[SLUG] sudo command over ssh - pasword echo
I am wanting to do a command with sudo via ssh that requires a password but the problem is that when I enter the password it is echoed to the screen.

ie

    ssh [EMAIL PROTECTED] sudo apt-get dist-upgrade
    password: PASSWORD-HERE

Is there a way to stop this being echoed or a better way to do this?

TIA

--
Simon Wong [EMAIL PROTECTED]

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] sudo command over ssh - pasword echo
On Thu, 20 Apr 2006 10:02 am, Simon Wong wrote:
> I am wanting to do a command with sudo via ssh that requires a password but the problem is that when I enter the password it is echoed to the screen.
>
> ie
>
>     ssh [EMAIL PROTECTED] sudo apt-get dist-upgrade
>     password: PASSWORD-HERE
>
> Is there a way to stop this being echoed or a better way to do this?

Add user to the sudo group on host and you won't be prompted for the user's password anymore (at least that's how it works on Ubuntu and RHEL).

Alternatively, log in and run the commands interactively (but given you're running commands directly from ssh, I'm assuming this is actually a script?).

If you go with the sudo group idea, you may want to set up a special user (updater or something) that can only run specific commands like apt-get with sudo and even then, restrict the options that can be passed as well.

HTH,

James
--
A fool and his money are soon popular.
Re: [SLUG] sudo command over ssh - pasword echo
On Thu Apr 20, 2006 at 10:46:02 +1000, James Gray wrote:
> On Thu, 20 Apr 2006 10:02 am, Simon Wong wrote:
> > I am wanting to do a command with sudo via ssh that requires a password but the problem is that when I enter the password it is echoed to the screen.
> >
> > ie
> >
> >     ssh [EMAIL PROTECTED] sudo apt-get dist-upgrade
> >     password: PASSWORD-HERE
> >
> > Is there a way to stop this being echoed or a better way to do this?
>
> Add user to the sudo group on host and you won't be prompted for the user's password anymore (at least that's how it works on Ubuntu and RHEL).
>
> Alternatively, log in and run the commands interactively (but given you're running commands directly from ssh, I'm assuming this is actually a script?).
>
> If you go with the sudo group idea, you may want to set up a special user (updater or something) that can only run specific commands like apt-get with sudo and even then, restrict the options that can be passed as well.

Mmm, I missed the original, but what you want is:

    ssh [EMAIL PROTECTED] -t sudo ..

The -t says allocate a TTY, which is what sudo needs to correctly read your password.

(Of course if what you want is to not have to type a password at all, then James' suggestions are all good.)

Cheers,

Benno
Re: [SLUG] sudo command over ssh - pasword echo
On Thu, 2006-04-20 at 10:46 +1000, James Gray wrote:
> Add user to the sudo group on host and you won't be prompted for the user's password anymore (at least that's how it works on Ubuntu and RHEL).

yeah, I was scared of doing that for the reason of giving blanket root sudo powers.

> Alternatively, log in and run the commands interactively (but given you're running commands directly from ssh, I'm assuming this is actually a script?).

yep, trying to script it :-)

> If you go with the sudo group idea, you may want to set up a special user (updater or something) that can only run specific commands like apt-get with sudo and even then, restrict the options that can be passed as well.

Good idea, that sounds like the way to go but I expect that means setting up an SSH key with the specific command so that the updater user can log in via SSH and do only that one thing.

I want SSH logins restricted to a specified list via AllowUsers after a recent experience.

Thanks.

--
Simon Wong [EMAIL PROTECTED]
Re: [SLUG] sudo command over ssh - pasword echo
On Thu, 2006-04-20 at 10:52 +1000, Benno wrote:
>     ssh [EMAIL PROTECTED] -t sudo ..
>
> The -t says allocate a TTY, which is what sudo needs to correctly read your password.

Thanks, I should have tried it before replying before.

I see that stops the echoing, tah.

--
Simon Wong [EMAIL PROTECTED]
Re: [SLUG] sudo command over ssh - pasword echo
On Thu, 20 Apr 2006 11:17 am, Simon Wong wrote:
> On Thu, 2006-04-20 at 10:46 +1000, James Gray wrote:
> > Add user to the sudo group on host and you won't be prompted for the user's password anymore (at least that's how it works on Ubuntu and RHEL).
>
> yeah, I was scared of doing that for the reason of giving blanket root sudo powers.

Just because a user can sudo doesn't mean they can sudo anything. You *can* restrict users to only being able to sudo a very specific set of commands and then even restrict further to options passed to those commands. The updater user should probably only be able to apt-get update and apt-get -y upgrade. If you want to do a full dist-upgrade or remove/purge packages, that's probably best done manually so don't allow updater to run apt-get with remove.

man sudo and man 5 sudoers are your friends here.

> > Alternatively, log in and run the commands interactively (but given you're running commands directly from ssh, I'm assuming this is actually a script?).
>
> yep, trying to script it :-)

Bummer - not really an option then.

> > If you go with the sudo group idea, you may want to set up a special user (updater or something) that can only run specific commands like apt-get with sudo and even then, restrict the options that can be passed as well.
>
> Good idea, that sounds like the way to go but I expect that means setting up an SSH key with the specific command so that the updater user can log in via SSH and do only that one thing.
>
> I want SSH logins restricted to a specified list via AllowUsers after a recent experience.

So use key-based login for the updater user. That way, even if someone knows the existence of the updater user it won't be of any use to them without the private key from the machine(s) YOU are using. I don't allow any password-based login for my publicly accessible SSH machines. That way I can not only restrict what users can log in but also WHERE they log in from (ie, the machine that has the private key) without resorting to high-maintenance IP address lists, iptables etc.

Double up the security: restrict allowed users AND use key-based auth. :)

HTH,

James
--
Age and treachery will always overcome youth and skill.
Re: [SLUG] sudo command over ssh - pasword echo
This one time, at band camp, James Gray wrote:
> So use key-based login for the updater user. That way, even if someone knows the existence of the updater user it won't be of any use to them without the private key from the machine(s) YOU are using. I don't allow any password-based login for my publicly accessible SSH machines. That way I can not only restrict what users can log in but also WHERE they log in from (ie, the machine that has the private key) without resorting to high-maintenance IP address lists, iptables etc.
>
> Double up the security: restrict allowed users AND use key-based auth. :)

Further to that, you can do some pretty neat (or unmaintainable :-) things with the authorized_keys file, e.g.:

    from="*.example.org",environment="SNUH=bar",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/usr/sbin/sudo apt-get update" ssh-dss = some comment about this key

and then you can load a different key using ssh -i (IIRC) to change the behaviour of the machine at the other end when you log in :-)
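The restricted updater setup discussed in the two messages above, as an added example that is not part of the thread: a sudoers rule limited to the two apt-get invocations James names, a key locked to a forced command as Jamie describes, and a small gate script as that forced command. It goes one step beyond the thread by reading `SSH_ORIGINAL_COMMAND` so that a single key can serve both allowed commands. The script path `/usr/local/sbin/updater-gate`, the `admin` user, the `/usr/bin/apt-get` path and the `<public-key>` placeholder are assumptions.

```shell
#!/bin/sh
# Forced-command gate for the "updater" key. Constructed config it assumes:
#
#   /etc/sudoers.d/updater  (edit with: visudo -f /etc/sudoers.d/updater)
#     updater ALL=(root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get -y upgrade
#
#   ~updater/.ssh/authorized_keys  (one line; <public-key> is a placeholder)
#     from="*.example.org",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/usr/local/sbin/updater-gate --forced" ssh-ed25519 <public-key> updater
#
#   /etc/ssh/sshd_config  (the user list is constructed)
#     AllowUsers admin updater
#     PasswordAuthentication no

# Map the command line the client asked for to one of the fixed actions.
# Prints the action name and returns 0; returns 1 for anything else,
# including extra arguments or shell metacharacters.
gate_action() {
    case "$1" in
        "apt-get update")     echo update ;;
        "apt-get -y upgrade") echo upgrade ;;
        *)                    return 1 ;;
    esac
}

# Run only the literal command lines the sudoers rule permits. The client's
# string is never handed to a shell or to sudo; -n makes sudo fail instead of
# prompting if the NOPASSWD rule does not match.
run_action() {
    case "$1" in
        update)  exec sudo -n /usr/bin/apt-get update ;;
        upgrade) exec sudo -n /usr/bin/apt-get -y upgrade ;;
    esac
}

# sshd puts the command the client requested in SSH_ORIGINAL_COMMAND.
if [ "${1:-}" = "--forced" ]; then
    action=$(gate_action "${SSH_ORIGINAL_COMMAND:-}") || {
        logger -t updater-gate "rejected: ${SSH_ORIGINAL_COMMAND:-none}"
        echo "updater-gate: command not permitted" >&2
        exit 1
    }
    run_action "$action"
fi
```

If sudoers sets `Defaults requiretty`, sudo will refuse to run under the `no-pty` key option, so exempt the updater user from that default.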
Re: [SLUG] sudo command over ssh - pasword echo
On Thu, 2006-04-20 at 11:36 +1000, James Gray wrote:
> Just because a user can sudo doesn't mean they can sudo anything. You *can* restrict users to only being able to sudo a very specific set of commands and then even restrict further to options passed to those commands.

Yeah I know, it's one of those mornings where a growing list of problems was making me avoid having to do more :-(

> > yep, trying to script it :-)
>
> Bummer - not really an option then.

well, I don't have a big problem doing some of this manually as long as I can streamline it a bit. I'd like to keep good control over what's happening with package updates especially.

> Double up the security: restrict allowed users AND use key-based auth. :)

Agreed, I've learnt a bit about that the hard way recently :-(

--
Simon Wong [EMAIL PROTECTED]
Re: [SLUG] sudo command over ssh - pasword echo
On Thu, 2006-04-20 at 11:48 +1000, Jamie Wilkinson wrote:
> Further to that, you can do some pretty neat (or unmaintainable :-) things with the authorized_keys file, e.g.:
>
>     from="*.example.org",environment="SNUH=bar",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/usr/sbin/sudo apt-get update" ssh-dss = some comment about this key
>
> and then you can load a different key using ssh -i (IIRC) to change the behaviour of the machine at the other end when you log in :-)

I like the idea of different keys for different commands, that could be very useful...thanks!

--
Simon Wong [EMAIL PROTECTED]