[sudo-users] sudo-users Digest, Vol 187, Issue 4

Larry Becke guyverdh at gmail.com
Sun Oct 7 11:54:58 MDT 2018

You can either setup sudo to allow a specific user to execute a list of 
known commands without password, or you can pass the password through 
standard input by using the -S parameter...

What i've done in the past is place the password into an environment 
variable carried through the ssh command, tied to a specific ssh-key, 
with the "command" set to a job-runner script and the parameter for a 
script to run by the runner.

Note:  When setting ssh session to run commands via ssh keys, make sure 
to use -tt instead of -t for the ssh session.   The double t version 
forces the terminal session to tie to a tty whereas the single t doesn't 
always force it correctly.

It reads the environment variable, destroys it (unset variablename), 
then echos the password to a sudo command to generate the sudo cert 
instantly, then it runs the real job sudo command without password 
requirements as it is within the time limit of the sudo certificate.

Once execution has completed, the ssh session ends.

It sounds more complicated than it is, but it works very well.

On 10/6/2018 1:00 PM, sudo-users-request at sudo.ws wrote:
> Send sudo-users mailing list submissions to
> 	sudo-users at sudo.ws
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://www.sudo.ws/mailman/listinfo/sudo-users
> or, via email, send a message with subject or body 'help' to
> 	sudo-users-request at sudo.ws
> You can reach the person managing the list at
> 	sudo-users-owner at sudo.ws
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of sudo-users digest..."
> Today's Topics:
>     1. Re: Sudo Remote Hosts (Daniele Palumbo)
> ----------------------------------------------------------------------
> Message: 1
> Date: Sat, 6 Oct 2018 02:27:51 +0200
> From: Daniele Palumbo <daniele at retaggio.net>
> To: Johnathan Smith <1johnathan.smith at gmail.com>
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] Sudo Remote Hosts
> Message-ID: <3DF42EF7-3CB0-4073-B7C3-74FC4486BCA5 at retaggio.net>
> Content-Type: text/plain; charset="utf-8"
> Il giorno 02 ott 2018, alle ore 21:48, Johnathan Smith <1johnathan.smith at gmail.com> ha scritto:
>> I was wondering if there are plans for the sudoers policy to support
>> executing commands on a remote host through thr "--host" option.
>> If there are no upcoming plans to implement this option,  alternative
>> suggestions to would be greatly appreciated.
> As already suggested, you may leverage on ssh keys, using sudo to execute commands.
> Or, likely, you wish to use something like puppet, ansible, salt, ... (randomly choosen list).
> Basically, executing something ?off this server? is a matter of automation, not of privilege elevation.
> Have fun,
> Daniele
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 195 bytes
> Desc: Message signed with OpenPGP using GPGMail
> URL: <http://www.sudo.ws/pipermail/sudo-users/attachments/20181006/1a6e7f41/attachment-0001.bin>
> ------------------------------
> Subject: Digest Footer
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> https://www.sudo.ws/mailman/listinfo/sudo-users
> ------------------------------
> End of sudo-users Digest, Vol 187, Issue 4
> ******************************************

More information about the sudo-users mailing list