
I want to ssh to a remote server and then become its root user to perform some actions like a password change. I am looking for a fully automated interactive ssh session with the remote host so that I can pass multiple interactive commands and see step by step what is going on. I have the following lines of code:

```python
import paramiko
import time

# Connection details are not given in the post; placeholders only.
host = "<host>"
username = "<username>"
password = "<password>"

command1 = "ls"
command2 = 'echo <root password> | sudo su-'  # "su-" as posted (no space before "-")

client = paramiko.client.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(host, username=username, password=password)

# Command 1: works, prints the directory listing
stdin, stdout, stderr = client.exec_command(command1)
print(stdout.read().decode())
stdin.flush()

# Command 2: fails with "sudo: no tty present and no askpass program specified"
stdin, stdout, stderr = client.exec_command(command2)
print(stderr.read().decode())
time.sleep(3)
stdin.flush()

# Command 3: each exec_command() runs in a fresh remote shell
stdin, stdout, stderr = client.exec_command('id')
print(stdout.read().decode())
client.close()
```

It can successfully ssh and display the `ls` stdout. However, for the second command it shows the error `sudo: no tty present and no askpass program specified`. If I modify it using `client.exec_command(command2, get_pty=True)`, I have no clue what happens, as it runs indefinitely. Any help please.

mrin9san
  • `sudo` doesn't read passwords from stdin by default. It reads them direct from the TTY, so it won't see anything coming from a pipeline. (Whether you _have_ a TTY depends on how you're using paramiko, but `sudo` can be configured not to work at all when you don't). – Charles Duffy Sep 27 '22 at 19:57
  • Probably need a space in there for the case that the password may be read from stdin: `sudo su -` – Michael Ruth Sep 27 '22 at 19:59
  • Beyond that, each `exec_command` happens in a new shell independent from the others, so when you run `sudo su -` in one `exec_command` run (which you shouldn't ever do -- `sudo` can do everything `su` can, there's **never** a reason to combine them -- see `sudo -i` and `sudo -l`), the effects of that don't propagate to later `exec_command` runs. – Charles Duffy Sep 27 '22 at 19:59
  • Hi, edited the post, please see once now. – mrin9san Sep 27 '22 at 19:59
  • Yes, the error message in the edit tells you what I told you in my very first comment, that sudo doesn't read passwords from stdin by default and instead expects there to be a TTY. – Charles Duffy Sep 27 '22 at 20:01
  • When you _do_ provide a TTY, it's presumably sitting around waiting for there to be a password written to that TTY device. – Charles Duffy Sep 27 '22 at 20:02
  • ...have you thought about reconfiguring `/etc/sudoers` so you don't need a password for what you're running? Assuming this script is only going to run some specific commands you know are safe, just configure `sudo` to let the specific user you're running with run those specific commands without needing a password. – Charles Duffy Sep 27 '22 at 20:02
  • (of course, at that point you don't need `sudo` at all and can use audited, dedicated-purpose setuid or setgid executables instead -- just make sure you have competent security staff on hand to do that auditing). – Charles Duffy Sep 27 '22 at 20:03
  • (to restate my second comment, in case it wasn't clear: Even if you _do_ use `sudo` or `su` successfully in an `exec_command()` run, when you do another `exec_command()`, it starts a new and different shell, so whatever command it invokes isn't run under `sudo` or `su`'s escalation) – Charles Duffy Sep 27 '22 at 20:20
  • ...the OpenSSH command line equivalent to what you're doing is configuring `ControlMaster` and `ControlSocket` functionality, and then running `ssh somehost command1`, and then later `ssh somehost command2`. Even though ControlMaster makes both commands go over the same transport, they still each run in a different remote shell. – Charles Duffy Sep 27 '22 at 20:21
  • @CharlesDuffy, hi, thanks for the comments, it's not possible to configure `/etc/sudoers`. I changed the command to `su` to check for another Linux distro, now the error changed to `su: must be run from a terminal` as I gave `echo `. Ok, now to come to the second comment, so how to run commands as root then? Should I look deeper into the paramiko docs, something like invoke shell maybe? – mrin9san Sep 27 '22 at 20:39
  • There are approaches you could use, like `expect`-style automation of a long-lived single shell, but I consider almost all of those approaches bad practice. Much better to revisit whatever policy constraints stop you from having a SSH key (potentially locked down to be usable _only_ for the specific commands you need to run) that authenticates you directly to root, or stop you from having customized `/etc/sudoers`, or stops you from having a setuid wrapper around the code you want to remotely execute, etc. – Charles Duffy Sep 27 '22 at 21:27
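An added example (not code from the question or the comments) of the direction the last comments point in: no password piped through stdin, no long-lived `expect`-driven shell, and one `sudo -n` command per `exec_command()`, so a missing NOPASSWD rule fails immediately with a readable error instead of hanging on a TTY prompt. `run_as_root`, `connect`, `SudoError` and `FakeSudoHost` are assumed names; `FakeSudoHost` is a constructed offline stand-in for `SSHClient` so the wrapper can be exercised without a server.

```python
import shlex

class SudoError(RuntimeError):
    """sudo refused: no NOPASSWD rule covers this command for this user."""

def run_as_root(client, argv):
    """Run one argv as root over an open paramiko-style SSHClient.
    Each exec_command() is a fresh remote shell, so the escalation must be part
    of this one command line. `sudo -n` never prompts: with no matching NOPASSWD
    rule it exits non-zero at once instead of hanging on a TTY password prompt."""
    cmd = "sudo -n -- " + " ".join(shlex.quote(a) for a in argv)
    _stdin, stdout, stderr = client.exec_command(cmd)
    out = stdout.read().decode()
    err = stderr.read().decode()
    if stdout.channel.recv_exit_status() != 0:
        raise SudoError(f"{cmd!r} failed: {err.strip()}")
    return out

def connect(host, username, key_filename):
    """Key-based login with host-key verification. paramiko is imported here
    (assumed helper) so the rest of this file runs without a server."""
    import paramiko
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=username, key_filename=key_filename)
    return client

class _Stream:
    """Minimal stand-in for the stdout/stderr objects exec_command() returns."""
    def __init__(self, data, status):
        self._data, self._status, self.channel = data, status, self
    def read(self):
        return self._data
    def recv_exit_status(self):
        return self._status

class FakeSudoHost:
    """Constructed offline substitute for SSHClient. `nopasswd` maps the exact
    command lines a sudoers NOPASSWD rule would allow to their canned output."""
    def __init__(self, nopasswd):
        self.nopasswd = nopasswd
    def exec_command(self, cmd):
        prefix = "sudo -n -- "
        target = cmd[len(prefix):] if cmd.startswith(prefix) else None
        if target in self.nopasswd:
            return None, _Stream(self.nopasswd[target], 0), _Stream(b"", 0)
        return None, _Stream(b"", 1), _Stream(b"sudo: a password is required\n", 1)
```

Against a real host, `connect()` replaces `FakeSudoHost`, and the sudoers rule for the service user lists only the exact commands the script needs.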
