LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-16-2015, 01:50 PM   #1
efetzer
LQ Newbie
 
Using ssh and sudo together


Hi all! Having an issue that is causing us much grief and I'm betting we're just missing something easy. We have a script that runs from a jump server that ssh's to a RHEL 6.6 host. Here is an example of what we need it to be able to do:

Code:
ssh -tt -q redhatHost 'sudo su - otherUser -c "cd /tmp;ls -l"'
If the sudoers file has the following in it, this works:

Code:
myUser        ALL = (ALL) NOPASSWD:ALL
If the sudoers file is more restrictive (as it needs to be) like:

Code:
myUser        ALL = NOPASSWD: /usr/bin/su - otherUser
Then I can ssh, then sudo, then perform the command, but not all together like I need to do from this script. It prompts for a password when performed together in the one command above. Does someone have a proper solution without changing all of my scripts that currently do this sort of thing?

Thanks much!
Eric
 
Old 04-16-2015, 03:45 PM   #2
Lnthink
Member
 
I would consider making an ssh key that runs the specific command that you're wanting.
Ssh itself can do both things you're wanting: a) run a command on another machine, and b) run an exact command as that person, all of what you're trying to do.

Search google or here for "ssh command keys" and you'll probably find your solution shortly.
This is how you can safely allow a person to run a single command from another machine with elevated privileges easily and safely.
 
Old 04-16-2015, 03:59 PM   #3
MensaWater
LQ Guru
 
A couple of ways to address it:
1) Have ssh go directly to the other user rather than doing sudo to that user after the ssh. The ssh trust can be configured for each user - the destination user defaults to same as source user but you can specify the destination:
e.g. ssh otherUser@redhatHost 'cd /tmp;ls -l'

-OR-
2) Setup Runas_Alias(es)
These allow a command specification later to allow the user to run commands as any <user> in the user list that follows the Alias name, using the syntax:
sudo -u <user> <command>
NOTE: The commands that can be run are only those for which the <user> has permission. e.g. if "oracle" doesn't have permissions to run "rm /" then allowing "sudo -u oracle rm /" here isn't a problem because it won't work anyway. Accordingly allowing a Runas_Alias in later specification to run "ALL" is acceptable.
e.g.
Runas_Alias <OTHERUSERA> = <user(s) you ssh'd into>
Note that OTHERUSERA is the name of the alias NOT the name of the user. The name of the user(s) is(are) after the "="
The grant of a Runas_Alias to a user is done with parentheses.
myUser ALL = (OTHERUSERA) ALL
 
Old 04-16-2015, 06:09 PM   #4
Lnthink
Member
 
Quote:
Originally Posted by MensaWater View Post
A couple of ways to address it:
1) Have ssh go directly to the other user rather than doing sudo to that user after the ssh. The ssh trust can be configured for each user - the destination user defaults to same as source user but you can specify the destination:
e.g. ssh otherUser@redhatHost 'cd /tmp;ls -l'
This is what I'm getting at - but - ssh "trust" as you call it - can be configured well beyond a single user - ssh keys can be tied to individual commands (using the command= syntax configured in the private key file), per user. So, you can create a key, that runs and only does a *single* command, script, etc.
 
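The "command key" idea from posts #2 and #4, written out as an added example (this is not code from the thread). The command= option goes in the target account's ~/.ssh/authorized_keys on the RHEL host, one entry per jump-server user's public key; sshd then ignores whatever command the client asked for, runs the forced command instead, and leaves the requested text in SSH_ORIGINAL_COMMAND for the wrapper to allowlist. The wrapper path /usr/local/libexec/esb-cmd, the verbs it accepts, and the /opt/esb paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper for the service
# account userOne. Assumed paths: /usr/local/libexec/esb-cmd (this script),
# /opt/esb/bin/esb-ctl and /opt/esb/log/esb.log (the middleware's own files).
#
# One line per jump-server user in ~userOne/.ssh/authorized_keys on the RHEL host
# (the key owner's name is passed as $1 so the log shows who used the key):
#
#   command="/usr/local/libexec/esb-cmd efetzer",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... efetzer@jump
#
# The client side then needs no sudo at all:   ssh -q userOne@redhatHost list-tmp
# OpenSSH 7.2+ can replace the no-* options with "restrict"; RHEL 6 ships
# OpenSSH 5.3, so spell them out there.

# Map a requested verb to the fixed command it is allowed to run.
# Prints the command and returns 0 when allowed, returns 1 otherwise.
esb_resolve() {
    case "$1" in
        list-tmp)     echo "ls -l /tmp" ;;
        esb-status)   echo "/opt/esb/bin/esb-ctl status" ;;
        esb-restart)  echo "/opt/esb/bin/esb-ctl restart" ;;
        "tail-log "[0-9]*)
            # Only a plain line count may follow the verb; anything else
            # (e.g. "tail-log 20;id") is rejected rather than handed to a shell.
            n="${1#tail-log }"
            case "$n" in *[!0-9]*|"") return 1 ;; esac
            echo "tail -n $n /opt/esb/log/esb.log" ;;
        *) return 1 ;;
    esac
}

esb_main() {
    who="${1:-unknown-key}"
    req="${SSH_ORIGINAL_COMMAND-}"      # unset when the client asked for a shell
    client="${SSH_CLIENT%% *}"
    logger -t esb-cmd -p auth.info "key=$who from=$client request=\"$req\""
    if ! cmd="$(esb_resolve "$req")"; then
        echo "esb-cmd: request not permitted: $req" >&2
        exit 127
    fi
    # $cmd is fixed text chosen by esb_resolve, so unquoted word splitting is intended.
    exec $cmd
}

# Run only when invoked as the installed wrapper; sourcing the file just defines the functions.
case "$0" in */esb-cmd) esb_main "$@" ;; esac
```

Because every executable command is fixed text chosen by esb_resolve, a request such as `tail-log 20;id` or `rm -rf /` never reaches a shell; the only user-controlled value that survives is the validated line count.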
Old 04-17-2015, 08:18 AM   #5
efetzer
LQ Newbie
 
Original Poster
Review...

I'll have to review these suggestions, but I'd rather not go to the extent of controlling commands. So here's the exact situation, we have an Active Directory group with several users in it. These users need to be able to run a script on a jump server that does the command specified as well as many others. These users just need to be able to do anything that this user can do on the server that gets ssh'd to. This isn't even slightly a privileged user, it's a local, passwordless service account that runs a middleware ESB. Where the security comes in is that we don't want to have to give the users in this group ALL NOPASSWD ALL type of access. It really doesn't make sense to me that ALL NOPASSWD ALL works, whereas this doesn't. When I do the commands separately, I don't get prompted for password in any of them. Why when they're done in conjunction are we being prompted? Sorry, I will look closer at the answers because likely the answer is in there, I'm just a middleware engineer rather than an SA so it takes me a bit longer...

Thanks!
Eric
 
Old 04-17-2015, 08:21 AM   #6
efetzer
LQ Newbie
 
Original Poster
Oh, duh!

I get what this one is saying:

Quote:
1) Have ssh go directly to the other user rather than doing sudo to that user after the ssh. The ssh trust can be configured for each user - the destination user defaults to same as source user but you can specify the destination:
e.g. ssh otherUser@redhatHost 'cd /tmp;ls -l'
So I would take the public keys of the users that need to ssh as that user and put them into the authorized_keys file for the user they need to ssh to. That makes sense, a bit of work, but it definitely makes sense. I'll discuss it with the SA that is as confused as me...
 
Old 04-17-2015, 08:43 AM   #7
efetzer
LQ Newbie
 
Original Poster
Still WAY cumbersome

I'd still rather not have to manage these users in the sudoers files in every single environment on every single server. For me, if I could just do one entry that says "the users from AD group groupOne can sudo to local user userOne passwordless and perform any command that userOne has access to" would be ideal. It seems like it should be:

Quote:
%groupOne ALL=(userOne) NOPASSWD: ALL
But we tried that and it doesn't work. It doesn't allow for the sudo to the user userOne in the first place. I obviously don't understand this stuff very well!
 
Old 04-17-2015, 08:48 AM   #8
efetzer
LQ Newbie
 
Original Poster
Oh, was this answered?

Maybe this was answered with:

Quote:
myUser (OTHERUSERA) ALL
Is it this simple?

Code:
Runas_Alias GROUP_ONE = groupOne
userOne (GROUP_ONE) NOPASSWD: ALL

 
Old 04-17-2015, 11:33 AM   #9
efetzer
LQ Newbie
 
Original Poster
Nope...

Didn't work. The sudoers file wouldn't even compile with that entry in it. Something is wrong in it, likely with the NOPASSWD: ALL. Anyone have a correction?
 
Old 04-17-2015, 01:02 PM   #10
MensaWater
LQ Guru
 
User_Alias allows you to add multiple users by name or group to a single grant by User_Alias.

Haven't used it but your mention of AD made me check for ldap integration with sudo which led to this page:
http://www.sudo.ws/sudoers.ldap.man.html

You may want to peruse that.
 
Old 04-17-2015, 01:18 PM   #11
efetzer
LQ Newbie
 
Original Poster
I don't think that would work...

Not sure that would work. The group is in Active Directory, but the user that these AD users need to impersonate is a local user on the host.
 
Old 04-20-2015, 08:47 AM   #12
efetzer
LQ Newbie
 
Original Poster
Help?

Any help on fixing my following entry:

Code:
Runas_Alias GROUP_ONE = groupOne
userOne (GROUP_ONE) NOPASSWD: ALL
The response I get is:

Quote:
$ ssh -tt -q machineName 'sudo su - userOne -c "cd /tmp;ls -l"'
[sudo] password for efetzer:
Sorry, user efetzer is not allowed to execute '/bin/su - userOne -c cd /tmp;ls -l' as root on machineName.
So first it told me I needed password, and second, it said I didn't have sudo rights to that user. Note that efetzer is in groupOne.

Thanks,
Eric
 
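The sudoers side of the setup discussed in posts #3, #7, #8 and #12, as an added example rather than anything posted in the thread: members of the AD group groupOne become the local service account userOne without a password, and nothing else. Two details explain the password prompt and the "not allowed to execute ... as root" message. First, `sudo su - userOne ...` asks sudo to run `su` as root, while a `(userOne)` runas list only authorises `sudo -u userOne ...`. Second, sudo matches the command together with its arguments, so a rule for `/usr/bin/su - otherUser` does not cover `su - otherUser -c "..."`, and on RHEL 6 the binary is /bin/su in any case (the error in post #12 shows the path sudo resolved). In a Runas_Alias the names after `=` are the accounts that may be become; the principal doing the sudo leads the rule and the host field is mandatory, which is why the entry in posts #8 and #12 does not parse. The fragment file name, the alias name ESB_SVC and the host machineName are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: the AD group groupOne resolves
# on the host (SSSD/winbind), userOne is the local service account, and
# /etc/sudoers still has the RHEL 6 default line "#includedir /etc/sudoers.d".

# The sudoers fragment. Runas_Alias lists the accounts that may be BECOME; the
# principal allowed to sudo (here the group, written with %) leads the rule,
# and the host field is required. "(ESB_SVC)" means only as userOne, never as root.
esb_sudoers_fragment() {
    cat <<'EOF'
Runas_Alias ESB_SVC = userOne
# Members of AD group groupOne may run anything as userOne without a password.
%groupOne ALL = (ESB_SVC) NOPASSWD: ALL
EOF
}

# Install the fragment only after visudo accepts its syntax, so a typo can
# never break sudo for the whole host. Must run as root.
install_esb_sudoers_fragment() {
    dest="${1:-/etc/sudoers.d/esb-groupone}"
    tmp="$(mktemp)" || return 1
    esb_sudoers_fragment >"$tmp"
    chmod 0440 "$tmp"
    if ! visudo -c -q -f "$tmp"; then
        echo "sudoers fragment rejected by visudo, not installed" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0440 -o root -g root "$tmp" "$dest" && rm -f "$tmp"
}

# The command the jump-server script should run instead of `sudo su - userOne -c ...`.
#   -n   fail at once ("a password is required") instead of hanging on a prompt
#   -u   pick the target user; this is what the (ESB_SVC) rule authorises
#   -i   login shell for userOne, the equivalent of `su -`
# `sh -c` carries the command string (it must not itself contain double quotes).
# -tt stays because RHEL 6's default sudoers has "Defaults requiretty".
esb_remote_command() {
    host="$1"; shift
    printf '%s\n' "ssh -tt -q $host 'sudo -n -u userOne -i sh -c \"$*\"'"
}

# Usage: esb_remote_command machineName 'cd /tmp; ls -l'
```

If the existing scripts really must keep `sudo su - userOne -c "..."`, the rule has to name /bin/su as root with a wildcard for the arguments (`%groupOne ALL = (root) NOPASSWD: /bin/su - userOne *`), which is noticeably weaker: the members are then running su as root, and the wildcard covers every argument su accepts. The `(ESB_SVC)` form above never grants anything as root.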
  

