| 1 |
On 7/14/22 12:35 AM, J. Roeleveld wrote: |
| 2 |
> Hi All, |
| 3 |
|
| 4 |
Hi, |
| 5 |
|
| 6 |
> I am looking for a way to login to a host and automatically change |
| 7 |
> to root using a password provided by an external program. |
| 8 |
|
| 9 |
Please clarify if you want to /require/ a password? |
| 10 |
|
| 11 |
I can think of some options that would authenticate, thus avoiding |
| 12 |
sudo's NOPASSWD:, but not prompt for a password. I want to know if |
| 13 |
those types of options are on the table or if they should be discarded. |
| 14 |
|
| 15 |
> The root passwords are stored in a vault and I can get passwords out |
| 16 |
> using a script after authenticating. |
| 17 |
|
| 18 |
Okay. |
| 19 |
|
| 20 |
> Currently, I need to do a lot of the steps manually: |
| 21 |
> ssh <user>@<host> |
| 22 |
> su - |
| 23 |
|
| 24 |
You could alter that slightly to be: |
| 25 |
|
| 26 |
ssh <user>@<host> su - |
| 27 |
|
| 28 |
That would combine the steps into one. |
| 29 |
|
| 30 |
> (copy/paste password from vault) |
| 31 |
|
| 32 |
Are you actually copying & pasting the password? Or will you be using |
| 33 |
something to retrieve the password from the vault and automatically |
| 34 |
provide it to su? |
| 35 |
|
| 36 |
I think that removing the human's need ~> ability to copy & paste would |
| 37 |
close some security exposures. |
| 38 |
|
| 39 |
Aside: This remove the human's ability to copy ~> know the password |
| 40 |
from the mix as a security measure can be a slippery slope and I |
| 41 |
consider it to be questionable at best. -- Conversely, doing it on |
| 42 |
behalf of the human with a password that they know simply as automation |
| 43 |
is fine. |
| 44 |
|
| 45 |
> I would like to change this to: |
| 46 |
> <some-script> <host> |
| 47 |
|
| 48 |
I think that's doable. I've done a lot of that. I'll take it one step |
| 49 |
further and put "<some-script> <host>" in a for loop to do my bidding on |
| 50 |
a number of systems. |
| 51 |
|
| 52 |
I think the "ssh <user>@<host> su -" method might be a bit cleaner from |
| 53 |
a STDIN / TTY / FD perspective. |
| 54 |
|
| 55 |
> Does anyone have any hints on how to achieve this without adding a |
| 56 |
> "NOPASSWD" entry into /etc/sudoers ? |
| 57 |
|
| 58 |
Flag on the play: You've now mixed privilege elevation mechanism. You |
| 59 |
originally talked about "su" and now you're talking about "sudo". They |
| 60 |
are distinctly different things. Though admittedly they can be used in |
| 61 |
concert with each other. |
| 62 |
|
| 63 |
If you are using SSH keys /and/ sudo, then I'd recommend that you |
| 64 |
investigate authenticating to sudo via (forwarded) SSH keys. This means |
| 65 |
that your interactions with sudo are /always/ authenticated *and* done |
| 66 |
so without requiring an interactive prompt. |
| 67 |
|
| 68 |
> Thanks in advance, |
| 69 |
|
| 70 |
There's more than a little bit here. There are a number of ways that |
| 71 |
this could go. |
| 72 |
|
| 73 |
|
| 74 |
|
| 75 |
-- |
| 76 |
Grant. . . . |
| 77 |
unix || die |
Archives