I'm trying to check if a user who connects to a linux server via SSH is authentificated using Active Directory (Centrify).
In case he uses a local account (located in /etc/passwd), I need to display a warning asking him to use his Active Directory account and then prompt login again.
My first attempt was using PAM module pam_script inside /etc/pam.d/login to execute a script that checks if the current username exists in /etc/passwd whenever a user log in, display a warning if found and call the login command again.
I added the following line to /etc/pam.d/login
session required pam_script.so runas=root
This line execute a script file located in /etc/security/onsessionopen which contain:
#!/bin/sh
username=$1
if [ $(grep -c '^'$username':' /etc/passwd) = 1 ]
then
echo "Warning, please user your AD credentials"
login
fi
But the same scenario didn't work in /etc/pam.d/sshd.
When using SSH the script does run but doesn't display text or prompt for login.
Any thoughts ?
Thank you
o's!
Maybe you can help me with this. I can't find an answer to my specific questions, because there is an obvious solution which I'm not allowed to use. But first things first, the context:
In my company, which is a service provider, we administrate a bunch of
Linux servers. Some of my colleagues has for a long time been running
a BASH script from a source server, that then performs some tasks over
SSH on a number of remote Linux servers. The tasks it performs has to
be executed as root, so what the script does is it authorizes the
source server as root on the remote Linux servers via SSH (the remote
servers has the source servers public SSH key). Then what happened is
a new security policy was enforced and now root login over SSH is
denied. So the mentioned method no longer works.
The solution I keep finding, which we are by policy not allowed to do, is to create an entry in the sudoers file allowing sudo to root without password for the specific user.
This is the terms and they have to obey that. The only procedure that is allowed is to log on to the target server with your personal user, and then sudo su - to root WITH password.
Cocky as I apparently was, I said, "It should be possible to have the script do that automatically", and the management was like "Cool, you do it then!" and now I'm here at Stack Overflow,
because I know this is where bright minds are.
So this is exactly what I want to do with a BASH script, and I do not know if it's possible or how it's done, I really hope you can help me out:
Imagine Bob, he's logged into the source server, and he wants to
execute the script against a target server. Knowing that root over SSH
doesn't work, the authorization part of the script has been upgraded.
When Bob runs the script, it prompts him for his password. The
password is then stored in a variable (encrypted would be amazing) and
the script then logs on the target server as his user (which is
allowed) and then automatically elevates him to root on the target
server using the password he entered on the source server. Now the
script is root and it runs its tasks as usual.
Can it be done with BASH? and how?
UPDATE:
The Script:
## define code to be run on the remote system
remote_script='sudo -S hostname'
## local system
# on the local machine: prompt the user for the password
read -r -p "Enter password for $host: " password
# ...and write the password, followed by a NUL delimiter, to stdin of ssh
ssh -t 10.0.1.40 "$remote_script" < <(printf '%s\0' "$password")
The error:
[worker#source ~]$ sh elevate.sh
Enter password for : abc123
elevate.sh: line 10: syntax error near unexpected token `<'
elevate.sh: line 10: `ssh -t 10.0.1.40 "$remote_script" < <(printf '%s\0' "$password")'
First: Because it exposes plaintext passwords to the remote system (where they can be read by an attacker using diagnostic tools such as strace or sysdig), this is less secure than correctly using the NOPASSWD: flag in sudoers. If your security team aren't absolute idiots, they'll approve a policy exemption (perhaps with some appropriate controls, such as having a dedicated account with access to a setuid binary specific to the command being run, with authentication to that account being performed via public key authentication w/ the private key stored encrypted) rather than approving use of this hack.
Second: Here's your hack.
## define code to be run on the remote system
remote_script='sudo -S remote_command_here'
## local system
# on the local machine: prompt the user for the password
read -r -p "Enter password for $host: " password
# ...and write the password, followed by a NUL delimiter, to stdin of ssh
ssh "$host" "$remote_script" < <(printf '%s\0' "$password")
Allright, this is not the final answer, but I think I'm getting close, with the great help of CharlesDuffy.
So far I can run the script without errors on a remote server, that already has the publickey of my source server. However the command I execute doesn't create a file as I tell it to on the remote system.
However the script seems to run and the password seems to be accepted by the remote system.
Also I have to change in the sudoers on the remote host the line "Defaults requiretty" to "Defaults !requiretty", else it will tell me that I need a TTY to run sudo.
#!/bin/bash
## define code to be run on the remote system
remote_script='sudo -S touch /elevatedfile'
## local system
# on the local machine: prompt the user for the password
read -r -p "Enter password for $host: " password
# ...and write the password, followed by a NUL delimiter, to stdin of ssh
ssh -T 10.0.1.40 "$remote_script" < <(printf '%s\0' "$password")
UPDATE: When I tail /var/log/secure on the remote host I get the following after executing the script, which seems like the password is not being accepted.
May 11 20:15:20 target sudo: pam_unix(sudo:auth): conversation failed
May 11 20:15:20 target sudo: pam_unix(sudo:auth): auth could not identify password for [worker]
May 11 20:15:20 target sshd[3634]: Received disconnect from 10.0.1.39: 11: disconnected by user
May 11 20:15:20 target sshd[3631]: pam_unix(sshd:session): session closed for user worker
What I see on the source server, from where I launch the script:
[worker#source ~]$ bash elevate.sh
Enter password for : abc123
[sudo] password for worker:
[worker#source ~]$
Just make a daemon or cron script running as root, that in turn will check for any new scripts in specified secure location (ie. DB that it only has READ access to), and if they exist, it will download and execute them.
I'm logging into a linux machine with root and after login i have used su - oracle to connect my database. Now I've 2 shell scripts one at root home and one at home/oracle. In the home/oracle I've wrote a script for taking the backup of the database. The script available in the root is nohup ssh oracle#onprem-svcdb /home/oracle/test.sh while running the script its asking the password of the oracle, I don't need it to be like this while running the scripts It doesn't need to ask the password and it needs to run the script in oracle. What I need to do for that??? Can anyone help for this
If I understand corrently, you are getting a password prompt on using a script which connects to your database and executes something. If you dont need a password prompt , you would need to generate public and private keys for ssh for the logged in user , in your linux machine and get it configured in the database. Please have a look at the below link
http://docs.oracle.com/cd/E19253-01/816-4557/sshuser-33/index.html
You can try the below
Let this be you env variables.
---------VARIABLES --------------
export APP_USER=something
export APP_PASS=somepass
export APP_SID=sid
Here is the script with a execute permission.
--------------SCRIPT TO RUN SQL----------
#!/usr/ksh
sqlplus << END_OF_SQL
$APP_USER/$APP_PASS#APP_SID
select * from dual;
END_OF_SQL
exit $?
----------END SCRIPT----------
Source : https://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:142212348066
you could try expect tool:
You will start expect script below, that will start your main sql-script in return and will send oracle password if prompted:
content of /tmp/expect.exp script:
#!/usr/bin/expect -f
# set Variables
set password '***'
set timeout -1
# what to execute
spawn /usr/bin/su oracle -c "/tmp/main_script.sh"
match_max 100000
# Look for passwod prompt
while {1 > 0 } {
expect "*?assword:*"
# Send password aka $password
send -- "$password\r"
}
# send blank line (\r) to make sure we get back to gui
send -- "\r"
expect eof
than your main script will be stored in (or root home, whatever dir you need):
/tmp/main_script.sh content:
su - oracle
drop table; create table; other SQL commands
One disadvantage is - plain text password, stored inside the script
How to install: http://www.cyberciti.biz/tips/execute-commands-on-multiple-hosts-using-expect-tool-part-iii.html
Or you could try to modify visudo , like :
user1 ALL=(user2) NOPASSWD: /bin/bash
where : user1 will be granted "su to user2" without password prompt. You can replace also /bin/bash by ALL and then you could launch any command as user2
On a linux server with different computers: is there a way to see all processes running from a given user on all machines?
Maybe it's too late for the answer, but for the records...
You can get it in this way:
hosts='192.168.1.x 192.168.1.y' # your hosts here
for host in $hosts; do
echo $host:
ssh some_user#$host 'ps -u given_user' # some_user for ssh, given_user for ps
done
In this way, you're creating an ssh session for each host:
ssh ... [user#]hostname [command]
If command is specified, command is executed on the remote host instead
of a login shell.
...and executing ps with the -u option:
-u userlist
Select by effective user ID (EUID) or name.
This selects the processes whose effective user name or ID is in userlist.
I am working in a network having hundreds of servers , I want to know on which server my user id has been logging through terminal .
Is there any linux command exist for this ?
If you have ssh access to all theses machines, try:
for server in `cat serverlist.txt`; do ssh -q -o "BatchMode yes" $server "echo `hostname`" >> serverreport.txt; done
where you replace <username> with the user.
[depending of the implementation of last you may have to adapt parameters for head/tail]
(command adopted using last <username> from Analyzing UID/GID conflicts)