On 7/14/22 12:35 AM, J. Roeleveld wrote:
> Hi All,
Hi,
> I am looking for a way to login to a host and automatically change
> to root using a password provided by an external program.
Please clarify if you want to /require/ a password?
I can think of some options that would authenticate, thus avoiding
sudo's NOPASSWD:, but not prompt for a password. I want to know if
those types of options are on the table or if they should be discarded.
> The root passwords are stored in a vault and I can get passwords out
> using a script after authenticating.
Okay.
> Currently, I need to do a lot of the steps manually:
> ssh <user>@<host>
> su -
You could alter that slightly to be:
ssh <user>@<host> su -
That would combine the steps into one.
> (copy/paste password from vault)
Are you actually copying & pasting the password? Or will you be using
something to retrieve the password from the vault and automatically
provide it to su?
I think that removing the human's need ~> ability to copy & paste would
close some security exposures.
Aside: Removing the human's ability to copy ~> know the password
from the mix as a security measure can be a slippery slope and I
consider it to be questionable at best. -- Conversely, doing it on
behalf of the human with a password that they know simply as automation
is fine.
> I would like to change this to:
> <some-script> <host>
I think that's doable. I've done a lot of that. I'll take it one step
further and put "<some-script> <host>" in a for loop to do my bidding on
a number of systems.
I think the "ssh <user>@<host> su -" method might be a bit cleaner from
a STDIN / TTY / FD perspective.
> Does anyone have any hints on how to achieve this without adding a
> "NOPASSWD" entry into /etc/sudoers ?
Flag on the play: You've now mixed privilege elevation mechanisms. You
originally talked about "su" and now you're talking about "sudo". They
are distinctly different things. Though admittedly they can be used in
concert with each other.
If you are using SSH keys /and/ sudo, then I'd recommend that you
investigate authenticating to sudo via (forwarded) SSH keys. This means
that your interactions with sudo are /always/ authenticated *and* done
so without requiring an interactive prompt.
> Thanks in advance,
There's more than a little bit here. There are a number of ways that
this could go.
--
Grant. . . .
unix || die