[sudo-users] Make sudo -S work with ssh -T

Todd C. Miller Todd.Miller at sudo.ws
Thu Jun 23 07:49:35 MDT 2022


On Thu, 23 Jun 2022 13:03:24 +0800, Glen Huang wrote:

> However, if I simply change -t to -T
>
> ssh -T $host 'echo pw | sudo -Sv && sudo echo 1'
>
> sudo complains
>
> sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
> sudo: a password is required
>
> It seems in the latter case, the first sudo’s successful auth didn’t get
> extended to the second sudo.

Without a terminal, older versions of sudo can't associate the first
successful auth with the second sudo when timestamp_type is set to
"tty" (or when the "tty_tickets" option is enabled), which is the
default.  For sudo 1.8.22 and higher, sudo will use the parent
process ID to associate the timestamp record with related sudo
processes when no terminal is present.

Here's what I see with the latest version of sudo:

$ ssh -T localhost 'echo test123 | sudo -Sv && sudo echo 1'
Password: 1

What version of sudo are you running?

> The real issue I’m trying to solve is to allow rsync to use sudo without
> having to give it NOPASSWD:
>
> rsync --rsync-path 'echo pw | sudo -Sv && sudo rsync' $host:/

I wouldn't recommend doing it that way; your password would be
visible in the output of "ps" on both the client and server.

 - todd
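
Added example, not part of the original message: a POSIX shell check of whether a sudo version is at least 1.8.22, the release from which the reply says the parent process ID is used to associate timestamp records when no terminal is present. The function names are hypothetical, and the version strings are constructed samples in the format of the first line of `sudo -V`.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.

# parse_sudo_version "Sudo version 1.8.21p2" prints "1 8 21".
# Accepts the full multi-line output of `sudo -V`; only the first line
# containing a dotted triple is used, and a patch suffix such as "p2" is dropped.
parse_sudo_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p' |
        head -n 1
}

# Returns 0 if the version is >= 1.8.22, 1 if it is older,
# and 2 if no version number could be parsed.
sudo_has_ppid_timestamps() {
    # Intentional word splitting: the parser prints three numeric fields.
    set -- $(parse_sudo_version "$1")
    [ "$#" -eq 3 ] || return 2
    if [ "$1" -gt 1 ]; then return 0; fi
    if [ "$1" -lt 1 ]; then return 1; fi
    if [ "$2" -gt 8 ]; then return 0; fi
    if [ "$2" -lt 8 ]; then return 1; fi
    if [ "$3" -ge 22 ]; then return 0; fi
    return 1
}

# Constructed sample strings, in the format of the first line of `sudo -V`.
for v in "Sudo version 1.8.21p2" "Sudo version 1.8.22" "Sudo version 1.9.11p3"; do
    if sudo_has_ppid_timestamps "$v"; then
        echo "$v: timestamp record can be keyed by parent PID when there is no tty"
    else
        echo "$v: with tty-based timestamps, a second sudo under 'ssh -T' asks again"
    fi
done
```

On a real host, pass the output of `sudo -V` as the single argument, for example `sudo_has_ppid_timestamps "$(sudo -V)"`.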

