On 7/14/22 12:35 AM, J. Roeleveld wrote:
> Hi All,

Hi,

> I am looking for a way to login to a host and automatically change to root using a password provided by an external program.

Please clarify if you want to /require/ a password?

I can think of some options that would authenticate, thus avoiding sudo's NOPASSWD:, but not prompt for a password. I want to know if those types of options are on the table or if they should be discarded.

> The root passwords are stored in a vault and I can get passwords out using a script after authenticating.

Okay.

> Currently, I need to do a lot of the steps manually:
> ssh <user>@<host>
> su -

You could alter that slightly to be:

   ssh <user>@<host> su -

That would combine the steps into one.

> (copy/paste password from vault)

Are you actually copying & pasting the password? Or will you be using something to retrieve the password from the vault and automatically provide it to su?

I think that removing the human's need ~> ability to copy & paste would close some security exposures.

Aside: Removing the human's ability to copy ~> know the password from the mix as a security measure can be a slippery slope, and I consider it to be questionable at best. -- Conversely, doing it on behalf of the human with a password that they know simply as automation is fine.

> I would like to change this to:
> <some-script> <host>

I think that's doable. I've done a lot of that. I'll take it one step further and put "<some-script> <host>" in a for loop to do my bidding on a number of systems.

I think the "ssh <user>@<host> su -" method might be a bit cleaner from a STDIN / TTY / FD perspective.

> Does anyone have any hints on how to achieve this without adding a "NOPASSWD" entry into /etc/sudoers ?

Flag on the play: You've now mixed privilege elevation mechanisms. You originally talked about "su" and now you're talking about "sudo". They are distinctly different things. Though admittedly they can be used in concert with each other.

If you are using SSH keys /and/ sudo, then I'd recommend that you investigate authenticating to sudo via (forwarded) SSH keys. This means that your interactions with sudo are /always/ authenticated *and* done so without requiring an interactive prompt.

> Thanks in advance,

There's more than a little bit here. There are a number of ways that this could go.



--
Grant. . . .
unix || die
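The "authenticate sudo via forwarded SSH keys" suggestion above, as an added configuration sketch that is not part of this thread: the NOPASSWD line the question wants to avoid, beside the usual way of doing it with the pam_ssh_agent_auth PAM module. The user name "deploy", the host name "host" and the file paths are assumptions.

```text
# /etc/sudoers (weak): elevation with no authentication at all.
deploy ALL=(ALL) NOPASSWD: ALL

# /etc/sudoers (better): keep the normal rule, but let sudo see the
# forwarded agent socket so PAM can authenticate with an SSH key.
Defaults env_keep += "SSH_AUTH_SOCK"
deploy ALL=(ALL) ALL

# /etc/pam.d/sudo: put this line before the existing auth entries so a
# matching agent key satisfies sudo; if no key matches, sudo still falls
# through to the usual password prompt rather than succeeding silently.
auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys

# /etc/security/authorized_keys: standard authorized_keys format, holding
# only the public halves of keys allowed to elevate (constructed placeholder).
ssh-ed25519 AAAA...PLACEHOLDER deploy-automation

# Client side: forward the agent for this session only (-A), then run the
# privileged command non-interactively; "sudo -n" fails instead of
# prompting if the key is not accepted, which is what a loop over hosts wants.
ssh -A deploy@host sudo -n id -u
```

Forwarding the agent lets root on that host use the key for as long as the session lasts, so pair it with a dedicated key loaded via "ssh-add -c" (each use must be confirmed) rather than a personal key.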
