Bash script to connect to remote servers and become root

Hi,

I need a script that will connect to a list of servers and first sudo to root and then run a couple of commands.
For security reasons, we can't setup ssh keys as root.
Manually I have to login to a server as user and then sudo to root.
It's not possible to use root@servername , because of security restrictions.

This is what I've got so far, but the problem is that it's not sudo-ing to root:

#!/bin/bash
HOSTS=$(cat filename)                    # one hostname per line
SCRIPT2="sudo su -"                      # meant to become root on the remote host
SCRIPT=" command ; command ; command"    # commands that should run as root

for HOSTNAME in ${HOSTS} ; do
    # ssh joins all arguments after the hostname into a single remote command line
    ssh ${HOSTNAME} "${SCRIPT2}" "${SCRIPT}"
done

I recall sudo might want a terminal, so ssh -t or ssh -tt. Of course, ssh in with a utility id that has sudo privileges. Usually sudo means you do not need su. If you sudo bash you can send any number of commands, so you do not need to maintain remote scripts.

sudo isn't possible.

sudo works without terminal if there is NOPASSWD: in sudoers. Please check which command(s)!
But it is either

sudo command; sudo command

or

sudo su - -c 'command; command'

where the optional - reads root's profile.
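Putting the two replies together (ssh -tt so sudo can prompt, and the "sudo su - -c '...'" form), here is an added example of what such a loop could look like; it is not the poster's script. It assumes a host list file with one hostname per line (blank lines and # comments are skipped) and a login user who has sudo rights on each host; any password prompt is answered interactively through the pseudo-terminal, and nothing is stored in the script.

```shell
#!/bin/sh
# Added example: run a fixed set of commands as root on every listed host.

# Join the given commands into one single-quoted string for "su - -c",
# escaping embedded single quotes so the remote shell sees them intact.
build_remote_cmd() {
    joined=""
    for c in "$@"; do
        # turn each ' into '\'' (close quote, literal quote, reopen quote)
        esc=$(printf '%s' "$c" | sed "s/'/'\\\\''/g")
        if [ -z "$joined" ]; then joined="$esc"; else joined="$joined; $esc"; fi
    done
    printf "sudo su - -c '%s'" "$joined"
}

# Read hostnames from a file, skipping blank lines and '#' comment lines.
read_hosts() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# Run the commands on every host in the file. The ssh binary can be
# overridden with SSH=... for a dry run (hypothetical knob, for testing only).
run_on_hosts() {
    hostfile=$1; shift
    remote=$(build_remote_cmd "$@")
    for h in $(read_hosts "$hostfile"); do
        # -tt forces a pseudo-terminal even without a local tty, so sudo
        # can still prompt for the user's password on the remote side.
        ${SSH:-ssh} -tt "$h" "$remote" || echo "failed on $h" >&2
    done
}

# Example usage (constructed): run_on_hosts hosts.txt "id" "uptime"
```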

sudo su - is not allowed.
I understand that we can avoid these things by setting up ssh keys or the sudoers file, but these options are not allowed.

Basically I want to do these steps, but in a script:
login to the Unix server as my own userid
ssh to remote server
sudo to root
execute a couple of commands
exit

On Google I couldn't find something similar,
but I assume I am not the first person who has come across this?

We have environments where we can log in to a main server as root
and execute scripts on remote servers as root, because SSH keys have been configured, but not for this environment.

You can use an expect script for interactive prompt handling.

man expect

This is probably the least secure method, because the passwords are stored in your script. At least read-protect it for others!

Yes, ssh is more secure with PPKey rather than password, as well as allowing simpler scripting. Once in as a non-root user with a controlling terminal (-tt), accessing root with any interactive commands is fine, but once again, you may need expect or something like it to send the root password, or sudo so you do not need to use and expose that password.

You could write your own set-uid root compiled program to let just your trusted id or group run just scripts in a special directory.

If automatic remote execution as root is against policy then it's against policy... When the proper and secure ways are verboten, one must wonder whether insecure ways are 'allowed' or just haven't been considered yet.

Which is to say, how did the policy makers intend admins to do this sort of thing?

Can you achieve what you want starting with something like cron for root on each host, not with a login? Almost anything you can achieve serially from a remote you can do in parallel to a remote. A cron script can pick up a task script from a remote location (PPK-trusted scp to a non-root user) and run it.