[sudo-users] Make sudo -S work with ssh -T

Glen Huang heyhgl at gmail.com
Thu Jun 23 19:51:52 MDT 2022


Thanks for the quick reply, Todd.

> On Jun 23, 2022, at 9:49 PM, Todd C. Miller <Todd.Miller at sudo.ws> wrote:
> 
> What version of sudo are you running?

I’m using the sudo that comes with Debian bullseye; sudo -V says

Sudo version 1.9.5p2
Sudoers policy plugin version 1.9.5p2
Sudoers file grammar version 48
Sudoers I/O plugin version 1.9.5p2
Sudoers audit plugin version 1.9.5p2

(I know I probably shouldn’t continue to pursue this way of providing the password, but please indulge my curiosity.)

I missed the part about switching to ppid when tty isn’t available, thank you for letting me know.

This is my sudoers:

Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# User privilege specification
root	ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

@includedir /etc/sudoers.d

where /etc/sudoers.d is empty (it contains only a README consisting of comments).

> Here's what I see with the latest version of sudo:

It’s pretty strange that my remote machine prompted for a password. I tried this:

ssh -T $host 'echo $SHELL'

and it said /bin/bash. So the two sudo invocations should live inside the same shell. Could my ssh config somehow be at fault here? But it’s a pretty simple one:

Include /etc/ssh/sshd_config.d/*.conf

# Only allow publickey logging in from users
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

where /etc/ssh/sshd_config.d is also empty.

> I wouldn't recommend doing it that way

Could you recommend a secure way to provide the password when using sudo with rsync in an unattended way? I read somewhere that giving rsync NOPASSWD means giving NOPASSWD to the ability to setuid root on any file, which I’m not comfortable with.

I’m aware of askpass, but that approach seems to require me to upload the password into a local file (if doing it in a direct way) and delete that file once the script finishes, which seems brittle (e.g., the script fails or forgets to delete it).

Regards,
Glen
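The concern raised in the message above (an unrestricted NOPASSWD rule for rsync amounts to root access to any file) is usually addressed not by smuggling a password across ssh but by granting NOPASSWD only to a small wrapper that checks rsync's server-side arguments before handing root to the real binary. The script below is an added example written for this editorial pass; it is not code from the thread, from Todd, or from the sudo or rsync projects. The install path /usr/local/sbin/rsync-server-wrapper, the account name "backup", the sudoers line in the header comment, the tree /srv/backup and the short allowlist of long options are all assumptions for illustration.

```shell
#!/bin/sh
# rsync-server-wrapper: constructed example, not code from the sudo-users thread.
# Assumed deployment (every path and name here is an assumption):
#   - installed root-owned, mode 0755, at /usr/local/sbin/rsync-server-wrapper
#   - sudoers rule for the unprivileged account "backup":
#       backup ALL=(root) NOPASSWD: /usr/local/sbin/rsync-server-wrapper --server *
#   - the client runs: rsync --rsync-path="sudo /usr/local/sbin/rsync-server-wrapper" ...
# A sudoers '*' wildcard matches across argument boundaries, so sudo only pins the
# program and its first argument; every other argument is checked here before root
# privilege is passed on to rsync.

ALLOWED_ROOT="/srv/backup"      # assumed: the only tree rsync may read or write as root
RSYNC="/usr/bin/rsync"          # assumed location of the real rsync binary

# validate_args: return 0 only when "$@" is an rsync --server command line of the shape
#   --server [--sender] -<flag cluster> [allowed long options] . <path>
# with <path> inside ALLOWED_ROOT. Any deviation returns 1 with a reason on stderr.
validate_args() {
    if [ "$1" != "--server" ]; then
        echo "wrapper: refusing: not an rsync --server invocation" >&2; return 1
    fi
    shift
    # --sender means the remote side sends (client pulls); absent means the client pushes.
    if [ "$1" = "--sender" ]; then shift; fi

    # The short-option cluster rsync builds, e.g. -logDtpre.iLsfxC: one dash followed
    # only by letters and dots. A missing cluster or an injected long option fails here.
    case "${1#-}" in
        "$1"|""|*[!A-Za-z.]*)
            echo "wrapper: refusing: unexpected option cluster '$1'" >&2; return 1 ;;
    esac
    shift

    # Long options the client may forward to the server side (e.g. via -M/--remote-option).
    # Keep this list minimal; --log-file, --rsync-path and friends are deliberately absent.
    while [ $# -gt 2 ]; do
        case "$1" in
            --delete|--delete-during|--numeric-ids) shift ;;
            *) echo "wrapper: refusing: option not allowed '$1'" >&2; return 1 ;;
        esac
    done

    # What remains must be the '.' placeholder and the server-side path.
    if [ "$1" != "." ]; then
        echo "wrapper: refusing: expected '.' before path, got '$1'" >&2; return 1
    fi
    path=$2
    case "$path" in
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) ;;
        *) echo "wrapper: refusing: path '$path' is outside $ALLOWED_ROOT" >&2; return 1 ;;
    esac
    case "/$path/" in
        */../*) echo "wrapper: refusing: '..' component in path '$path'" >&2; return 1 ;;
    esac
    return 0
}

# Entry point: only when rsync actually passed arguments, validate them and exec the real rsync.
if [ $# -gt 0 ]; then
    validate_args "$@" || exit 1
    exec "$RSYNC" "$@"
fi
```

Before relying on the allowlist, capture what your own client actually sends (for instance by temporarily logging "$@" from the wrapper to a root-only file), because the server-side argument layout varies with the rsync version and the client options in use; a transfer with several source paths, for example, would need the trailing-path check extended. The wrapper still runs rsync as root, so the directory it is confined to should contain nothing that an rsync write could turn into a privilege escalation elsewhere.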
