[SOLVED] Disabling of ssh Prompting for Password

devUnix · 07-19-2011, 12:59 AM

Hi,

There are over a dozen of servers that I need to monitor for services running on them. Hence, I have created a separate VM on which I am hosting scripts for various purposes. I have written a script (bash) that checks the status of the services running on those servers.

Since my script has this line of command (for example):

Code:

/sbin/service vsftpd status

I have created a user (let's name it user_monitor) and added it to /etc/sudoers file by issuing "visudo" on all the servers.

Since I need to execute the command remotely from the VM so I have generated a Public RSA Key (ssh-heygen) and added it to "authorized_keys" file on all the servers.

But on some servers when issue a command such as the following:

Code:

ssh user_monitor@appServer1 '/sbin/service vsftpd status'

or

Code:

ssh user_monitor@appServer1 'ls -ltr /tmp'

I am still getting a prompt for password to continue the operation.

Whereas, on some other servers I get this error (an excerpt from the sample run of the script):

Code:

+ for SERVER in '`cat $INPUT_FILE`'
+ echo -e '\n----------------------------------\nChecking Services on Server: 10.196.5.49\n'
+ ssh user_monitor@10.196.5.49 /sbin/service apache2 status
Password:
service: only root can use service

What could be wrong? I have given sufficient permissions to user_monitor and have also shared its PK on the target server.

So, how to bypass the password prompt when I am issuing the command (ssh ...) as given above?

Here are the visudoers' contents:

Code:

Defaults always_set_home
Defaults env_reset

#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
# Comment out the preceding line and uncomment the following one if you need
# to use special input methods. This may allow users to compromise  the root
# account if they are allowed to run commands without authentication.
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"

# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
#Defaults targetpw   # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

# Runas alias specification

# User privilege specification
root    ALL=(ALL) ALL
user_monitor       ALL=(ALL) NOPASSWD: ALL

Thanks,
Dev.

chrism01 · 07-19-2011, 01:11 AM

1. consider using a monitoring tool like Nagios instead of rolling your own if you've got that many systems

2. assuming you are ssh-ing as user_monitor and NOT root (I hope), you will need to use 'sudo' to tell the remote end to check/use the sudoers file for privileged access eg

Code:

ssh user_monitor@appServer1 'sudo /sbin/service vsftpd status'

devUnix · 07-19-2011, 02:02 AM

Quote:

Originally Posted by chrism01

1. consider using a monitoring tool like Nagios instead of rolling your own if you've got that many systems

2. assuming you are ssh-ing as user_monitor and NOT root (I hope), you will need to use 'sudo' to tell the remote end to check/use the sudoers file for privileged access eg

Code:

ssh user_monitor@appServer1 'sudo /sbin/service vsftpd status'

Thanks for the minor mistake of leaving out "sudo" prefix from the command. I knew it but just forgot to type it in there. Thanks a lot for observing it.

So, here is the sample run of the script again:

Code:

+ for SERVER in '`cat $INPUT_FILE`'
+ echo -e '\n----------------------------------\nChecking Services on Server: 10.196.5.20\n'
+ ssh user_monitor@10.196.5.20 sudo /sbin/service apache2 status
user_monitor@10.196.5.20's password:

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

        #1) Respect the privacy of others.
        #2) Think before you type.

Password:

apache2: unrecognized service
+ ssh user_monitor@10.196.5.20 sudo /sbin/service httpd status
user_monitor@10.196.5.20's password:

How to suppress the password prompt?

Your recommendation for the depoloyment of Nagios or any other such tools is okay but I am not supposed or authorised to do that on my own. It is my job to write scripts and I want to do these automations to prove my worth as well.

devUnix · 07-19-2011, 04:39 AM

Okay, sudo and ssh are working now. But on some servers I am still getting password prompt.

devUnix · 07-19-2011, 08:24 AM

I have found the solution. My senior colleague just figured it out that the permissons of the directory ".ssh" and of the file "authorized_keys" were not properly set. I set them to 700 and 600 respectively and things worked fine.