LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   Disabling of ssh Prompting for Password (https://www.linuxquestions.org/questions/linux-server-73/disabling-of-ssh-prompting-for-password-892425/)

devUnix 07-19-2011 12:59 AM
Disabling of ssh Prompting for Password
 
Hi,


There are over a dozen of servers that I need to monitor for services running on them. Hence, I have created a separate VM on which I am hosting scripts for various purposes. I have written a script (bash) that checks the status of the services running on those servers.

Since my script has this line of command (for example):

Code:
/sbin/service vsftpd status
I have created a user (let's name it user_monitor) and added it to /etc/sudoers file by issuing "visudo" on all the servers.

Since I need to execute the command remotely from the VM so I have generated a Public RSA Key (ssh-heygen) and added it to "authorized_keys" file on all the servers.

But on some servers when issue a command such as the following:

Code:
ssh user_monitor@appServer1 '/sbin/service vsftpd status'
or

Code:
ssh user_monitor@appServer1 'ls -ltr /tmp'
I am still getting a prompt for password to continue the operation.

Whereas, on some other servers I get this error (an excerpt from the sample run of the script):

Code:
+ for SERVER in '`cat $INPUT_FILE`'
+ echo -e '\n----------------------------------\nChecking Services on Server: 10.196.5.49\n'
+ ssh user_monitor@10.196.5.49 /sbin/service apache2 status
Password:
service: only root can use service
What could be wrong? I have given sufficient permissions to user_monitor and have also shared its PK on the target server.

So, how to bypass the password prompt when I am issuing the command (ssh ...) as given above?


Here are the visudoers' contents:

Code:
Defaults always_set_home
Defaults env_reset

#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
# Comment out the preceding line and uncomment the following one if you need
# to use special input methods. This may allow users to compromise  the root
# account if they are allowed to run commands without authentication.
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"

# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
#Defaults targetpw  # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL  # WARNING! Only use this together with 'Defaults targetpw'!

# Runas alias specification

# User privilege specification
root    ALL=(ALL) ALL
user_monitor      ALL=(ALL) NOPASSWD: ALL
Thanks,
Dev.

chrism01 07-19-2011 01:11 AM
1. consider using a monitoring tool like Nagios instead of rolling your own if you've got that many systems

2. assuming you are ssh-ing as user_monitor and NOT root (I hope), you will need to use 'sudo' to tell the remote end to check/use the sudoers file for privileged access eg
Code:
ssh user_monitor@appServer1 'sudo /sbin/service vsftpd status'

devUnix 07-19-2011 02:02 AM
Quote:
Originally Posted by chrism01 (Post 4418718)
1. consider using a monitoring tool like Nagios instead of rolling your own if you've got that many systems

2. assuming you are ssh-ing as user_monitor and NOT root (I hope), you will need to use 'sudo' to tell the remote end to check/use the sudoers file for privileged access eg
Code:
ssh user_monitor@appServer1 'sudo /sbin/service vsftpd status'

Thanks for the minor mistake of leaving out "sudo" prefix from the command. I knew it but just forgot to type it in there. Thanks a lot for observing it.

So, here is the sample run of the script again:

Code:
+ for SERVER in '`cat $INPUT_FILE`'
+ echo -e '\n----------------------------------\nChecking Services on Server: 10.196.5.20\n'
+ ssh user_monitor@10.196.5.20 sudo /sbin/service apache2 status
user_monitor@10.196.5.20's password:

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

        #1) Respect the privacy of others.
        #2) Think before you type.

Password:

apache2: unrecognized service
+ ssh user_monitor@10.196.5.20 sudo /sbin/service httpd status
user_monitor@10.196.5.20's password:
How to suppress the password prompt?

Your recommendation for the depoloyment of Nagios or any other such tools is okay but I am not supposed or authorised to do that on my own. It is my job to write scripts and I want to do these automations to prove my worth as well. ;)

devUnix 07-19-2011 04:39 AM
Okay, sudo and ssh are working now. But on some servers I am still getting password prompt.

devUnix 07-19-2011 08:24 AM
I have found the solution. My senior colleague just figured it out that the permissons of the directory ".ssh" and of the file "authorized_keys" were not properly set. I set them to 700 and 600 respectively and things worked fine.


All times are GMT -5. The time now is 04:17 AM.