I'm trying to come up with a way for me to automate some processes. I have to do this via ssh. What I'm trying to do is have "box A" connect to "box B" as "user A" and execute a command as "user B" (sudoer). It needs to be done this way because of auditing and security policy. This is on Solaris 8
Here's how I have it set up now:
Box A has connectivity to box B
User A has logins on both box A and box B
User A connects to box B from box A and sudos to user B
So, I connect to box A and type:
ssh -t boxB "sudo su - userB /opt/rah/rah/rah/command.sh" >> /some/log/dir
It either doesn't change the user or it asks for a password. The script keeps a log in a directory owned by userB and, if it doesn't change the user, it says "cannot create, permission denied". Otherwise it sits there asking for a password. I've tried putting the full command in sudoers and that doesn't work. Anyone have ideas? Btw, this will eventually be put under Autosys control.
Suggest you set the log to go to a directory either user A OR user B can write to (just to get around that issue of permissions). Also, run an ssh as user A from box A to box B that doesn't run sudo to user B, just to make sure the password it's asking for isn't for the actual ssh versus the change of ID.
Try giving the full path to your su command:
change "sudo su - userB /opt/rah/rah/rah/command.sh"
to "sudo /usr/bin/su - userB /opt/rah/rah/rah/command.sh"
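An added illustration of the matching problem behind both posts above (this is not code anyone posted in the thread). sudo authorizes the program it is handed: with "sudo su - userB /opt/rah/rah/rah/command.sh" the rule has to permit /usr/bin/su, and a sudoers line that names command.sh never matches, which is why it keeps prompting. Running the script directly as userB with "sudo -u" lets the rule name command.sh itself, and NOPASSWD on that one absolute path is what lets an unattended Autosys job through without handing userA a general su. The functions below build that invocation and rule and check that the command part is an absolute path with no wildcards, arguments or shell; userA, boxB, userB and command.sh are the thread's own placeholders, and the sudoers grammar is the standard one, which I'm assuming the sudo on the Solaris 8 box accepts. Note also that the ">> /some/log/dir" redirect in the original command runs on box A, so the "cannot create, permission denied" message is coming from command.sh's own logging on box B.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the ssh/sudo invocation and the
# sudoers rule for "userA on boxB runs command.sh as userB", then checks that
# the granted command spec is tight enough to be a least-privilege rule.
# Assumes standard sudoers syntax (sudo -u, NOPASSWD:) on the target host.

# Remote command: run command.sh as userB via sudo -u instead of via su, so
# the sudoers rule can name command.sh rather than /usr/bin/su.
build_remote_cmd() {
    # $1 = target user, $2 = absolute path of the command
    printf 'sudo -u %s %s' "$1" "$2"
}

# Full local ssh line for the job (-t gives sudo a tty in case it wants one).
build_ssh_invocation() {
    # $1 = host, $2 = target user, $3 = absolute path of the command
    printf "ssh -t %s '%s'" "$1" "$(build_remote_cmd "$2" "$3")"
}

# Sudoers rule: invoking user, on this host, may run exactly this command as
# the target user without a password. Goes into /etc/sudoers through visudo.
build_sudoers_rule() {
    # $1 = invoking user, $2 = host, $3 = target user, $4 = command
    printf '%s %s = (%s) NOPASSWD: %s' "$1" "$2" "$3" "$4"
}

# Returns 0 if a command spec is an absolute path with no wildcards, no
# arguments and no shell/su binary; anything else widens the grant.
check_command_spec() {
    case "$1" in
        *[*?]*) return 1 ;;                   # wildcard: matches more than one program
        *' '*) return 1 ;;                    # arguments: keep the spec to one binary
        /usr/bin/su|/bin/su|/bin/sh|/usr/bin/sh|/usr/bin/sudo)
            return 1 ;;                       # su or a shell hands over a full session
        /*) return 0 ;;                       # absolute path: sudo matches it exactly
        *) return 1 ;;                        # relative name: sudoers will not accept it
    esac
}

# Show the pieces for the thread's names when run directly.
if [ -n "${SHOW_EXAMPLE:-}" ]; then
    build_ssh_invocation boxB userB /opt/rah/rah/rah/command.sh; echo
    build_sudoers_rule userA boxB userB /opt/rah/rah/rah/command.sh; echo
fi
```

Run with SHOW_EXAMPLE=1 to print the ssh line and the sudoers rule for the thread's placeholders; the check function is the part to keep around, since a rule that passes it grants one program and nothing else.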
Unfortunately the command is to start a weblogic process and, if it's started by the autosys id, it won't work correctly. The logs also have to have weblogic:bea permissions so that the weblogic group can read them.
I've also set up an ssh key from box A to box B so that no password is needed for autosys to connect. Works fine.
Sorry for not clarifying all of this earlier.
I will try the full path to su and see if that works.
Oh man. I really wish I'd tried this when I thought of it. Instead of running a specific command via ssh you're just running a script which does all the work. I gotcha.