Hi Diggy, 

I don't know of a way of achieving what you are after, however, I question the 
"more secure" sentiment that is driving this. Sudo is specifically designed to 
try and prevent what you are trying to do because it opens up doors for people 
to glean passwords and leads to other bad habits. In fact, you cannot just 
"pipe" a password to sudo normally (you have to pass the -S flag). 

So I disagree that using NOPASSWD "clearly ... flies in the face of best 
practices". I also disagree that setting PermitRootLogin to no is "as it should 
be". The "without-password" option is perfectly acceptable in many situations 
when using SSH keys - especially when you include "from=" options in your 
authorized_keys file and such. 

If you have company policies which require a specific design that is one thing, 
but in general keep in mind that there are many different levels of "secure" 
and different people/organizations have different needs/tolerances. For 
example, allowing Foreman to ssh directly as root is fine in my case because 
the logging/auditing in Foreman itself is sufficient to meet our compliance 
requirements. 

Regards, 

j 



From: "Diggy" <[email protected]> 
To: "Foreman Users" <[email protected]> 
Sent: Monday, March 27, 2017 9:54:37 AM 
Subject: [foreman-users] Run job - send sudo password from Foreman 

Hello, all. 
In my Foreman instance, I've set up job execution (Run job) to work. On my 
hosts, I have ssh PermitRootLogin set to no, as it should be. We log into hosts 
with our own usernames, then run commands via sudo. Thus, in order to get Run 
job to work properly, in Foreman I set Administer > Settings > RemoteExecution 
> remote_execution_effective_user=root, 
remote_execution_effective_user_method=sudo, and 
remote_execution_ssh_user=asudouser. The only way I could see to make this work 
was to set NOPASSWD in asudouser's sudoer file directive. Clearly, this flies 
in the face of best practices. Is there a way for me to pass asudouser's sudo 
password via Foreman, or is there some more secure way to make Run job work? 

Many thanks. 


-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected]. 
To post to this group, send email to [email protected]. 
Visit this group at https://groups.google.com/group/foreman-users. 
For more options, visit https://groups.google.com/d/optout. 
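
An added example, not part of the original thread: a small Python audit that reports which keys in an authorized_keys file carry the "from=" restriction mentioned in the reply. The sample file, host names and key material are constructed placeholders, and the function names are hypothetical.

```python
def split_options(line):
    """Split one authorized_keys line into (options dict, remaining fields)."""
    if line.startswith(("ssh-", "ecdsa-sha2-", "sk-")):
        return {}, line                      # line starts with the key type
    opts, name, buf, in_quotes, i = {}, None, "", False, 0
    while i < len(line):
        c = line[i]
        if in_quotes and line[i:i + 2] == '\\"':
            buf, i = buf + '"', i + 2        # escaped quote inside a value
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == "=" and not in_quotes and name is None:
            name, buf = buf, ""              # option name ends, value starts
        elif c in ", \t" and not in_quotes:
            opts[(name or buf).lower()] = buf if name is not None else True
            name, buf = None, ""
            if c != ",":
                break                        # unquoted space ends the options
        else:
            buf += c
        i += 1
    return opts, line[i:].strip()


def audit(text):
    """Return (key comment, from= patterns or None) for every key in text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        fields = rest.split()
        label = fields[2] if len(fields) > 2 else "(no comment)"
        src = opts.get("from")
        findings.append((label, src.split(",") if src else None))
    return findings


# Constructed sample: placeholder key material and host names.
SAMPLE = '''\
from="10.0.0.5,foreman.example.com",no-pty ssh-ed25519 AAAAC3PLACEHOLDER foreman-proxy
ssh-rsa AAAAB3PLACEHOLDER admin@laptop
'''

if __name__ == "__main__":
    for label, sources in audit(SAMPLE):
        print(label, "restricted to", sources if sources else "ANY source address")
```

Entries reported with no source patterns are the ones to review when root or a NOPASSWD account accepts key logins.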
