudo.

I think I'm going to have to look into expect or python-pexpect to
accomplish what I want, but thought I would just put it out there to see
what others are doing or have done.

James A. Peltier
Technical Director, RHCE
SCIRF | GrUVi @ Simon Fraser University - Burnaby Campus
Phone   : 778-782-3610
Fax     : 778-782-3045
Mobile  : 778-840-6434
E-Mail  : jpeltier at cs.sfu.ca
Website : http://gruvi.cs.sfu.ca | http://scirf.cs.sfu.ca
MSN     : subatomic_spam at hotmail.com
CentOS mailing list
CentOS at centos.org