Pass a password as an environment variable through SSH - linux

Here is what I know:
echo "password" | sudo SOME_COMMAND
The above mentioned command will log in as root directly in Bash shell and run SOME_COMMAND.
What I am trying to do:
I want to perform the same task, but from a remote machine. For that I want to pass the password as a variable via an SSH command. Something like this:
ssh -o PASSWORD=password user@hostA 'echo $PASSWORD | sudo SOME_COMMAND'
(Reference: When ssh'ing, how can I set an environment variable on the server that changes from session to session?)
But it doesn't pass the $PASSWORD variable.
How can I do it?
Simple summary:
Here is what I want to do:
I want to pass a variable to remote host when I log in through SSH so I can access it in the remote host script.

You can use the sshpass utility to do this task.
But this is not a secure way; your password is not in an encrypted format.
Reference: sshpass: Login To SSH Server / Provide SSH Password Using A Shell Script

You should not use sudo and ssh in one line. Here is a discussion and solution that I was answering yesterday on Super User.
To pass a variable through a pipe you can do the following...
echo "Hello, World!" | ssh USER@HOST cat
Other methods would be passing files via scp or rsync.

Related

Passwordless execution of local script on remote machine as root into a local file

I've been working on a bash script that automatically runs certain scripts on remote machines and saves the logs to certain folders. As of now I have been copying the local script to the remote machine, executing it into a remote log, copying the remote log into a local folder, and then deleting the remote log and remote copy of the script.
This works, but I know it can work better if I can avoid doing all the in-between steps. The one caveat is I need this to be automatic and passwordless (meaning no user input at all). One of the scripts needs to be run as root or it won't display all the necessary information and will userlock the machine temporarily.
The code I am currently using to execute the remoteScript into a log that I later retrieve with scp is below.
sshpass -f password.txt ssh user@1.1.1.1 "echo $password | sudo -S /home/user/remoteScript.sh > remoteLog.txt"
And in my testing, execution of local script on remote machine into local log file works like below
sshpass -f password.txt ssh user@1.1.1.1 "bash -s" < /home/user/localScript.sh >> localLog.txt
How could I combine the elements of the two code examples above in order to make a local script run on a remote machine with root privilege and log the output into a local text file?
Some things I have tried that do not work include:
sshpass -f password.txt ssh user@1.1.1.1 "bash -s" < "echo $password | sudo -S /home/user/script.sh >> log.txt"
sshpass -f password.txt ssh user@1.1.1.1 "echo $password | sudo -S /home/user/script.sh" >> log.txt
and notably
sshpass -f password.txt ssh user@1.1.1.1 echo $password | sudo -S /home/user/script.sh >> log.txt
which just executes the local script with root privilege on the local machine.
I have tried many variations of the above commands and I believe it's some sort of piping or flow issue but I cannot figure it out. Is there any way to do this?
Machines are Ubuntu 16.04 and you cannot ssh in already as root.
Thanks in advance
A) It might be worth looking into an orchestration/config management solution (e.g. Ansible). It's a steep learning curve at first, but initial outlay will pay off in spades down the line if you're managing multiple servers.
B) Set up password-less sudo for the scripts you want to execute, so you don't have to pass around the password in plaintext, and can run without any input. In sudoers:
user ALL=(ALL) NOPASSWD:/home/user/script.sh
C) Set up an SSH key, so you don't need to use a password at all.
But in a nutshell, the code you're looking for is something like:
cat /home/user/localScript.sh | ssh user@1.1.1.1 "sudo bash" > log.txt
Which executes a non-interactive bash shell as root on the remote machine, which will take commands to execute on standard in, and the standard output will come back over the ssh channel for you to write to your local log.
Look into &> or 2>&1 if you want standard error too.
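A check to run before adopting option B, given here as an added example that is not part of the answer above: a NOPASSWD rule is only as strong as the permissions on the command it names, and a script under the user's own home directory can normally be edited by that user. The functions, the TRUSTED_UID variable and the sample sudoers lines are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). TRUSTED_UID is a hypothetical knob,
# defaulting to 0 (root), so the check can be exercised without being root.
TRUSTED_UID=${TRUSTED_UID:-0}

# Read sudoers text on stdin; print each absolute command path granted NOPASSWD.
# Aliases, ALL and line continuations are not handled by this simple parser.
nopasswd_commands() {
    sed -n 's/^[^#]*NOPASSWD:[[:space:]]*//p' |
        tr ',' '\n' |
        awk '$1 ~ /^\// { print $1 }'
}

# Succeed only if TRUSTED_UID owns the path and group/others cannot write it.
trusted_only() {
    owner=$(stat -L -c '%u' "$1" 2>/dev/null) || return 1   # GNU stat
    mode=$(stat -L -c '%a' "$1" 2>/dev/null) || return 1
    [ "$owner" = "$TRUSTED_UID" ] || return 1
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;   # group- or other-writable
    esac                                # no match: case leaves status 0
}

# Check the command and every parent directory: whoever can write any of them
# can replace what sudo runs without a password.
audit_target() {
    case "$1" in /*) ;; *) return 1 ;; esac
    p=$1
    while :; do
        trusted_only "$p" || {
            echo "UNSAFE $1: $p is missing or not restricted to uid $TRUSTED_UID"
            return 1
        }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Constructed sample: the rule from the answer plus two system paths.
SAMPLE='user ALL=(ALL) NOPASSWD:/home/user/script.sh
# admin ALL=(ALL) NOPASSWD: /bin/disabled
ops ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/sbin/logrotate'

audit_sample() {
    printf '%s\n' "$SAMPLE" | nopasswd_commands | while read -r cmd; do
        audit_target "$cmd" || true
    done
}
audit_sample
```

On a real host, feed the function the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` instead of the constructed sample, and move any flagged script to a root-owned directory before granting NOPASSWD on it.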

Piping different values into bash command [duplicate]

How can you make SSH read the password from stdin, which it doesn't do by default?
Based on this post, you can do:
Create a command which opens an SSH session using SSH_ASKPASS (look for SSH_ASKPASS in man ssh)
$ cat > ssh_session <<EOF
export SSH_ASKPASS="/path/to/script_returning_pass"
setsid ssh "your_user"@"your_host"
EOF
NOTE: To keep ssh from trying to ask on the tty, we use setsid
Create a script which returns your password (note echo "echo)
$ echo "echo your_ssh_password" > /path/to/script_returning_pass
Make them executable
$ chmod +x ssh_session
$ chmod +x /path/to/script_returning_pass
try it
$ ./ssh_session
Keep in mind that ssh stands for secure shell, and if you store your user, host and password in plain text files you are misleading the tool and creating a possible security gap.
You can use sshpass, which is, for example, in the official Debian repositories. Example:
$ apt-get install sshpass
$ sshpass -p 'password' ssh username@server
You can't with most SSH clients. You can work around it by using SSH APIs, like Paramiko for Python. Be careful not to overrule all security policies.
Distilling this answer leaves a simple and generic script:
#!/bin/bash
[[ $1 =~ password: ]] && cat || SSH_ASKPASS="$0" DISPLAY=nothing:0 exec setsid "$@"
Save it as pass, do a chmod +x pass and then use it like this:
$ echo mypass | pass ssh user@host ...
If its first argument contains password: then it passes its input to its output (cat); otherwise it launches whatever was presented after setting itself as the SSH_ASKPASS program.
When ssh encounters both SSH_ASKPASS AND DISPLAY set, it will launch the program referred to by SSH_ASKPASS, passing it the prompt user@host's password:
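An added example, not code from any of the answers above: an askpass helper built on the same SSH_ASKPASS mechanism that replies only to password prompts, refuses every other prompt, and rejects a secret file that other accounts can read. The SECRET_FILE variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): an askpass helper that answers only
# password prompts. SECRET_FILE is a hypothetical variable naming the file
# that holds the password on its first line.

# Succeed only for a regular, non-symlink file with no group/other permissions.
secret_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1   # GNU stat, e.g. "600"
    case "$mode" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the secret for a password prompt; refuse every other prompt, such as
# the host-key confirmation or a key passphrase request.
askpass_reply() {
    case "$1" in
        *[Pp]assword:*) ;;                   # e.g. "user@host's password: "
        *) echo "askpass: refusing prompt: $1" >&2; return 2 ;;
    esac
    secret_file_ok "${SECRET_FILE:-}" || {
        echo "askpass: SECRET_FILE must be a regular file with mode 600 or stricter" >&2
        return 3
    }
    IFS= read -r secret < "$SECRET_FILE" || [ -n "$secret" ] || return 4
    printf '%s\n' "$secret"
}

# ssh runs the SSH_ASKPASS program with the prompt text as its first argument.
if [ "$#" -gt 0 ]; then
    askpass_reply "$1"
    exit
fi
```

Saved as an executable file, it is used like the script above: `SECRET_FILE=/path/to/secret SSH_ASKPASS=/path/to/helper DISPLAY=nothing:0 setsid ssh user@host`, where both paths are placeholders.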
An old post reviving...
I found this one while looking for a solution to the exact same problem, I found something and I hope someone will one day find it useful:
Install ssh-askpass program (apt-get, yum ...)
Set the SSH_ASKPASS variable (export SSH_ASKPASS=/usr/bin/ssh-askpass)
From a terminal open a new ssh connection without an undefined TERMINAL variable (setsid ssh user@host)
This looks simple enough to be secure but did not check yet (just using in a local secure context).
Here we are.
FreeBSD mailing list recommends the expect library.
If you need a programmatic ssh login, you really ought to be using public key logins, however -- obviously there are a lot fewer security holes this way as compared to using an external library to pass a password through stdin.
A better sshpass alternative is:
https://github.com/clarkwang/passh
I got problems with sshpass: if the ssh server is not added to my known_hosts, sshpass will not show me any message. passh does not have this problem.
I'm not sure the reason you need this functionality but it seems you can get this behavior with ssh-keygen.
It allows you to login to a server without using a password by having a private RSA key on your computer and a public RSA key on the server.
http://www.linuxproblem.org/art_9.html

Transfer files between local to remote server using ssh without password authentication

I want to transfer some files from my local to remote, like GitHub does it. I want it to happen very smoothly, like in a shell script. I tried creating a shell script which automates the process of SSH authentication without a password, but the first time it exposes my remote server password. I don't want to do it that way. Like in git, we can't see their server password. Is there any possible way that we can do this?
I used this article script to automate ssh login. http://www.techpaste.com/2013/04/shell-script-automate-ssh-key-transfer-hosts-linux/
As I mentioned, you can use the scp command, like this:
scp /local_dir/some*.xml remote_user@remote_machine:/var/www/html
This requires that you can connect to the remote machine without a password, only with SSH key authentication.
Here is a link: http://linuxproblem.org/art_9.html to help you.
The important steps: (automatic login from host A / user a to Host B / user b.)
a@A:~> ssh-keygen -t rsa
a@A:~> ssh b@B mkdir -p .ssh
a@A:~> cat .ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys'

Shell script to Sudo in Remote Machine and execute commands

#!/bin/csh
ssh -o StrictHostKeyChecking=no xyz123@remotemachine.com
sudo -su rootuser
ksh
. /mydir/setup_env.ksh
ls -ltr
Above is the list of tasks I need to do.
Log in to the remote machine without a password prompt
Run sudo to get access to root
Change shell to ksh
Execute a script (setup_env.ksh)
List files using ls -ltr
When I execute this script from, let's say, localunixmachine.com...
It asks me for a password
Once I enter the password, it will transfer to the remote machine but won't execute the remaining commands
If I exit from the remote session, it will execute the remaining commands.
Can you please guide me on the best way to accomplish what I am trying here?
First, you can copy your SSH public key, which you can generate with ssh-keygen, to authorized_keys on the remote server: root/.ssh/authorized_keys
and then the script will be
ssh root@remotemachine.com "/bin/ksh mydir/setup_env.ksh"
I think this should work for executing multiple commands remotely:
#!/bin/bash
ssh -o StrictHostKeyChecking=no xyz123@remotemachine.com <<EOF
sudo -su rootuser
ksh
. /mydir/setup_env.ksh
ls -ltr
EOF
As for logging in to the server without a password, you need to set up SSH authentication with keys.

Shell scripting for login

Is there any way to log in to another machine specifying the password in the script itself?
ssh-keygen won't work for me, so I need to specify it in the script
#!/bin/sh
ssh root@201.1.192.21 mysqldump -uroot -pxxxxxx > backup/a.sql
You can use expect.
