LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 11-20-2011, 10:42 AM   #1
johndir
LQ Newbie
 
Registered: Nov 2011
Posts: 5

Rep: Reputation: Disabled
Shell command output redirection - sudo doesn't block, can't supply passwords


This works:

Code:
$ echo hello | ssh user@remotehost -tt "cat"
hello
hello
But here I don't get the chance to write the passwords.

Code:
$ sudo echo hello | ssh user@remotehost -tt "sudo cat"
Password: Password:
How can I fix this (i.e. make the first sudo block properly until the password is supplied)?
 
Old 11-20-2011, 11:48 AM   #2
Juako
Member
 
Registered: Mar 2010
Posts: 202

Rep: Reputation: 84
Using sudo in the local machine will give you ZERO privileges in another machine, per se. The only situation when something like that would happen is if root itself has a ssh login enabled in the remote machine (and this is an extremely dangerous thing, unless it's somewhat mitigated by using keys and PermitRootLogin=without-password in /etc/ssh/sshd_config).

Furthermore, assuming you stopped using sudo in the local machine and wanted to pipe the password thru ssh to a remote sudo, it will also fail because sudo only read its password from a tty, which in the case of a normal ssh connection isn't allocated:

me@localhost:$ echo hello | ssh user@remotehost -t sudo cat
user@remotehost's password: ******
sudo: no tty present and no askpass program specified


You *could* force a tty allocation by ssh using the -t switch, and then type the password when the remote sudo asks:
me@localhost:$ ssh user@remotehost -t sudo echo hello
user@remotehost's password: ******
[sudo] password for user: ******
hello

But this won't work when you want to pipe things to ssh:
me@localhost:$ echo hello | ssh user@remotehost -t sudo cat
Pseudo-terminal will not be allocated because stdin is not a terminal.
user@remotehost's password: ******
sudo: no tty present and no askpass program specified
 
Old 11-20-2011, 01:57 PM   #3
johndir
LQ Newbie
 
Registered: Nov 2011
Posts: 5

Original Poster
Rep: Reputation: Disabled
Redirect local command output to a remote sudo command

I'm aware that that sudo in the local machine will give me nothing on the remote machine.
The example I gave serves its purpose, but it's not exactly what I'm trying to do. The "symptoms", however, are identical.
For the record let's say that I would like to redirect the output of a local command that needs to be run as root (sudo) to a remote command that needs to be ran as root (sudo). And looking at your last example I see that output redirection per se isn't working with a remote sudo. So this is the issue that I would like to attack. Is there a way to "fix" this?

Is there a way to redirect local command output to a remote sudo command?
 
Old 11-20-2011, 02:52 PM   #4
jthill
Member
 
Registered: Mar 2010
Distribution: Arch
Posts: 209

Rep: Reputation: 65
Authorize the user to execute that command with no password, and don't require a tty.

In /etc/sudoers on remote.host:
Code:
Defaults:user !requiretty
user (ALL) = (root) NOPASSWD: /bin/cat
gets:
Code:
$ echo hello | ssh user@remote.host sudo cat
hello
$

(edit: note I'm using keys not passwords, yours will still prompt for the remote-host password)

Last edited by jthill; 11-20-2011 at 02:55 PM. Reason: explain ssh password prompting difference
 
Old 11-20-2011, 02:58 PM   #5
johndir
LQ Newbie
 
Registered: Nov 2011
Posts: 5

Original Poster
Rep: Reputation: Disabled
Thank you for your reply.
No password for root is not an acceptable solution. Is there no other way to do this?
 
Old 11-20-2011, 04:21 PM   #6
jthill
Member
 
Registered: Mar 2010
Distribution: Arch
Posts: 209

Rep: Reputation: 65
Only way I can think of to get it done is to add !tty_tickets,ticket_timeout=0.5 or something short like that to the remote user's sudo options, and do a separate sudo -v beforehand, so for the above substitute

in /etc/sudoers on the remote host:
Code:
Defaults:user !requiretty,!tty_tickets,ticket_timeout=0.5
and the sequence becomes
Code:
$ sudo -v
[sudo] password for jthill:
$ ssh user@remote.host sudo -v
[sudo] password for user:
$ sudo echo hello | ssh user@remote.host sudo cat
hello
$ sleep 31
$ sudo echo hello | ssh user@remote.host sudo cat
sudo: no tty present and no askpass program specified
$
 
Old 11-22-2011, 09:45 AM   #7
jthill
Member
 
Registered: Mar 2010
Distribution: Arch
Posts: 209

Rep: Reputation: 65
Got it. Make a named pipe on the remote host and ssh-pipe your data through that, no need for any sudoers tweaking.

Code:
$ ssh user@remote mkfifo data
$ ssh user@remote -tt '(cat data | sudo cat)'
[sudo] password for user:
That will hang waiting for data, so separately you do
Code:
$ sudo echo hello | ssh user@remote cat \>data
[sudo] password for jthill:
$
and you'll see on the first one:
Code:
hello
Connection to remote closed.
$
The '(cat data | sudo cat)' avoids an annoying delay before sudo prompts for the password (because the redirect tells the shell to open the pipe before running sudo).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Sudo doesn't care for passwords :S (13.1, xfce) 0men Slackware 2 09-15-2011 08:36 PM
[SOLVED] Output redirection doesn't work with iptables (Fedora Core 11) andrei.wap Linux - Newbie 8 03-17-2011 05:30 PM
command output redirection radiodee1 Linux - Newbie 1 01-02-2008 11:24 AM
Output and Error redirection in Shell script (MinGW) montylee Programming 6 09-08-2006 05:06 AM
shell script output redirection goral.j Programming 3 01-27-2005 05:34 AM


All times are GMT -5. The time now is 04:28 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration