| 1 |
On Thursday, 14 July 2022 17:30:28 CEST Grant Taylor wrote: |
| 2 |
> On 7/14/22 12:35 AM, J. Roeleveld wrote: |
| 3 |
> > Hi All, |
| 4 |
> |
| 5 |
> Hi, |
| 6 |
> |
| 7 |
> > I am looking for a way to login to a host and automatically change |
| 8 |
> > to root using a password provided by an external program. |
| 9 |
> |
| 10 |
> Please clarify if you want to /require/ a password? |
| 11 |
|
| 12 |
Yes. |
| 13 |
|
| 14 |
> I can think of some options that would authenticate, thus avoiding |
| 15 |
> sudo's NOPASSWD:, but not prompt for a password. I want to know if |
| 16 |
> those types of options are on the table or if they should be discarded. |
| 17 |
|
| 18 |
How would it not prompt for a password. I need something that will take the |
| 19 |
password from the vault (I can do this in Python and shell-scripting. Probably |
| 20 |
also in other scripts). Authenticating to the vault can be done on a session |
| 21 |
basis and shared. So locally, I'd only login once. |
| 22 |
|
| 23 |
> > The root passwords are stored in a vault and I can get passwords out |
| 24 |
> > using a script after authenticating. |
| 25 |
> |
| 26 |
> Okay. |
| 27 |
> |
| 28 |
> > Currently, I need to do a lot of the steps manually: |
| 29 |
> > ssh <user>@<host> |
| 30 |
> > su - |
| 31 |
> |
| 32 |
> You could alter that slightly to be: |
| 33 |
> |
| 34 |
> ssh <user>@<host> su - |
| 35 |
> |
| 36 |
> That would combine the steps into one. |
| 37 |
> |
| 38 |
> > (copy/paste password from vault) |
| 39 |
> |
| 40 |
> Are you actually copying & pasting the password? Or will you be using |
| 41 |
> something to retrieve the password from the vault and automatically |
| 42 |
> provide it to su? |
| 43 |
|
| 44 |
Currently, yes. I never physically see the password as it currently goes into |
| 45 |
the clipboard and gets wiped from there after a short time period. Enough time |
| 46 |
to paste it into the password-prompt. It's the copy/pasting that I am looking |
| 47 |
to automate into a single "login-to-remote-host" script. |
| 48 |
|
| 49 |
> I think that removing the human's need ~> ability to copy & paste would |
| 50 |
> close some security exposures. |
| 51 |
> |
| 52 |
> Aside: This remove the human's ability to copy ~> know the password |
| 53 |
> from the mix as a security measure can be a slippery slope and I |
| 54 |
> consider it to be questionable at best. -- Conversely, doing it on |
| 55 |
> behalf of the human with a password that they know simply as automation |
| 56 |
> is fine. |
| 57 |
> |
| 58 |
> > I would like to change this to: |
| 59 |
> > <some-script> <host> |
| 60 |
> |
| 61 |
> I think that's doable. I've done a lot of that. I'll take it one step |
| 62 |
> further and put "<some-script> <host>" in a for loop to do my bidding on |
| 63 |
> a number of systems. |
| 64 |
> |
| 65 |
> I think the "ssh <user>@<host> su -" method might be a bit cleaner from |
| 66 |
> a STDIN / TTY / FD perspective. |
| 67 |
> |
| 68 |
> > Does anyone have any hints on how to achieve this without adding a |
| 69 |
> > "NOPASSWD" entry into /etc/sudoers ? |
| 70 |
> |
| 71 |
> Flag on the play: You've now mixed privilege elevation mechanism. You |
| 72 |
> originally talked about "su" and now you're talking about "sudo". They |
| 73 |
> are distinctly different things. Though admittedly they can be used in |
| 74 |
> concert with each other. |
| 75 |
> |
| 76 |
> If you are using SSH keys /and/ sudo, then I'd recommend that you |
| 77 |
> investigate authenticating to sudo via (forwarded) SSH keys. This means |
| 78 |
> that your interactions with sudo are /always/ authenticated *and* done |
| 79 |
> so without requiring an interactive prompt. |
| 80 |
|
| 81 |
I prefer not to use SSH keys for this as they tend to exist for years in my |
| 82 |
experience. And one unnoticed leak can open up a lot of systems. |
| 83 |
This is why I use passwords. (passwords are long random strings that are |
| 84 |
changed regularly) |
| 85 |
|
| 86 |
> > Thanks in advance, |
| 87 |
> |
| 88 |
> There's more than a little bit here. There are a number of ways that |
| 89 |
> this could go. |
Archives