On Thursday, 14 July 2022 17:30:28 CEST Grant Taylor wrote:
> On 7/14/22 12:35 AM, J. Roeleveld wrote:
> > Hi All,
>
> Hi,
>
> > I am looking for a way to log in to a host and automatically change
> > to root using a password provided by an external program.
>
> Please clarify if you want to /require/ a password?

Yes.

> I can think of some options that would authenticate, thus avoiding
> sudo's NOPASSWD:, but not prompt for a password. I want to know if
> those types of options are on the table or if they should be discarded.

How would it not prompt for a password?
I need something that will take the password from the vault (I can do this in Python and shell-scripting. Probably also in other scripts).
Authenticating to the vault can be done on a session basis and shared. So locally, I'd only log in once.

> > The root passwords are stored in a vault and I can get passwords out
> > using a script after authenticating.
>
> Okay.
>
> > Currently, I need to do a lot of the steps manually:
> > ssh <user>@<host>
> > su -
>
> You could alter that slightly to be:
>
> ssh <user>@<host> su -
>
> That would combine the steps into one.
>
> > (copy/paste password from vault)
>
> Are you actually copying & pasting the password? Or will you be using
> something to retrieve the password from the vault and automatically
> provide it to su?

Currently, yes. I never physically see the password as it currently goes into the clipboard and gets wiped from there after a short time period. Enough time to paste it into the password-prompt.
It's the copy/pasting that I am looking to automate into a single "login-to-remote-host" script.

> I think that removing the human's need ~> ability to copy & paste would
> close some security exposures.
>
> Aside: Removing the human's ability to copy ~> know the password
> from the mix as a security measure can be a slippery slope and I
> consider it to be questionable at best. -- Conversely, doing it on
> behalf of the human with a password that they know simply as automation
> is fine.
>
> > I would like to change this to:
> > <some-script> <host>
>
> I think that's doable. I've done a lot of that. I'll take it one step
> further and put "<some-script> <host>" in a for loop to do my bidding on
> a number of systems.

> I think the "ssh <user>@<host> su -" method might be a bit cleaner from
> a STDIN / TTY / FD perspective.
>
> > Does anyone have any hints on how to achieve this without adding a
> > "NOPASSWD" entry into /etc/sudoers ?
>
> Flag on the play: You've now mixed privilege elevation mechanisms. You
> originally talked about "su" and now you're talking about "sudo". They
> are distinctly different things. Though admittedly they can be used in
> concert with each other.
>
> If you are using SSH keys /and/ sudo, then I'd recommend that you
> investigate authenticating to sudo via (forwarded) SSH keys. This means
> that your interactions with sudo are /always/ authenticated *and* done
> so without requiring an interactive prompt.

I prefer not to use SSH keys for this as they tend to exist for years in my experience. And one unnoticed leak can open up a lot of systems.
This is why I use passwords. (Passwords are long random strings that are changed regularly.)

> > Thanks in advance,
>
> There's more than a little bit here. There are a number of ways that
> this could go.
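The single-script flow discussed in this reply (fetch the root password from the vault, then answer su's prompt on the remote host without ever putting the secret on the clipboard), as an added Python example that is not from the thread: it runs the child on a pseudo-terminal, waits for the password prompt and feeds it the vault's answer. It assumes the vault lookup is the reader's own script, that the remote command is `ssh -t <user>@<host> su - -c <cmd>` (the `-t` is needed so su has a tty), and DEMO_ARGV is a constructed local stand-in for that ssh/su child so the script can be tried without a remote host.

```python
import os
import pty
import re
import select
import signal
import sys

# Constructed stand-in for "ssh -t <user>@<host> su - -c <cmd>": a local child
# that asks for a password on its controlling tty, the way su does.
DEMO_ARGV = [sys.executable, "-c",
             "import getpass; p = getpass.getpass('Password: '); "
             "print('granted' if p == 's3cret' else 'denied')"]

def _read_pty(fd, timeout, until=None):
    """Read until bytes regex `until` matches (None: until EOF or silence)."""
    buf = b""
    while until is None or not re.search(until, buf):
        ready, _, _ = select.select([fd], [], [], timeout)
        try:
            chunk = os.read(fd, 4096) if ready else b""
        except OSError:  # EIO on Linux once the child has closed its side
            chunk = b""
        if chunk:
            buf += chunk
        elif until is None:
            break  # child exited or went quiet: all output collected
        else:
            raise EOFError(f"child ended or timed out before {until!r}; saw {buf!r}")
    return buf

def run_with_password(argv, password, prompt=rb"[Pp]assword:", timeout=15.0):
    """Run argv on its own pty, answer the password prompt, return (exit code, output)."""
    # The secret goes from the vault straight to the child's tty: never via
    # the clipboard, never in argv, never in the environment.
    pid, fd = pty.fork()
    if pid == 0:  # child side: becomes ssh/su (or the local demo)
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)  # exec failed; never fall through into parent code
    try:
        _read_pty(fd, timeout, until=prompt)
        os.write(fd, password.encode() + b"\n")
        out = _read_pty(fd, timeout)
    except Exception:
        os.kill(pid, signal.SIGKILL)  # never leave a child parked on the prompt
        raise
    finally:
        _, status = os.waitpid(pid, 0)
        os.close(fd)
    return os.waitstatus_to_exitcode(status), out.decode(errors="replace")
```

For real hosts, pass e.g. `["ssh", "-t", f"{user}@{host}", "su", "-", "-c", "id"]` together with the password your vault script returns, looping over hosts for the "for loop over a number of systems" Grant mentions. Keep the `-c <cmd>`, since the drain loop waits for the child to exit rather than handing you an interactive shell.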

