1

I am trying to write a bash script to log in over ssh and then log in to sudo.

SSH login works fine, but I am facing a problem while logging in to sudo. This is my command:

ssh -tt empId@env.linuxbox.com << EOF
echo "Password\n" | sudo -S su - airbust 
cd ../builds
EOF

i) I am getting the error as Empty Password is provided

ii) The userName which I provided is 'airbust' whereas it's taking userName as 'empId'

S su - airbustpost-lapp1941(Linux-RENO::TEST):/tmp]$ echo "Password\n" | sudo - 
[sudo] password for : Sorry, try again.
[sudo] password for empId: 
sudo: no password was provided
sudo: 1 incorrect password attempt
Vijay Manohar
  • Does this answer your question? [How to supply sudo with password from script?](https://stackoverflow.com/questions/24892382/how-to-supply-sudo-with-password-from-script) – Nico Haase Apr 26 '21 at 14:16
  • Or this? https://stackoverflow.com/questions/233217/how-to-pass-the-password-to-su-sudo-ssh-without-overriding-the-tty – Nico Haase Apr 26 '21 at 14:16
  • @NicoHaase I can't use visudo because I can't hardcode my password in a file. Also I tried echo myPassword | sudo -S su - airbust which is similar to sudo -S ls /tmp. But Switch User is not executing like the ls command. So I am still facing the problem – Vijay Manohar Apr 26 '21 at 14:39
  • Note, when you run `sudo` you have to provide the password of the current user, so in your case sudo wants empId's password. – meuh Apr 26 '21 at 15:54
  • @meuh when I run it manually in a terminal, I provide the password of airbust. Ex: sudo su - airbust ; [sudo] password for airbust: Password – Vijay Manohar Apr 26 '21 at 15:59

2 Answers

0

First off, is your 'airbust' user permitted to use sudo? You did not mention if it was working on your target system.

If not, everything is going to fail anyways. If I recall, sudo will even prompt for a password if you are not a permitted user or group and tell you afterwards that you don't have permissions to use sudo. You might need to check the settings in /etc/sudoers and the includes in /etc/sudoers.d, and configure a group with some commands. The /etc/sudoers file actually has some commented setups that you can easily massage to your needs.

I got an analog of the scenario working using the bash built-in 'read'. Here is the short script that worked for me.

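#!/bin/bash
# Prompt without echoing the input; -r keeps backslashes in it literal.
read -r -s -p "pass? "
sudopas=${REPLY}; unset REPLY
# Alternative (disabled): hand the password to sudo on stdin.
#echo "$sudopas" | $(which sudo) --stdin ls -l /root/tmp
$(which sudo) ls -l /root/tmp
unset sudopas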

To break this down: the read command grabs the password from the user through the 'pass?' prompt, and that string is dumped into a variable. The $REPLY variable is unset (cleared). Then run sudo with the command we want. Then the variable containing the password is unset.

And when you run the command from another host:

$ ssh -t REMOTE_HOST '/bin/sh test.sh'
pass? total 0
-rw-r--r-- 1 root root 0 Apr 27 14:38 file1
-rw-r--r-- 1 root root 0 Apr 27 14:38 file2
-rw-r--r-- 1 root root 0 Apr 27 14:38 file3
-rw-r--r-- 1 root root 0 Apr 27 14:38 file4
Connection to REMOTE_HOST closed.

The ssh command line calls /bin/sh to execute the script. Using 'sudo --stdin' does work as well, but seems like it's unnecessary since sudo already has that function. Using the 'sudo -t' flag should

Note that I have key based auth set up for my user between my testing hosts, hence no user and no password prompt for ssh. My user is in a primary group that is allowed to run commands using 'sudo', configured through /etc/sudoers.

z0th
  • I can hardcode the sudo password in the script itself. After the sudo login action is performed, I want to perform some operations on the Linux box; that's what I need help with – Vijay Manohar May 08 '21 at 02:02
0

You can make use of expect to automate it. You only have to install it on your computer. Below is a small script that will automatically log in, execute sudo -S su -c 'whoami' and insert the password.

#! /bin/bash

USER=user
HOST=server.org

read -s -p "Password  : " PASS
echo

expect 2>&1 <<-EOF
                set timeout -1
                spawn ssh ${USER}@${HOST}
                expect {
                        "yes/no" { send "yes\r"; exp_continue }
                        "*password: " { send "${PASS}\r" }
                }
                expect "*$ " { send "sudo -S su -c 'whoami'\r" }
                expect "*password for ${USER}: " { send "${PASS}\r" }
                expect "*$ " { send "exit 0\r" }
                expect eof
                catch wait result
                exit [lindex \$result 3]
EOF
exit $?

Additionally, with this code there is no need to echo a password to sudo over the command line that will be part of your bash history. Instead, the password is sent by expect over ssh to sudo just as a human would type it.

Example output:

$ ./expect.sh 

Password  : spawn ssh user@server.org
user@server.org's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 11 14:52:17 2021 from <some ip>
user@server:~$ sudo -S su -c 'whoami'
[sudo] password for user: 
root
user@server:~$ exit 0
logout
Connection to server.org closed.
$
Bayou
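
One way to combine the points in this thread, as an added example that is not code from the question or either answer: the password reaches `sudo -S` on ssh's standard input rather than on a command line, and the commands run as the target user through `sudo -u` instead of an interactive `su -`. By default sudo asks for the password of the invoking user (empId here), as meuh's comment says; the function names `shquote`, `remote_cmd`, `run_as` and `read_secret` are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the question or the answers.
# Host and user names are the ones used in the question.

# shquote STRING: print STRING single-quoted for a POSIX shell ('  ->  '\'').
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# remote_cmd TARGET SNIPPET: command line for the remote login shell.
#   -S  read the password from stdin    -p ""  print no prompt
#   -u  run as TARGET                   -H     set HOME to TARGET's home
remote_cmd() {
    printf 'sudo -S -p "" -u %s -H -- sh -c %s' \
        "$(shquote "$1")" "$(shquote "$2")"
}

# run_as LOGIN@HOST TARGET SNIPPET: the password arrives on this function's
# stdin. No -t/-tt: stdin stays a plain pipe, so no tty echoes the password
# back, and the snippet travels as one argument instead of being typed into
# an interactive shell.
run_as() {
    ssh "$1" "$(remote_cmd "$2" "$3")"
}

# read_secret PROMPT: read one line from the terminal with echo switched off
# and print it on stdout, so it never appears in argv or shell history.
read_secret() {
    printf '%s' "$1" >/dev/tty
    stty -echo </dev/tty
    IFS= read -r secret </dev/tty
    stty echo </dev/tty
    printf '\n' >/dev/tty
    printf '%s\n' "$secret"
}

# Usage: ./run_as.sh empId@env.linuxbox.com airbust 'cd "$HOME/../builds" && ls'
if [ "$#" -eq 3 ]; then
    read_secret "sudo password for the SSH login user: " | run_as "$1" "$2" "$3"
fi
```

If the remote sudoers policy sets `requiretty`, sudo refuses to run without a terminal and this non-tty form will not work.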