1 |
On Thursday, 14 July 2022 17:30:28 CEST Grant Taylor wrote: |
2 |
> On 7/14/22 12:35 AM, J. Roeleveld wrote: |
3 |
> > Hi All, |
4 |
> |
5 |
> Hi, |
6 |
> |
7 |
> > I am looking for a way to login to a host and automatically change |
8 |
> > to root using a password provided by an external program. |
9 |
> |
10 |
> Please clarify if you want to /require/ a password? |
11 |
|
12 |
Yes. |
13 |
|
14 |
> I can think of some options that would authenticate, thus avoiding |
15 |
> sudo's NOPASSWD:, but not prompt for a password. I want to know if |
16 |
> those types of options are on the table or if they should be discarded. |
17 |
|
18 |
How would it not prompt for a password. I need something that will take the |
19 |
password from the vault (I can do this in Python and shell-scripting. Probably |
20 |
also in other scripts). Authenticating to the vault can be done on a session |
21 |
basis and shared. So locally, I'd only login once. |
22 |
|
23 |
> > The root passwords are stored in a vault and I can get passwords out |
24 |
> > using a script after authenticating. |
25 |
> |
26 |
> Okay. |
27 |
> |
28 |
> > Currently, I need to do a lot of the steps manually: |
29 |
> > ssh <user>@<host> |
30 |
> > su - |
31 |
> |
32 |
> You could alter that slightly to be: |
33 |
> |
34 |
> ssh <user>@<host> su - |
35 |
> |
36 |
> That would combine the steps into one. |
37 |
> |
38 |
> > (copy/paste password from vault) |
39 |
> |
40 |
> Are you actually copying & pasting the password? Or will you be using |
41 |
> something to retrieve the password from the vault and automatically |
42 |
> provide it to su? |
43 |
|
44 |
Currently, yes. I never physically see the password as it currently goes into |
45 |
the clipboard and gets wiped from there after a short time period. Enough time |
46 |
to paste it into the password-prompt. It's the copy/pasting that I am looking |
47 |
to automate into a single "login-to-remote-host" script. |
48 |
|
49 |
> I think that removing the human's need ~> ability to copy & paste would |
50 |
> close some security exposures. |
51 |
> |
52 |
> Aside: This remove the human's ability to copy ~> know the password |
53 |
> from the mix as a security measure can be a slippery slope and I |
54 |
> consider it to be questionable at best. -- Conversely, doing it on |
55 |
> behalf of the human with a password that they know simply as automation |
56 |
> is fine. |
57 |
> |
58 |
> > I would like to change this to: |
59 |
> > <some-script> <host> |
60 |
> |
61 |
> I think that's doable. I've done a lot of that. I'll take it one step |
62 |
> further and put "<some-script> <host>" in a for loop to do my bidding on |
63 |
> a number of systems. |
64 |
> |
65 |
> I think the "ssh <user>@<host> su -" method might be a bit cleaner from |
66 |
> a STDIN / TTY / FD perspective. |
67 |
> |
68 |
> > Does anyone have any hints on how to achieve this without adding a |
69 |
> > "NOPASSWD" entry into /etc/sudoers ? |
70 |
> |
71 |
> Flag on the play: You've now mixed privilege elevation mechanism. You |
72 |
> originally talked about "su" and now you're talking about "sudo". They |
73 |
> are distinctly different things. Though admittedly they can be used in |
74 |
> concert with each other. |
75 |
> |
76 |
> If you are using SSH keys /and/ sudo, then I'd recommend that you |
77 |
> investigate authenticating to sudo via (forwarded) SSH keys. This means |
78 |
> that your interactions with sudo are /always/ authenticated *and* done |
79 |
> so without requiring an interactive prompt. |
80 |
|
81 |
I prefer not to use SSH keys for this as they tend to exist for years in my |
82 |
experience. And one unnoticed leak can open up a lot of systems. |
83 |
This is why I use passwords. (passwords are long random strings that are |
84 |
changed regularly) |
85 |
|
86 |
> > Thanks in advance, |
87 |
> |
88 |
> There's more than a little bit here. There are a number of ways that |
89 |
> this could go. |