How to run sudo commands remotely via ssh -t?

Question

I have a script that logs into a remote host via ssh -t and uses sudo service foo restart.

The requirement is to avoid the prompt for a password on the remote host. The remote host authenticates via SSH certificate. The sudoers file on the remote host allows that user to execute the service command with NOPASSWD.

However, during my tests, I'm prompted for a password and this is unacceptable. If I run this manually without the -t flag, it works. However the -t flag throws everything off.

Is there a way around this?

What do the authentication logs say? Typically `auth.log` or `secure` in `/var/log`. — jordanm, Jun 26 '13 at 02:10
Are you sure that `NOPASSWD` is set? Remember that [only the last match in `sudoers` counts](http://unix.stackexchange.com/questions/18830/how-to-run-a-specific-program-as-root-without-a-password-prompt). Also remember that if `sudo` doesn't prompt you for a password, it can be because of the cache, so make sure to flush it before each test with `sudo -k`. — Gilles 'SO- stop being evil', Jun 26 '13 at 23:39
What is the contents of the `NOPASSWD` line? Why is `-t` needed? Another option is to create a key for just that command, going directly to root , and use the `command=""` parameter in the `authorized_keys` file. (passswordless SSH keys allowing for a full root login can be a huge security risk...) — Gert van den Berg, Nov 02 '16 at 09:29

score 4 · Answer 1 · answered Jun 26 '13 at 15:26

Maybe disabling the requiretty option in sudoers and running ssh without the -t flag (or with -T) works.

Add something like this to sudoers (untested):

Defaults:{your ssh user} !requiretty

Combine that with the NOPASSWD you're already using and you should be able to run the sudo command without a pseudo-tty allocated.

You could also change requiretty for the command instead of the user.

score 0 · Answer 2 · answered May 19 '16 at 07:23

0

For me worked fine like this, but with notice about: Pseudo-terminal will not be allocated because stdin is not a terminal

ssh -t username@hostname1 << 'EOS'
sudo sh
hostname
EOS

Pseudo-terminal will not be allocated because stdin is not a terminal.
hostname1

answered May 19 '16 at 07:23

Ragnar Lodbrog

105
6

But you need key pair for it, if key pair with passphrase, you can use keychain – Ragnar Lodbrog May 19 '16 at 07:27

score 0 · Answer 3 · edited Jun 26 '13 at 14:17

0

Generate an SSH key and transfer it to the remote host.

Use the following command to generate an RSA SSH key

[root@localhost ~] ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):  Hit ENTER
Enter passphrase (empty for no passphrase): Hit ENTER
Enter same passphrase again: Hit ENTER

Find /root/.ssh/id_rsa.pub and transfer that key to remote using the following command:
```
ssh-copy-id -i /root/.ssh/id_rsa.pub root@remote:/root
```

Now try to login; it won't ask for your remote password.

edited Jun 26 '13 at 14:17

Michael Mrozek

91,316
38
238
232

answered Jun 26 '13 at 08:21

HamTheAstroChimp

190
2
12

We already have the ssh keys in their proper place. That part works. There's something about how ssh -t created a pseudotty that is affecting my ability to execute sudo commands where the user has NOPASSWD enabled. What's happening is that this script logs into a server, parses a list of severs that are our middleware servers, then does a ssh -t "sudo service middleware restart" operation via shell script. The problem is that when the script iterates through the list, user is prompted for password despite NOPASSWD set in the sudoers file. – dperry1973 Jun 26 '13 at 12:22

How to run sudo commands remotely via ssh -t?

3 Answers3