[sudo-users] Password handling through remote SSH session

[Gabe Alford]

On Wed, Aug 14, 2019 at 1:09 PM Todd C. Miller <Todd.Miller at sudo.ws> wrote:

> On Wed, 14 Aug 2019 12:10:20 -0600, Gabe Alford wrote:
>
> > I have a QT application that logs into a remote machine through SSH. I
> need
> > to handle password authentication in sudo to run administrative commands.
> > What's the best way of handling a password prompt remotely with sudo? I
> > would like to have the QT application just pass the password to sudo in
> > some way so there is still human interaction involved. Just not sure what
> > is the best way or if there is a programatic way.
>
> One option would be to use sudo's -S option that reads the passsword
> from the standard input instead of /dev/tty.
>
> However, if you can make use of the "askpass" method that is probably
> better.  To do this, you set the SUDO_ASKPASS environment variable
> to the path of a helper program and run sudo with the -A flag.  If
> a password is required, sudo will run the helper program specified
> in SUDO_ASKPASS as the invoking user.
>
> The helper receives the prompt as its only argument and it should
> write the password to the standard output.  This is similar to the
> ssh askpass functionality and the same helper program should work
> with either one.
>

Sorry for the delayed response. Got distracted with other assignments.

Correct me if I am wrong (probably am), but doesn't SUDO_ASKPASS have to be
set on the remote host?
Wouldn't that require the DISPLAY environment variable to be set if needing
to have a graphical prompt?
As I cannot guarantee that DISPLAY would be set or X allowing remote
displays, would my only option
then be to use something like Popen and sudo's -S option?
Asking out of my own ignorance of all the ways to use and configure sudo.


>  - todd
>