Sudo password in shell file

Hi all,

I have a script like this, where I am trying to log in to the Oracle DB via SSH and do an account unlock.

#!/bin/sh
ip=$1
os_user=$2
key=$3
ou_user=$4
ou_pass=$5
unlock_user=$6
ssh -i "$key" "$os_user@$ip"
sudo -u "$ou_user" -p "$ou_pass"   # I am getting the error here... it's not taking the sudo password
. PRD
sqlplus / as sysdba <<EOF
ALTER USER $unlock_user ACCOUNT UNLOCK;
EOF

Any suggestions please.

Have you looked into sshpass?

Hi Neo,

Thanks for the reply. SSH is not the issue here, as we are using a PEM key as authentication for the SSH login, which is working fine; up to that point there is no issue, the script is logging in via SSH successfully (I broke my code for debugging purposes, so... the SSH login is working fine).

The only issue is in the sudo command: how to mention the password along with the sudo user name.

I read some Google article saying that sudo won't take the password as a parameter.

-p is not an interactive password input option for the sudo command.
There is no such feature or switch.

Please correct the steps for better understanding. You are:

  1. sshing to the box hosting the Oracle database as some generic user.
  2. Wishing to change to the oracle user (the user under which the database is run).
  3. Sourcing a file, after which you issue an unlock of an Oracle database account.

If I'm not mistaken, the SYSTEM user should have the required privilege to UNLOCK an account, and you should be able to connect to the database in the standard way (sqlplus, Toad etc.) as the SYSTEM user?
Why do you require ssh and sudo to do this operation?

Why not use DBA_DIRECTORIES or an EXTERNAL TABLE, into which an ssh-ed user writes a simple text file that Oracle then processes via an internal scheduler and/or procedure.

Use the database software you are paying gold for; you are over-complicating it :slight_smile:

Hope that helps
Regards
Peasant.

Hi Peasant,

Thanks for your reply.

Oh, my bad... yeah, the mentioned steps are correct; that is what I am trying to achieve.
Sorry... my bad...

sudo -u $ou_user -p $ou_pass

should be

su -u $ou_user -p $ou_pass

Yes, the below is correct; this is what I am trying to achieve:

Please correct the steps for better understanding. You are:
1. sshing to the box hosting the Oracle database as some generic user.
2. Wishing to change to the oracle user (the user under which the database is run).
3. Sourcing a file, after which you issue an unlock of an Oracle database account.

The . PRD is an environment file which exports variables:

[oracle@prddb ~]$ . PRD
[oracle@prddb ~]$ cat PRD
ORACLE_SID=PRD
ORACLE_BASE="/dbusr/app/oracle/product"
ORACLE_HOME="/dbusr/app/oracle/product/12102"
LD_LIBRARY_PATH="$ORACLE_HOME/lib"
TNS_ADMIN="$ORACLE_HOME/network/admin"
LIBPATH="$ORACLE_HOME/lib"
ORA_NLS="/dbusr/app/oracle/product/12102/ocommon/nls/admin/data"
ORA_NLS33="/dbusr/app/oracle/product/12102/ocommon/nls/admin/data"
export ORACLE_BASE ORACLE_HOME
export PATH LD_LIBRARY_PATH LIBPATH
export TNS_ADMIN
export ORACLE_SID

I can log in via sysdba to unlock the account after switching to the oracle user.

Presumably the sudo rule that matches your request is prompting for a password. It could be set up to not ask for a password, but that needs to be done carefully to avoid exposing yourself to risk.

Do you know which rule is being used to grant your access (with the password) to do what you want?

Robin

Hi Robin,

It's not sudo, it's just su - $ou_user (this is the oracle user).

What I am trying to do is, once I have logged in to the box with the generic user, switch to ou_user (which is oracle), which mandatorily has a password (which I know).

The only issue is that I am not able to use the password (for the oracle user) within the script.

I'm sorry, I read the first post and assumed.

I'm a little confused about the -p flag for su though. From my manual page, I see this:

I think you want to code in the password so you don't have to key it in. If that is the case, use a sudo rule to perform the operation you want to do and write it to not require a password.

Tools such as su, ssh etc. are written to prevent command-line or scripted use of passwords (although you can su if you are already root).

A rule such as:

%your-group    ALL = (oracle) NOPASSWD:  ALL

.... should let people in the specified group do anything as the oracle account without a password check. You would use it thus:

sudo -u $ou_user some_command_here

BEWARE!
This may expose you to risk! Do you really want to grant so much? Maybe you could allow less than everything when running as oracle.

I hope that this helps,
Robin

1 Like

hi robin,

Sorry for the delayed reply... specifying the oracle username is mandatory, as I can't log in to that remote box directly as the oracle user (some network restrictions prevent that). I can only log in as the initial user and then I need to switch user. However, I did not get a breakthrough, as a password is not allowed to be specified for the su command...

Please forgive me if I'm totally wrong; I'm a bit shaken after having an accident with my motorbike... many of us on bikes fell as a lorry had spilled fuel on the road...

ssh -i "$key" "$os_user@$ip"
sudo -u "$ou_user" -p "$ou_pass"   # I am getting the error here... it's not taking the sudo password
. PRD
sqlplus / as sysdba <<EOF
ALTER USER $unlock_user ACCOUNT UNLOCK;
EOF

I am not sure what is going on here; it seems to me that after ssh you are on another connection with a new shell, no?
So su or sudo won't work as such, IMHO.

Sorry, bad headache, leaving...

Hi,

Hope you are OK?

Yes, after ssh I will be on another remote box, where I need to switch to the oracle user by using su...

However, I got some Google information, and from Robin's previous reply, that sudo su won't ask for a password where plain su would (I need to give this workaround a try).

Just took some painkillers; apart from scratches and bruises, a headache and a bad back, all is OK...
What I meant was that the lines after ssh (su etc...) would be executed only once you left that new shell... So you would have to use a heredoc here too...

But again, since I don't have all my head, I was hoping someone would pick up from here and confirm, and if so help you through.

Sorry for being confused, but in what way does my suggestion not meet your need? If I can understand it, then I may be able to help.

I think that:-

  • You are using ssh to connect to the server as yourself
  • You want to then use sudo to run a command as the user oracle

Is that correct? If so, does having the suggested sudo rule (adjusted to consider my warning) help at all? One of us is missing something, and I'm happy to accept that it is me, but I don't understand what it is yet. Can you explain a little more?

Perhaps a scraping of your screen as you run through would help me see it.

Thanks, in advance,
Robin

Hi Robin,

Thanks for your kind reply... apologies for the delay.
Yes, the understanding below is correct:

  • You are using ssh to connect to the server as yourself
  • You want to then use sudo to run a command as the user oracle

However, mentioning just sudo oracle is not working... I think I am missing some settings in the sudo file, and I am not sure which. Like you suggested, I have added oracle to the wheel group in the visudo file... but it's not working.

OR

It should allow me to just su oracle and accept the password (I think this is not a viable option, as per a lot of Google information).
Please suggest.

You don't add oracle to the wheel group. You need to allow your account to execute as oracle. Say your account is bob; then the entry in /etc/sudoers (or perhaps under /etc/sudoers.d/*) could be something like:

bob   ALL=(oracle)   NOPASSWD:   /path/to/your/script

..... and on the command line, as bob, you should be able to run:

sudo -u oracle /path/to/your/script

Does that help?

Robin

1 Like

Just thinking about this as a wider question, you might (on your local machine) have to do this:

ssh bob@server "sudo -u oracle /path/to/your/script"

.... or perhaps:-

ssh -t bob@server "sudo -u oracle /path/to/your/script"

.... or even:-

ssh -tt bob@server "sudo -u oracle /path/to/your/script"

This would open the SSH connection, sudo run the script, and exit back to your local machine. The addition of one or two -t flags might be needed to make it set up a terminal connection, else sudo might refuse to run.

Robin

1 Like
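The pieces Robin describes above (a NOPASSWD sudoers rule restricted to one script, invoked over a single ssh -t command so that it runs inside the remote session rather than after it exits) put together as an added end-to-end example. This is not code from the thread, from Oracle or from any project; the account name bob, the script path /usr/local/bin/unlock_oracle_user.sh, the location of the PRD file and the function names are assumptions. Two points the thread leaves implicit are handled here: sudo's -p option sets the prompt string rather than supplying a password (sudo -S would read one from stdin, but then the oracle password sits in the script or its arguments, which is exactly what the NOPASSWD rule avoids), and $unlock_user is interpolated straight into an ALTER USER statement by a sysdba session, so the script checks that it is a plain identifier before building the SQL.

```shell
#!/bin/sh
# unlock_oracle_user.sh (example, not from the thread): runs on the DB host as
# the oracle account, so the caller never needs oracle's password.
#
# Matching sudoers rule (account name "bob" is assumed; add it with
# "visudo -f /etc/sudoers.d/oracle-unlock" so a syntax slip cannot break sudo):
#   bob ALL=(oracle) NOPASSWD: /usr/local/bin/unlock_oracle_user.sh
#
# Invoked from the admin workstation as ONE ssh command, so it runs inside the
# remote session instead of after that session exits (the bug in the original
# script); -t allocates a tty for sudoers configurations with "requiretty":
#   ssh -t -i "$key" "bob@$ip" sudo -u oracle \
#       /usr/local/bin/unlock_oracle_user.sh "$unlock_user"

set -eu

# Assumed full path of the PRD environment file shown in the thread; a relative
# ". PRD" would depend on whatever working directory sudo left us in.
ORA_ENV_FILE="${ORA_ENV_FILE:-/home/oracle/PRD}"
SQLPLUS_BIN="${SQLPLUS_BIN:-sqlplus}"

# Accept only a plain Oracle identifier: a letter followed by up to 29 letters,
# digits, _, $ or #.  Anything else (quotes, semicolons, spaces, newlines) is
# rejected, so the argument can never be spliced into the ALTER USER statement
# as SQL.  30 is the pre-12.2 limit and is safe on every supported release.
valid_oracle_identifier() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 30 ] || return 1
    case "$name" in
        [!A-Za-z]*) return 1 ;;
        *[!A-Za-z0-9_'$#']*) return 1 ;;
    esac
    return 0
}

# Uppercase and double-quote the name: that resolves to the same user an
# unquoted name would, and after validation the quotes cannot be escaped.
build_unlock_sql() {
    upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    printf 'ALTER USER "%s" ACCOUNT UNLOCK;' "$upper"
}

unlock_account() {
    db_user=$1
    if ! valid_oracle_identifier "$db_user"; then
        printf 'refusing to unlock %s: not a plain Oracle identifier\n' "$db_user" >&2
        return 2
    fi
    sql=$(build_unlock_sql "$db_user")
    # shellcheck disable=SC1090
    [ -r "$ORA_ENV_FILE" ] && . "$ORA_ENV_FILE"
    if command -v "$SQLPLUS_BIN" >/dev/null 2>&1; then
        # -S silent, -L give up after the first failed login attempt; the
        # WHENEVER lines make a SQL error surface as a non-zero exit status.
        "$SQLPLUS_BIN" -S -L / as sysdba <<EOF
WHENEVER SQLERROR EXIT FAILURE
WHENEVER OSERROR EXIT FAILURE
$sql
EXIT
EOF
    else
        # No Oracle client here (e.g. when exercising the script off-box):
        # show the statement that would have been sent.
        printf 'dry run, would send to sqlplus:\n%s\n' "$sql"
    fi
}

# Only act when given an argument, so the file can also be sourced for testing.
if [ "$#" -gt 0 ]; then
    unlock_account "$1"
fi
```

The script must be owned by root (or by oracle) and not writable by bob; otherwise bob can edit it and run anything as oracle, which is the same exposure as the earlier ALL rule. Because the sudoers entry lists no arguments, bob may pass any argument to it, so the identifier check is what keeps that safe. If a second box still prompts for a password after the rule is in place, the root user there can run `sudo -l -U bob` to see which rules actually apply to the account.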

First of all, thanks for your patience in answering :slight_smile:
Apologies for the delayed reply; I was sleeping :slight_smile:

Superb! Thanks for the great help. I have tested it from my local machine to one of the remote boxes and it is running fine :)...

But on another remote box it's not working... just out of curiosity, I'm asking the question below:
... is it possible for an admin to restrict a remote user from logging in without su password authentication (even though I have followed your suggested solution)? If there is a method, then I think I am going to tell him: if you restrict me, I won't work :slight_smile: