proper way to sudo over ssh

Question

I have a script which runs another script via SSH on a remote server using sudo   However  when I type the password  it shows up on the terminal   Otherwise it works fine   ssh user server  sudo script    What s the proper way to do this so I can type the password for sudo over SSH without the password appearing as I type

User · Answer

Assuming you want no password prompt   ssh  HOST  echo  PASSWORD   sudo -S  COMMMAND    Example  ssh me localhost  echo secret   sudo -S echo hi    outputs  hi

User · Answer

Sudo over SSH passing a password  no tty required   You can use sudo over ssh without forcing ssh to have a pseudo-tty  without the use of the ssh  -t  switch  by telling sudo not to require an interactive password and to just grab the password off stdin   You do this by using the  -S  switch on sudo   This makes sudo listen for the password on stdin  and stop listening when it sees a newline   Example 1 - Simple Remote Command  In this example  we send a simple whoami command     ssh user server cat    sudo --prompt    -S -- whoami  lt  lt  EOF  gt   lt remote sudo password gt  root   We re telling sudo not to issue a prompt  and to take its input from stdin   This makes the sudo password passing completely silent so the only response you get back is the output from whoami   This technique has the benefit of allowing you to run programs through sudo over ssh that themselves require stdin input   This is because sudo is consuming the password over the first line of stdin  then letting whatever program it runs continue to grab stdin   Example 2 - Remote Command That Requires Its Own stdin  In the following example  the remote command  cat  is executed through sudo  and we are providing some extra lines through stdin for the remote cat to display     ssh user server cat    sudo --prompt    -S --  cat   lt  lt  EOF  gt   lt remote sudo password gt   gt  Extra line1  gt  Extra line2  gt  EOF Extra line1 Extra line2   The output demonstrates that the  lt remote sudo password gt  line is being consumed by sudo  and that the remotely executed cat is then displaying the extra lines   An example of where this would be beneficial is if you want to use ssh to pass a password to a privileged command without using the command line   Say  if you want to mount a remote encrypted container over ssh   Example 3 - Mounting a Remote VeraCrypt Container  In this example script  we are remotely mounting a VeraCrypt container through sudo without any extra prompting text      bin sh ssh user server cat    sudo --prompt    -S --  veracrypt --non-interactive --stdin --keyfiles  path to test key  path to test img  mnt mountpoint   lt  lt  EOF SudoPassword VeraCryptContainerPassword EOF   It should be noted that in all the command-line examples above  everything except the script  the  lt  lt  EOF construct on the command line will cause the everything typed  including the password  to be recorded in the local machine s  bash history   It is therefore highly recommended that for real-world use you either use do it entirely through a script  like the veracrypt example above  or  if on the command line then put the password in a file and redirect that file through ssh   Example 1a - Example 1 Without Local Command-Line Password  The first example would thus become     cat text file with sudo password   ssh user server cat    sudo --prompt    -S -- whoami root   Example 2a - Example 2 Without Local Command-Line Password  and the second example would become     cat text file with sudo password -  lt  lt  EOF   ssh va1der net cat    sudo --prompt    -S -- cat  gt  Extra line1  gt  Extra line2  gt  EOF Extra line1 Extra line2   Putting the password in a separate file is unnecessary if you are putting the whole thing in a script  since the contents of scripts do not end up in your history   It still may be useful  though  in case you want to allow users who should not see the password to execute the script

User · Answer

I was able to fully automate it with the following command   echo pass   ssh -tt user server  sudo script    Advantages    no password prompt won t show password in remote machine bash history   Regarding security  as Kurt said  running this command will show your password on your local bash history  and it s better to save the password in a different file or save the all command in a  sh file and execute it  NOTE  The file need to have the correct permissions so that only the allowed users can access it

User · Answer

The best way is ssh -t user server  sudo  lt scriptname gt    for example ssh -t user server  sudo reboot   It will prompt for password for user first and then root since we are running the script or command with root privilege    I hope it helped and cleared your doubt

User · Answer

Another way is to use the -t switch to ssh   ssh -t user server  sudo script    See man ssh    -t      Force pseudo-tty allocation   This can be used to execute arbi-          trary screen-based programs on a remote machine  which can be          very useful  e g   when implementing menu services   Multiple -t          options force tty allocation  even if ssh has no local tty

User · Answer

echo  VAR REMOTEROOTPASS   ssh -tt -i  PATH TO KEY id mykey  VAR REMOTEUSER  varRemoteHost  echo    varCommand     sudo bash

User · Answer

I faced a problem   user1 server1  ssh -q user1 server2 sudo -u user2 rm -f  some file location txt  Output  sudo  no tty present and no askpass program specified   Then I tried with    1 vim  etc sudoers Defaults user1     requiretty   didn t work   2 user1   ALL  user2          NOPASSWD  ALL   that worked properly

User · Answer

Depending on your usage  I had success with the following   ssh root server  script    This will prompt for the root password and then execute the command correctly

User · Answer

NOPASS in the configuration on your target machine is the solution  Continue reading at http   maestric com doc unix ubuntu sudo without password

[ssh] proper way to sudo over ssh

Examples related to ssh

Examples related to sudo