On 7/14/22 12:35 AM, J. Roeleveld wrote:
> Hi All,

Hi,

> I am looking for a way to log in to a host and automatically change
> to root using a password provided by an external program.

Please clarify if you want to /require/ a password?

I can think of some options that would authenticate, thus avoiding
sudo's NOPASSWD:, but not prompt for a password. I want to know if
those types of options are on the table or if they should be discarded.

> The root passwords are stored in a vault and I can get passwords out
> using a script after authenticating.

Okay.

> Currently, I need to do a lot of the steps manually:
> ssh <user>@<host>
> su -

You could alter that slightly to be:

ssh <user>@<host> su -

That would combine the steps into one.

> (copy/paste password from vault)

Are you actually copying & pasting the password? Or will you be using
something to retrieve the password from the vault and automatically
provide it to su?

I think that removing the human's need ~> ability to copy & paste would
close some security exposures.

Aside: Removing the human's ability to copy ~> know the password
from the mix as a security measure can be a slippery slope and I
consider it to be questionable at best. -- Conversely, doing it on
behalf of the human with a password that they know simply as automation
is fine.

> I would like to change this to:
> <some-script> <host>

I think that's doable. I've done a lot of that. I'll take it one step
further and put "<some-script> <host>" in a for loop to do my bidding on
a number of systems.

I think the "ssh <user>@<host> su -" method might be a bit cleaner from
a STDIN / TTY / FD perspective.

> Does anyone have any hints on how to achieve this without adding a
> "NOPASSWD" entry into /etc/sudoers ?

Flag on the play: You've now mixed privilege elevation mechanisms. You
originally talked about "su" and now you're talking about "sudo". They
are distinctly different things. Though admittedly they can be used in
concert with each other.

If you are using SSH keys /and/ sudo, then I'd recommend that you
investigate authenticating to sudo via (forwarded) SSH keys. This means
that your interactions with sudo are /always/ authenticated *and* done
so without requiring an interactive prompt.

> Thanks in advance,

There's more than a little bit here. There are a number of ways that
this could go.


-- 
Grant. . . .
unix || die
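An added worked example for the "ssh <user>@<host> su -" suggestion and the "STDIN / TTY / FD" remark above; it is not code from this mailing-list thread or from either poster. The point it demonstrates: su reads the password from the controlling terminal, /dev/tty, not from stdin, so piping the vault output into ssh does nothing, and the `<some-script> <host>` wrapper has to hand the password over through a pseudo-terminal (what expect(1) does). The example does that with only the Python standard library. Assumptions, all labelled in the code: `vault-get` is a hypothetical name for the vault's lookup script; ssh logs in with a key so the first "assword:" prompt seen belongs to su; the remote user name equals the local one; and `fake_su_argv()` is a constructed stand-in for `su - -c id` so the example runs offline.

```python
#!/usr/bin/env python3
"""Drive `ssh <user>@<host> su -` from a script, feeding su the root password
fetched from a vault, with no human copying and pasting it.

su does not read the password from stdin; it opens the controlling terminal
(/dev/tty). So `vault-get ... | ssh host su -` cannot work. The password has
to arrive through a pseudo-terminal, which run_on_pty() below provides.
"""
import os
import pty
import select
import signal
import subprocess
import sys
import time

SSH_USER = os.environ.get("USER", "root")   # ASSUMPTION: same login name remotely


def fetch_root_password(host: str) -> str:
    """Look the host's root password up in the vault.
    ASSUMPTION: `vault-get` is a hypothetical CLI that prints the secret on
    stdout; substitute the vault's real retrieval script."""
    out = subprocess.run(["vault-get", f"root/{host}"], check=True,
                         capture_output=True, text=True).stdout
    return out.rstrip("\n")


def run_on_pty(argv, password, prompt=b"assword:", timeout=10.0):
    """Spawn argv with a fresh pty as its controlling terminal, answer the
    first password prompt, then collect output until the child exits.
    Returns (exit_code, output_after_prompt)."""
    pid, fd = pty.fork()
    if pid == 0:
        os.execvp(argv[0], argv)         # child: argv now sees the pty slave as /dev/tty
    buf = bytearray()
    start = 0                            # index in buf where post-prompt output begins
    answered = False
    deadline = time.monotonic() + timeout
    while True:
        if not answered and prompt in buf:
            # su turns echo off before prompting, so the password is not echoed back.
            os.write(fd, password.encode() + b"\n")
            answered, start = True, len(buf)
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            os.kill(pid, signal.SIGKILL)
            os.close(fd)
            os.waitpid(pid, 0)
            raise TimeoutError(f"{argv[0]} did not finish within {timeout}s")
        readable, _, _ = select.select([fd], [], [], remaining)
        if not readable:
            continue
        try:
            chunk = os.read(fd, 4096)
        except OSError:                  # Linux reports EOF on a pty master as EIO
            chunk = b""
        if not chunk:
            break
        buf.extend(chunk)
    os.close(fd)
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -os.WTERMSIG(status)
    return code, bytes(buf[start:]).decode(errors="replace")


def become_root(host: str, command: str = "id", user: str = SSH_USER):
    """The `<some-script> <host>` step: one ssh, su on the far side, password
    supplied by the vault. `-t` forces a remote tty so su has one to read from.
    ASSUMPTION: ssh itself authenticates with a key, so the first "assword:"
    prompt seen belongs to su rather than to ssh."""
    argv = ["ssh", "-t", f"{user}@{host}", "su", "-", "-c", command]
    return run_on_pty(argv, fetch_root_password(host))


def fake_su_argv(expected_password: str):
    """Constructed stand-in for `su - -c id` so the example runs offline.
    getpass reads from /dev/tty with echo off, exactly as su does."""
    script = (
        "import getpass, sys\n"
        "pw = getpass.getpass('Password: ')\n"
        f"if pw != {expected_password!r}:\n"
        "    print('su: Authentication failure'); sys.exit(1)\n"
        "print('uid=0(root) gid=0(root) groups=0(root)')\n"
    )
    return [sys.executable, "-c", script]


def demo():
    """Run the driver against the stand-in with the right and a wrong password."""
    good = run_on_pty(fake_su_argv("hunter2"), "hunter2")
    bad = run_on_pty(fake_su_argv("hunter2"), "wrong-password")
    return good, bad


if __name__ == "__main__":
    if len(sys.argv) == 2:               # real use: <some-script> <host>
        code, out = become_root(sys.argv[1])
        sys.stdout.write(out)
        sys.exit(code)
    for label, (code, out) in zip(("good", "bad"), demo()):
        print(f"{label}: exit={code} output={out.strip()!r}")
```

Dropping this into a `for host in ...; do <some-script> "$host"; done` loop is the batch use Grant describes; the password never touches a clipboard, a command line, or shell history, since it travels only through the pty. The SSH-key route to sudo that the reply mentions is a different mechanism altogether: with the pam_ssh_agent_auth PAM module and agent forwarding (`ssh -A`) sudo authenticates against the forwarded agent and asks for no password, so none of the pty handling above is needed there.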