From server A, i want to ssh multiple server using a non root user as direct root login is disabled to all server.
then i need to su - to switch to root
perform some normal operations, like changing directory, listing file etc.
and at the end change the root password using passwd command
I have expect installed on all servers and i am able to ssh from server A to any of the other servers but stuck in switching to root user and performing other operations as listed above.
#!/bin/bash
ssh user#ip<<'ENDSSH'
./su2root
#random operations
pwd
whoami
#random operations
./changepass
ENDSSH
su2root
#!/usr/bin/expect -f
spawn su -
set password "rootpass"
expect "assword:"
send "$password\r"
changepass
#!/usr/bin/expect -f
set newpassword "newrootpass"
spawn passwd
expect "*assword*"
send "$newpassword\r"
expect "*assword*"
send "$newpassword\r"
expect eof
exit 0
expecting to accomplish it using shell scripting only. Thanks in advance.
My initial comment on your question noted that you should be looking into running expect locally and spawning ssh sessions to the remote servers.
While not exactly answering your question, here is a simple expect script that logs into a remote system (one of my systems at home named valhalla), uses sudo -i to become root and executes the id command to show the user UID/GIDs. Note that I use ssh keys for logins which is why there is no expect for the initial login password.
The remote systems do not need expect in this example.
#!/usr/bin/expect
# vi: set ts=2 sw=2 noai ic showmode showmatch:
spawn ssh valhalla
expect "valhalla:"
send "sudo -i\r"
expect "assword for *"
send "XXXXXX\r"
expect "# "
send "id\r"
expect "(root)"
exit 0
Related
I have to create a file functon.txt under a particular directory with hello world in it in lots of machine. This is what I was doing so far manually one by one logging into each box and creating the file. That directory is own by root so I have to make sure that new file is also owned by root user.
david#machineA:~$ sudo su
[sudo] password for david:
root#machineA:/home/david# cd /opt/Potle/ouyt/wert/1
root#machineA:/opt/Potle/ouyt/wert/1# vi functon.txt
root#machineA:/opt/Potle/ouyt/wert/1# ssh david#machineB
david#machineB:~$ sudo su
[sudo] password for david:
root#machineB:/home/david# cd /opt/Potle/ouyt/wert/1
root#machineB:/opt/Potle/ouyt/wert/1# vi functon.txt
root#machineB:/opt/Potle/ouyt/wert/1# ssh david#machineC
.....
Now I have to do this in around 200 machines. Is there any way I can do these things through some script? I am ok typing passwords multiple times if I have to but I don't want to manually login into those box and do all the other steps by hand.
I have a file hosts.txt which contains each machine line by line. I can read this file line by line and do above things but I am not sure how?
This is just one time exercise for me so any easy or simple way should be fine. I can even hardcode my password in the script to do this job. What is the best way to accomplish this task?
After installing Ansible:
ansible -i /path/to/hosts.txt -m ping -u david --ask-pass all
See if you can ping the machines successfully. If it is successful, then try the following with 2 machines (create another txt file with just 2 machines and pass it to -i option). Then you can run this for all machines. If the directory does not exist, the command will fail and you will see the failed machines in summary.
ansible -i /path/to/hosts.txt -m copy -a "src=/path/to/functon.txt dest=/opt/Potle/ouyt/wert/1/functon.txt" -u david --ask-pass --become --become-user root --ask-become-pass all
I didn't test this. So use caution.
-i: input host(s)
-m: module
-a: module arguments
-u: user
--ask-pass: Ask for user password
--become: become another user
--become-user: new user
--ask-become-pass: Ask for become user password
You can use expect to automate SSH copy / SSH login :
#!/usr/bin/expect
set password [lindex $argv 1]
spawn scp -P 22 [lindex $argv 2] [lindex $argv 0]
expect "*password:*"
send -- "$password\r"
send -- "\r"
expect eof
The expect command will wait for the string you give in arguments to be received.
You can iterate over your hosts from hosts.txt and run this script like this for each one :
./create_config.sh david#machineA:/opt/Potle/ouyt/wert/1/ somePassword functon.txt
If you dont have possibility to do SSH copy but only SSH, you can still send command with expect :
#!/usr/bin/expect
set password [lindex $argv 1]
spawn ssh -p 22 [lindex $argv 0]
expect "*password:*"
send -- "$password\r"
send -- "\r"
# expect the command prompt : change this if needed
expect "*$*"
# execute some commands
send -- "echo 'some text to write to some file' > ~/some_file.txt\r"
# exit vm
send -- "exit\r"
expect eof
You can run this with :
./create_config.sh david#machineA somePassword
You could use sshfs: mount a machine, do what you want, unmount and pass to the next.
I am making a script to securely transfer data between my two machines through scp.
But in the script, it shows an error due to no password. So how can I make my shell script to ask me for password after executing scp command?
Here is my csh script.
# ssh shahk#sj-shahk
# ls -al
echo "Source Location of Remote Server - $1"
echo "Destination Location of Local Server - $2"
echo "File/Folder to be Transferred from Remote Server - $3"
echo "File Transfer Starts"
scp -rv $1/$3 <username>#<hostname>:$2
echo "File Transfer Completed"
# exit
Now I am using the above script with ssh in following way.
ssh <username>#<hostname> "<script name> <args>"
When I use in the above manner, it does not prompt for password while executing scp command.
You can use sshpass
https://www.cyberciti.biz/faq/noninteractive-shell-script-ssh-password-provider/
I have used it once to directly scp or ssh without prompting password.
For example :
sshpass -p 'password' scp file.tar.gz root#xxx.xxx.xxx.194:/backup
As mentioned by the other answer, sshpass will do the job perfectly. In the case where you can not install new packages on your local computer, you can also use expect (installed by default on most distros) to automate your interactive session.
The basic syntax of expect is to wait for the program to display a specific string (expect mystring), which triggers a specific behaviour (send command)
The following script shows the basic structure to implement what you need :
#!/usr/bin/expect -f
# syntax to specify which command to monitor
spawn scp myfile user#remote.host:/dest_folder
# this syntax means we expect the spawned program to display "password: "
# expect can understand regex and glob as well. read the man page for more details
expect "password: "
# the \r is needed to submit the command
send "PASSWORD\r"
# expect "$ " means we wait for anything to be written.
# change if you want to handle incorrect passwords
expect "$ "
send "other_command_to_execute_on_remote\r"
expect "$ "
send "exit\r"
As a side note, you can also set up passwordless authorizations through ssh keys.
#1) create a new ssh key on your local computer
> ssh-keygen -t rsa
#2) copy your public key to your remote server
# you will need to login, but only once. Once the key is on the remote server, you'll be able to connect without password.
> ssh-copy-id -i ~/.ssh/id_rsa.pub user#ip_machine
# OR
> cat ~/.ssh/id_rsa.pub | ssh user#ip_machine "cat - >> ~/.ssh/authorized_keys"
This tutorial explains how to use the keychain tool to manage several ssh keys and users.
ssh <username>#<hostname> "<script name> <args>"
scp will only read a password from a TTY, and it doesn't have a TTY in this case. When you run ssh and specify a command to be executed on the remote system (as you're doing here), ssh by default doesn't allocate a PTY (pseudo-tty) on the remote system. Your script and all of the commands launched from it--including scp--end up running without a TTY.
You can use the ssh -t option to make it allocate a tty on the remote system:
ssh -t <username>#<hostname> "<script name> <args>"
If you get a message like "Pseudo-terminal will not be allocated because stdin is not a terminal", then add another -t:
ssh -tt <username>#<hostname> "<script name> <args>"
I need to create a bash script that will remotely run another script on a batch of machines. To do so I am passing a script through SSH.
ssh -p$port root#$ip 'bash -s' < /path/to/script/test.sh
I thought it would use my RSA keys but I am getting error:
"Enter password: ERROR 1045 (28000): Access denied for user 'root'#'localhost' (using password: YES)"
I tried using sshpass to no avail. So my next solution was using expect. I have never used expect before and I'm positive my syntax is way off.
ssh -p$port root#$ip 'bash -s' < /path/to/script/test.sh
/usr/bin/expect <<EOD
expect "password"
send "$spass\n"
send "\n"
EOD
I have root access to all machines and ANY solution will do as long as the code remains within bash. Just keep in mind that this will be done in a loop with global variables ($spass, $ip, $port, etc) passed from a parent script.
You are doing it wrong in two means:
If you want expect to interact with ssh, you need to start ssh from expect script and not before.
If you put the script (/path/to/script/test.sh) to stdin of ssh, you can't communicate with the ssh process any more.
You should rather copy the script to remote host using scp and then run it.
Expect script might look like this:
/usr/bin/expect <<EOF
spawn ssh -p$port root#$ip
expect "password"
send "$Spass\r"
expect "$ "
send "/path/to/script/on/remote/server/test.sh\r"
expect "$ "
interact
EOF
#!/usr/bin/expect
#Replace with remote username and remote ipaddress
spawn /usr/bin/ssh -o StrictHostKeyChecking=no username#IPAddress
#Replace with remote username and remote ipaddress
expect "username#IPAddress's password: "
#Provide remote system password
send "urpassword\n"
#add commands to be executed. Also possible to execute bash scripts
expect "$ " {send "pwd\n"} # bash command
expect "$ " {send "cd mytest\n"}
expect "$ " {send "./first.sh\n"} # bash scripts
expect "$ " {send "exit\n"}
interact
In my bash script file, I try to use expect to provide password for ssh command but it doesn't work. Here is my script:
#!/bin/bash
/usr/bin/expect << EOD
spawn ssh root#192.168.1.201
expect "root#192.168.1.201's password:"
send "mypassword\r"
interact
expect eof
EOD
And the output after I execute the script:
[oracle#BTMVNSRV191 Desktop]$ ./login.sh
spawn ssh root#192.168.1.201
root#192.168.1.201's password: [oracle#BTMVNSRV191 Desktop]$
Could someone let me know, how to use expect in my script without changing #!/bin/bash to #!/usr/bin/expect?
The following works as a single line of bash script in OS X Terminal. It was only intended for use on a firewall protected LAN. Further details at my original post.
expect -c 'spawn ssh -o StrictHostKeyChecking=no remote-user#remote-IP;
expect assword; send remote-password\r; expect remote-user$;
send "sudo shutdown -h +1\r"; expect assword; send remote-password\r; interact'
ssh (and any other password reading tool) reads its password not from its standard input. It uses some tricky ioctl()-s on its terminal device. This is because you can't give them your password in a pipe.
It is not really a big problem, because widely used cleartext passwords caused more harm as if sometimes we need to find some alternative, password-less solution.
In cases of the ssh, there is a very simple thing for that. Google for ssh-keygen. I suggest to use that, configure a passwordless ssh and everything will be fine.
*Please do not pile on and tell me to just use SSH keys. If it bugs you that this is the way I am doing it, pretend that I am trying to telnet in instead. :-) *
I am using an expect script to run some routine commands on a set of servers under my control via ssh. The script should run set of commands (eg svn update ~/folderx\r") on each of the machines. My current script does everything I want it to do... sometimes. Other times it exits the ssh connection before it completes one of the last few commands.
Any thoughts on how I can make the connection stay until all of the commands are completed? The code below successfully logs on, successfully runs the first two commands or so (ap-get update and one of the svn updates) and then disconnects.
#!/usr/bin/expect -f
spawn ssh username#ipaddress
set timeout -1
expect "Are you sure you want to continue connecting" {send "yes\r"; exp_continue} "password:" {send "*******\r"; exp_continue
} "username#machine" {send "sudo apt-get update\r"}
expect "password" {send "*******\r"; exp_continue} "username#machine" {send "sudo svn update ~/folder1\r"}
expect "password" {send "*******\r"; exp_continue} "username#machine" {send "sudo svn update ~/folder2\r"}
expect "password" {send "*******\r"; exp_continue} "username#machine" {send "sudo svn update ~/folder3\r"}
expect "password" {send "*******\r"; exp_continue} "username#machine" {send "sudo reboot\r"}
close
Using Expect is generally the wrong way to do this kind of thing.
The right way is to set up ssh keys so that you can ssh and run commands on the remote machine without supplying a password. Here's how to do that:
0. Create public/private key pair on local machine.
(Only needs to be done once on local machine for all remote machines.)
Go to the ~/.ssh directory on your local machine and do this:
% ssh-keygen -t rsa
1. Copy the public key to the remote machine:
% scp ~/.ssh/id_rsa.pub you#foo.com:.
2. Append that key to the authorized_keys file on the remote machine:
% ssh you#foo.com 'cat id_rsa.pub >> .ssh/authorized_keys; /bin/rm id_rsa.pub'
3. Finally, in case it doesn't work, check permissions, which must be just so:
(or maybe it's just that they can't be group/world writeable)
% cd ~; ls -ld . .ssh .ssh/authorized_keys
drwxr-xr-x .
drwxr-xr-x .ssh
-rw-r--r-- .ssh/authorized_keys
Here's a script that does the above in one fell swoop:
http://jakehofman.com/code/sshkey
You can then run commands on the remote machine like so:
ssh alice#remote.com ./foo args
To run commands on the remote machine with sudo, however, may be another story.
Hopefully others can chime in about that.
But as a first step you should avoid Expect for the initial login.
It turns out that the reason it was exiting earlier was that the prompt pattern that I was matching against matched not only the prompt, but also some of the output from the svn commands I was running. I was matching against only the "username" portion of the prompt pattern (the prompt form was "username#machine:~$"). Once I altered the script to match only "username#" it began to work as expected.
p.s. the ssh script that dreeves links to above works very nicely.