I am developing an application that connects through ssh to a host and
then tries to launch a command with sudo.
I am using the net/ssh library, and I use the key-rsa authentication to
connect (so no password needed).
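------
require 'net/ssh'

Net::SSH.start(host.name) do |session|
  shell = session.shell.sync
  # Hangs here: sudo is prompting for a password and nothing answers it
  shell.send_command("sudo ps -ef")
  shell.exit
end
end # presumably closes an enclosing block that the post does not show
------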
So the code is locked at the send_command, as the host is waiting for me to
fill in the password. But I don't find any way of filling it in. ".send_data"
doesn't work.
If you are truly using key authentication, you should not be prompted for a
password. Since you are being prompted, you will either need to use a
"here" document or expect to provide the password.
Ron
···
On 8/28/06, Damien Damien <mr.damien@hotmail.com> wrote:
Hi all,
Did I miss something?
The host is waiting for the ssh password or the sudo password? It may not
meet your security requirements, but you could configure sudoers to allow
that one user to run that small number of commands without a password:
The problem is that his script is waiting for the sudo password, not the
ssh password.
You can set the sudoers file to not require a password for certain users
(or groups, or commands, whatever) with the NOPASSWD flag. Check the
sudoers man page for more.
Ben
···
On Mon, Aug 28, 2006, Ron Reidy wrote:
Damien,
If you are truly using key authentication, you should not be prompted for a
password. Since you are being prompted, you will either need to use a
"here" document or expect to provide the password.
Hi all,
Thanks for your answers. The script was waiting for the sudo password.
I thought there was a way to provide the password manually with ruby but
it seems that there is not.
So I modified the sudoers to not ask for a password.
there is a way to pass the password in using sudo. I forget the syntax but the man page should have it. If you're still curious tomorrow, I'll dig up some code I wrote to do exactly this.
Matt
···
On 28-Aug-06, at 12:20 PM, MR Damien wrote:
Hi all,
Thanks for your answers. The script was waiting for the sudo password.
I thought there was a way to provide the password manually with ruby but
it seems that there is not.
So I modified the sudoers to not ask for a password.
FWIW, I can't for the life of me find any options in man sudo (on an
Ubuntu Dapper) which allow the password to be given as an arg. The
only possibility might be the -a option
-a  The -a (authentication type) option causes sudo to use the specified
    authentication type when validating the user, as allowed by
    /etc/login.conf. The system administrator may specify a list of
    sudo-specific authentication methods by adding an "auth-sudo" entry
    in /etc/login.conf. This option is only available on systems that
    support BSD authentication where sudo has been configured with the
    --with-bsdauth option.
This MAY allow it but it seems to require a specific system configuration.
···
On 9/7/06, Matt Rose <mattrose@folkwolf.net> wrote:
there is a way to pass the password in using sudo. I forget the
syntax but the man page should have it. If you're still curious
tomorrow, I'll dig up some code I wrote to do exactly this.
On my system, according to man sudo, -S causes sudo to read the
password from STDIN.
-A
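The `sudo -S` option mentioned above can be combined with the SSH channel's own stdin, so the password never appears in any command string. This is an added Ruby example, not code from anyone in the thread; it uses the channel API of net-ssh 2.x and later (the original post uses the older 1.x shell API), and `sudo_stdin_command`, `sudo_over_ssh` and their parameters are hypothetical names.

```ruby
require 'shellwords'

# Remote command line. -S: read the password from stdin; -p '': no prompt text;
# -k: ignore cached credentials so sudo always consumes the password line.
# Caveat: under a NOPASSWD rule sudo reads nothing, and the line would reach
# the command's own stdin instead.
def sudo_stdin_command(argv)
  "sudo -k -S -p '' -- #{Shellwords.join(argv)}"
end

# Runs argv under sudo on `host`; returns [stdout, stderr, exit_status].
# Key-based SSH login is assumed, as in the original post.
def sudo_over_ssh(host, user, password, argv)
  raise ArgumentError, "password must be a single line" if password.include?("\n")
  require 'net/ssh' # net-ssh gem, loaded only when a connection is made

  out = String.new
  err = String.new
  status = nil
  Net::SSH.start(host, user) do |ssh|
    ssh.open_channel do |channel|
      channel.exec(sudo_stdin_command(argv)) do |ch, success|
        raise "could not start remote command" unless success

        ch.on_data { |_c, data| out << data }
        ch.on_extended_data { |_c, _type, data| err << data }
        ch.on_request("exit-status") { |_c, data| status = data.read_long }
        ch.send_data("#{password}\n") # goes to sudo's stdin, not its argv
        ch.eof!                       # close stdin so nothing waits for more input
      end
    end
    ssh.loop # process events until the channel closes
  end
  [out, err, status]
end
```
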
You can use a here document to pass the password, or use expect.
rr
···
On 9/8/06, Rick DeNatale <rick.denatale@gmail.com> wrote:
On 9/7/06, Matt Rose <mattrose@folkwolf.net> wrote:
> there is a way to pass the password in using sudo. I forget the
> syntax but the man page should have it. If you're still curious
> tomorrow, I'll dig up some code I wrote to do exactly this.
On 9/8/06, Alex LeDonne <aledonne.listmail@gmail.com> wrote:
On 9/7/06, Matt Rose <mattrose@folkwolf.net> wrote:
> there is a way to pass the password in using sudo. I forget the
> syntax but the man page should have it. If you're still curious
> tomorrow, I'll dig up some code I wrote to do exactly this.
>
> Matt
On my system, according to man sudo, -S causes sudo to read the
password from STDIN.
Yep, missed that one.
So:
echo secretPasswd | ssh -S command...
should do the trick
And hope no one does a ps -a at the time and get account pwd.
Might be best to use separate account with sudo privs without need of pwd.
Except this was [implicitly] in the context of executing the command
from within a program.
It's an interesting thought though I'm not even sure that it's an
issue if issued from the command line, this is on linux:
rick@frodo:/public/rubyscripts$ echo hello world | ruby -e "sleep(10);puts readlines.join(' ').chomp" & ps aux | grep hello
[1] 5136
rick 5138 0.0 0.1 2876 808 pts/2 S+ 16:27 0:00 grep hello
rick@frodo:/public/rubyscripts$ hello world
Where the hello world showed up after the command prompt 10 seconds later.
···
On 9/15/06, Thomas <notpublic@not.public> wrote:
Rick DeNatale wrote:
> On 9/8/06, Alex LeDonne <aledonne.listmail@gmail.com> wrote:
>> On 9/7/06, Matt Rose <mattrose@folkwolf.net> wrote:
>> > there is a way to pass the password in using sudo. I forget the
>> > syntax but the man page should have it. If you're still curious
>> > tomorrow, I'll dig up some code I wrote to do exactly this.
>> >
>> > Matt
>>
>> On my system, according to man sudo, -S causes sudo to read the
>> password from STDIN.
>
> Yep, missed that one.
>
> So:
>
> echo secretPasswd | ssh -S command...
>
> should do the trick
>
And hope no one does a ps -a at the time and get account pwd.
Might be best to use separate account with sudo privs without need of pwd.
Sry, was really a backbone answer without thought.
One of the old hazards with using passwords on any kind of command line
is the risk of exposing it. I just never do it to be sure. I do not know
how big the risk really is today with current tools. The good old days were
full of shell scripts with all kinds of obscure environment variables and
other crap.
On the other hand I do not see the problem with invoking it password
free, even if it's within an app. Specific account, ssh logon via
embedded pwd or (even better if supported) keyfile. Sudo without
password. Sounds solid to me without the need to risk/expose anything.
And since you ssh anyway, you don't need to stay in the boundaries of
same account.
Well, perhaps a dead horse anyhow, hope the original issue has been
resolved. This is after all not a Ruby-specific issue but rather a Linux
opinion thingy.
Still learning Ruby, and having lots of fun.
/Thomas
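The `ps` experiment and the question of how exposed a password on a command line really is can be checked directly by reading a process's argv from /proc. This is an added Ruby example, not code from anyone in the thread; it assumes Linux with /proc, and the helper names and the sample secret are constructed.

```ruby
# Constructed sample value; any unique string works.
SECRET = "constructed-s3cret"

# Starts `command` (an argv array) in its own process group, optionally writes
# `stdin_data` to its stdin, and reports whether `secret` can be read from the
# argv of the started process in /proc, which is where `ps` gets it from.
def secret_in_argv?(secret, command, stdin_data: nil)
  rd, wr = IO.pipe
  pid = Process.spawn(*command, in: rd, out: File::NULL, pgroup: true)
  rd.close
  wr.write(stdin_data) if stdin_data
  argv = File.read("/proc/#{pid}/cmdline").split("\0")
  argv.any? { |arg| arg.include?(secret) }
ensure
  wr&.close
  if pid
    begin
      Process.kill("-TERM", pid) # negative signal name: whole process group
    rescue Errno::ESRCH
      # process already gone
    end
    Process.wait(pid)
  end
end

# What a program does when it hands "echo PASSWORD | sudo -S ..." to a shell,
# locally or as a remote exec: the shell runs as `sh -c "<whole string>"`,
# so the secret sits in that shell's argv for as long as it lives.
def exposed_by_echo_pipeline?(secret = SECRET)
  secret_in_argv?(secret, ["sh", "-c", "echo #{secret} | sleep 2"])
end

# The program writes the secret to the child's stdin itself, which is how
# `sudo -S` receives it; the shell's `read` stands in for sudo here.
def exposed_by_stdin_write?(secret = SECRET)
  secret_in_argv?(secret, ["sh", "-c", "read -r pw; sleep 2"],
                  stdin_data: "#{secret}\n")
end

if $PROGRAM_NAME == __FILE__
  puts "echo pipeline via sh -c: #{exposed_by_echo_pipeline?}"
  puts "written to stdin:        #{exposed_by_stdin_write?}"
end
```

An interactive `echo ... |` shows nothing in `ps` because the shell's builtin echo never creates a process carrying those arguments. The exposure appears once the whole pipeline string is passed to `sh -c`, which is what happens when a program or a remote exec runs it.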