1

I am trying to automate some operations and one of such an operation is switching to a technical user on a remote Linux machine. The procedure looks like this: log in with a "normal" user and then switch with

sudo /bin/rootsh -i -u techUser

to the technical user.

Here's my Groovy code example that I am working on:

import com.jcraft.jsch.JSch
import com.jcraft.jsch.Session
import com.jcraft.jsch.Channel
import com.jcraft.jsch.ChannelExec
import com.jcraft.jsch.JSchException

class Main {
    static void main(String[] args) {
        int responseCode = 0
        String responseText = ""
        def targetHost = "targetHost"
        def targetUser = "targetUser"
        def technicalUser= "technicalUser"
        def targetPass = "targetPass"
        def targetPort = 22
        Properties configConnection = new Properties()
        configConnection.put("StrictHostKeyChecking", "no")
        configConnection.put("PreferredAuthentications", "publickey,keyboard-interactive,password")
        JSch jsch = new JSch()
        try {
            Session targetSession = jsch.getSession(targetUser, targetHost, targetPort)
            targetSession.setPassword(targetPass)
            targetSession.setConfig(configConnection)
            targetSession.connect()
            Channel channel = targetSession.openChannel("exec")
            ((ChannelExec) channel).setCommand("echo 'targetPass' | sudo -S -p /bin/rootsh -i -u technicalUser")
            ((ChannelExec) channel).setPty(true)
            final ByteArrayOutputStream baos = new ByteArrayOutputStream()
            ((ChannelExec) channel).setErrStream(baos)
            channel.setInputStream(null)
            InputStream is = channel.getInputStream()
            channel.connect()
            byte[] tmp = new byte[1024]
            while (true) {
                while (is.available() > 0) {
                    int i = is.read(tmp, 0, 1024)
                    if (i < 0)
                        break
                    responseText = new String(tmp, 0, i)
                }
                if (channel.isClosed()) {
                    responseText = new String(baos.toByteArray())
                    responseCode = channel.getExitStatus()
                    break
                }
                try {
                    Thread.sleep(1000);
                } catch (Exception ee) {
                    println("[ERROR] " + ee.getMessage())
                }
            }
            channel.disconnect()
            targetSession.disconnect()
            println("RESULT:  code: " + responseCode + ", text: \"" + responseText + "\"")
        } catch (JSchException e) {
            println("[ERROR] Exception, problem with connection: " + e.getMessage())
        }
    }
}

The result is:

RESULT:  code: 1, text: ""

When I set to

((ChannelExec) channel).setPty(false)

the result is:

RESULT:  code: 1, text: "/bin/rootshSorry, user targetUser is not allowed to execute '/bin/bash' as technicalUser on targetHost."

When I remove the password from the following line:

((ChannelExec) channel).setCommand("echo '' | sudo -S -p /bin/rootsh -i -u technichalUser")

The result is:

RESULT:  code: 1, text: "/bin/rootsh/bin/rootsh
Sorry, try again.
/bin/rootsh
/bin/rootsh
sudo: pam_authenticate: Authentication information cannot be recovered"

And when I set the following command:

((ChannelExec) channel).setCommand("sudo -S -p /bin/rootsh -i -u technichalUser")

There is no response at all as the process is running all the time (the process is waiting for password maybe)

If someone has already solved such an issue or a similar one, I would really appriciate any help.

Brandon X.
  • 85
  • 1
  • 10

1 Answers1

1

You cannot pass a password to sudo with input redirection, at least not with the default configuration.

Hence, this cannot work:

echo 'targetPass' | sudo -S -p /bin/rootsh -i -u technicalUser`

Did you even try it in the interactive terminal? I assume it would not work there either.

You have to write the password to the channel input stream (called "output stream" in JSch).

See the official JSch Sudo example.

You may need to enable TTY/PTY. See Use JSch sudo example and Channel.setPty for running sudo command on remote host.

Community
  • 1
  • 1
Martin Prikryl
  • 188,800
  • 56
  • 490
  • 992
  • Many thanks for a comprehensive explanation. The project has been cancelled so that I didn't continue the investigation on this issue. I suppose the tips you gave would help me with this, that's why I marked your answer as solution to this issue. I hope your tips will help other users. – Brandon X. Aug 28 '18 at 10:16