pantz.org banner
Using SSH and sudo instead of root for remote commands
Posted on 11-18-2010 02:56:05 UTC | Updated on 11-23-2010 01:33:33 UTC
Section: /software/ssh/ | Permanent Link

Anyone who has to administer a lot of *NIX servers has been in the position of needing to execute remote commands on those servers as root. Usually it is done to change a file or run a command. The easy way to do this is to run your command with ssh as the root user but, we all know how bad it is to leave "PermitRootLogin yes" in our sshd_config files. On many systems this is the default setting. But allowing root a remote login through SSH is a security issue so we turn it off. This begs the question what are you to do when you need to execute commands remotely on systems as root but root logins are disabled? It's easier than you think.

Usually when you need to execute these commands it is for a group of servers. To start put your SSH key on all the machines you need to execute your commands on and don't put a password on your key when setting it up. If want to know how to do this look here. After setting those up on your machines you should be able to login to each one without needing a password.

Next, setup sudo so your user can execute commands with root privileges. If you need to know how to do this look here. Here's the short version. As root type "visudo" and put in "yourusername ALL=(ALL) ALL". If your using Ubuntu then this is likely already done for you.

Now with your SSH keys setup and your sudo privs set we are ready. Before you type this command there is a WARNING. This command makes you type your password in cleartext for anyone to see. DON'T type this command in your terminal program because it will stay in your history. DON'T type it on screen because it will stay in your terminals scroll back buffer. The safest way to use this is to make a script, chmod 700 the file, and execute that file. Better yet only type the password in the file right before you need to execute it. Then remove the password from the file when your done. This is still not a super secure way to do this but if remote root is turned off you might not have a choice.

From the machine your going to use to login to your other machines execute the command below. Where it says "hostname" put in the hostname of the machine your trying to get into. Where it says "password" put your password. Where it says "command" put the command your trying to execute like "df -h". As with any command on the command line if there are any special characters you will need to escape them with \ in the bash shell at least. I'll put in an examples with comments below the first line.

# original command
ssh hostname "echo password | sudo -S command"

# execute command "df -h" with escaped password character !
ssh host.pantz.org "echo PaSSworD\! | sudo -S df -h"

Using SSH and sudo this way works best when the above line is part of a script. This gives you the ability to automate executing the same command across many machines at one time.

Here is a little shell script you might use with the above command. The /home/user/hosts file the script refers to is just a text file with a single host name on each line. It will execute whatever command you give it from the command line for each host in the hosts file. So if you called your script go.sh then you could execute the command "df -h" by typing "./go.sh df -h".

#!/bin/bash

for HOST in $(< /home/user/hosts); do
  echo ""
  echo "###############"
  echo "# HOSTNAME: $HOST"
  echo "###############"
  # This line is for back grounding each command to execute them on all systems at once
  # ssh -q -o ConnectTimeout=3 $HOST "echo password | sudo -S $* >/dev/null 2>&1 &"
 
  ssh -q -o ConnectTimeout=3 $HOST "echo password | sudo -S $*"

  if [ $? -ne 0 ]; then
    echo "---- COULD NOT CONNECT TO $HOST ----"
  fi
done

Good luck and be careful with this command. Please don't use it from the command line. On some distributions your sudo commands are logged to /var/log/secure but the echo statement with the password does not show up so no worries about that.

Del.icio.us! | Digg Me! | Reddit!

Related stories


RSS Feed RSS feed logo
About


3com
3ware
alsa
alsactl
alsamixer
amd
android
apache
areca
arm
ati
auditd
awk
badblocks
bash
bind
bios
bonnie
cable
carp
cat5
cdrom
cellphone
centos
chart
cifs
cisco
cloudera
comcast
commands
comodo
compiz-fusion
corsair
cpufreq
cpufrequtils
cpuspeed
cron
crontab
crossover
cu
cups
cvs
database
dbus
dd
dd_rescue
ddclient
debian
decimal
dhclient
dhcp
diagnostic
diskexplorer
disks
dns
dos
dovecot
drac
dsniff
dvdauthor
e-mail
echo
editor
emerald
ethernet
expect
ext3
ext4
fat32
fedora
fetchmail
fiber
filesystems
firefox
firewall
flac
flexlm
floppy
flowtools
fonts
format
freebsd
ftp
gdm
gnome
greasemonkey
greylisting
growisofs
grub
hacking
hadoop
harddrive
hba
hex
hfsc
html
html5
http
idl
ie
ilo
intel
ios
iperf
ipmi
iptables
ipv6
irix
javascript
kde
kernel
kickstart
kmail
kprinter
krecord
kubuntu
kvm
lame
ldap
linux
logfile
lp
lpq
lpr
maradns
matlab
memory
mencoder
mhdd
mkinitrd
mkisofs
moinmoin
motherboard
mouse
movemail
mplayer
multitail
mutt
myodbc
mysql
mythtv
nagios
nameserver
netflow
nginx
nic
ntfs
ntp
nvidia
odbc
openbsd
openntpd
openoffice
openssh
openssl
opteron
parted
partimage
patch
perl
pf
pfflowd
pfsync
photorec
php
pop3
pop3s
ports
postfix
power
procmail
proftpd
proxy
pulseaudio
putty
pxe
python
qemu
r-studio
raid
recovery
redhat
router
rpc
rsync
samba
schedule
scsi
seagate
seatools
sed
sendmail
sgi
shell
siw
smtp
snort
solaris
soundcard
sox
spam
spamd
sql
sqlite
squid
ssh
ssh.com
ssl
su
subnet
subversion
sudo
sun
supermicro
switches
symbols
syslinux
syslog
systemrescuecd
t1
tcpip
tcpwrappers
telnet
terminal
testdisk
tftp
thttpd
thunderbird
timezone
ting
tools
tr
trac
tuning
tunnel
ubuntu
vi
wget
wiki
windows
windowsxp
wireless
wpa_supplicant
x
xauth
xfree86
xfs
xinearama
xmms
youtube
zdump
zic
zlib