LinuxQuestions.org
Old 02-18-2008, 09:33 PM   #1
s2cuts
Member
 
Registered: Mar 2007
Posts: 61

Rep: Reputation: 18
passing a password to su??


There must be a way of passing the "su" command the password of the user who is specified (without being prompted, so that you can script it). I can't find it. Can anyone help?

Thanks.

Last edited by s2cuts; 02-18-2008 at 09:37 PM.
 
Old 02-18-2008, 09:46 PM   #2
BrianK
Senior Member
 
Registered: Mar 2002
Location: Los Angeles, CA
Distribution: Debian, Ubuntu
Posts: 1,334

Rep: Reputation: 51
Quote:
Originally Posted by s2cuts View Post
There must be a way of passing the "su" command the password of the user who is specified (without being prompted, so that you can script it). I can't find it. Can anyone help?

Thanks.
I don't believe you can do that with su, but you are allowed to ssh to the same computer, so you could use public key authentication on the local machine to do the same thing as su without a password.

The caveat is that this same behavior will happen outside of your script.

In summary,
1. Set up public keys: http://www.linuxquestions.org/linux/...ation_with_ssh where the "server" you're connecting to is the local machine
2. ssh other_user@local_machine 'command to execute && other command to execute'

should do the trick.
 
Old 02-18-2008, 10:14 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Look at sudo and its NOPASSWD directive.
 
Old 02-19-2008, 03:15 PM   #4
s2cuts
Member
 
Registered: Mar 2007
Posts: 61

Original Poster
Rep: Reputation: 18
Quote:
Originally Posted by BrianK View Post
I don't believe you can do that with su, but you are allowed to ssh to the same computer, so you could use public key authentication on the local machine to do the same thing as su without a password.

The caveat is that this same behavior will happen outside of your script.

In summary,
1. Set up public keys: http://www.linuxquestions.org/linux/...ation_with_ssh where the "server" you're connecting to is the local machine
2. ssh other_user@local_machine 'command to execute && other command to execute'

should do the trick.
Hey Brian, I've tried this, looked through the conf file, and followed their recommendations for troubleshooting, to no avail. From looking at the verbose output I can see that it attempts to authenticate with the pub key that I generated but fails. Looking at the conf files, it doesn't seem to have any parameters that would disallow Pubkey authentication. Ultimately authentication defaults to regular password authentication. I'm stumped. Are there any other params in the ssh_conf files that might be stopping this from working? I've attached the output from a verbose connection attempt.

Code:
[master@localhost .ssh]$ ssh -vv p2p@localhost
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /mnt/main_data/nonsharedfiles/master/.ssh/identity type -1
debug1: identity file /mnt/main_data/nonsharedfiles/master/.ssh/id_rsa type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /mnt/main_data/nonsharedfiles/master/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 133/256
debug2: bits set: 551/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /mnt/main_data/nonsharedfiles/master/.ssh/known_hosts:1
debug2: bits set: 522/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /mnt/main_data/nonsharedfiles/master/.ssh/identity ((nil))
debug2: key: /mnt/main_data/nonsharedfiles/master/.ssh/id_rsa ((nil))
debug2: key: /mnt/main_data/nonsharedfiles/master/.ssh/id_dsa (0x8fc8680)
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /mnt/main_data/nonsharedfiles/master/.ssh/identity
debug1: Trying private key: /mnt/main_data/nonsharedfiles/master/.ssh/id_rsa
debug1: Offering public key: /mnt/main_data/nonsharedfiles/master/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
p2p@localhost's password:
 
Old 02-19-2008, 05:08 PM   #5
BrianK
Senior Member
 
Registered: Mar 2002
Location: Los Angeles, CA
Distribution: Debian, Ubuntu
Posts: 1,334

Rep: Reputation: 51
Quote:
Originally Posted by s2cuts View Post
Hey Brian, I've tried this, looked through the conf file, and followed their recommendations for troubleshooting, to no avail. From looking at the verbose output I can see that it attempts to authenticate with the pub key that I generated but fails. Looking at the conf files, it doesn't seem to have any parameters that would disallow Pubkey authentication. Ultimately authentication defaults to regular password authentication. I'm stumped. Are there any other params in the ssh_conf files that might be stopping this from working? I've attached the output from a verbose connection attempt.
It's likely a permissions issue. The directory that holds the keys should not be readable/writable by anyone but the user. The same goes for the keys themselves. It may even be more restrictive than that. I've always kept keys on both sides in the user's $HOME/.ssh directory with very restrictive permissions.

It's hard to find this information from the debug output, but this has typically been my problem when it comes to failing public keys.

btw, I know this *does* work as I use it every day... it's just a matter of getting all your ducks perfectly in a row. Wrong permissions *will* prevent this from working - I know because I've pulled out many-a-hair on that very issue.
 
Old 02-20-2008, 12:29 AM   #6
s2cuts
Member
 
Registered: Mar 2007
Posts: 61

Original Poster
Rep: Reputation: 18
Alright, thanks Brian. I'll look over the permissions on both sides and post any revelations.

Edit: Restrict permissions and it works, how crazy is that. Does anyone know the reason?

Last edited by s2cuts; 02-20-2008 at 12:56 AM.
 
Old 02-20-2008, 02:30 PM   #7
BrianK
Senior Member
 
Registered: Mar 2002
Location: Los Angeles, CA
Distribution: Debian, Ubuntu
Posts: 1,334

Rep: Reputation: 51
Quote:
Originally Posted by s2cuts View Post
Edit: Restrict permissions and it works, how crazy is that. Does anyone know the reason?
Glad to hear it.

I believe it's for security. A key that is viewable by anyone other than the owner is not a valid key. It's like leaving the keys to your car in the door - wouldn't it be nice if they didn't work if you accidentally left them there? The same thing applies here. If you leave your keys viewable to others, they could copy them then reuse them at will.
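
The permission fix this thread arrives at, as an added example that is not from any of the posters: with StrictModes enabled (the default), sshd ignores authorized_keys when that file, ~/.ssh or the home directory is writable by group or others, and the ssh client skips a private key that group or others can access at all. The script assumes GNU stat and checks mode bits only (sshd also checks ownership); the function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report permission bits that make OpenSSH refuse key login.
# Assumes GNU stat (Linux). All function names here are illustrative.

mode_of() { stat -c '%a' "$1"; }          # octal mode, e.g. 700

# True if group or other may write (what sshd's StrictModes rejects).
writable_by_others() {
    m=$(mode_of "$1")
    [ $(( 0$m & 022 )) -ne 0 ]
}

# True if group or other has any access (the ssh client skips such keys).
accessible_by_others() {
    m=$(mode_of "$1")
    [ $(( 0$m & 077 )) -ne 0 ]
}

# check_ssh_perms HOME_DIR: print one finding per line, nothing if clean.
check_ssh_perms() {
    home=$1
    # Server side: home, ~/.ssh and authorized_keys of the target account.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if writable_by_others "$p"; then echo "WRITABLE $p $(mode_of "$p")"; fi
    done
    # Client side: private keys (id_* without .pub) of the calling account.
    for k in "$home"/.ssh/id_*; do
        [ -f "$k" ] || continue
        case $k in *.pub) continue ;; esac
        if accessible_by_others "$k"; then echo "EXPOSED $k $(mode_of "$k")"; fi
    done
    return 0
}

# Constructed sample home directory: loose permissions first, then tightened.
demo() {
    t=$(mktemp -d)
    mkdir "$t/.ssh"
    : > "$t/.ssh/authorized_keys"; : > "$t/.ssh/id_dsa"; : > "$t/.ssh/id_dsa.pub"
    chmod 755 "$t"; chmod 775 "$t/.ssh"
    chmod 664 "$t/.ssh/authorized_keys"; chmod 644 "$t/.ssh/id_dsa" "$t/.ssh/id_dsa.pub"
    echo "before:"; check_ssh_perms "$t"      # three findings
    chmod 700 "$t/.ssh"; chmod 600 "$t/.ssh/authorized_keys" "$t/.ssh/id_dsa"
    echo "after:"; check_ssh_perms "$t"       # no findings
    rm -rf "$t"
}
demo
```

Run `check_ssh_perms` against the home directory of the account being logged in to for the WRITABLE findings, and against the home directory of the account running ssh for the EXPOSED findings.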
 
  

