Remote Sudo Script

Home » CentOS » Remote Sudo Script
CentOS 7 Comments

Hey guys,

I’m trying to write a simple bash script that will cp a configuration file to a backup (with the date) remotely to a bunch of machines, using sudo with ssh.

I notice that if I run the commands individually, they both work (albeit with some strange output I’d like to suppress):

[tdunphy@MIAGRBISSH01V ~]$ SSH -q -t -t -t MIAGRBIORCA00V sudo -S ‘cp -v
/data/solr-4.3.1/zoe/etc/logback.xml /tmp/logback.xml-${i}-$(date
+%Y%m%d).bak’ <Inappropriate ioctl for device
`/data/solr-4.3.1/zoe/etc/logback.xml’ -> `/tmp/logback.xml–20131007.bak’

[tdunphy@MIAGRBISSH01V ~]$ SSH -q -t -t -t MIAGRBIORCA00V sudo -S ‘ls -l
/home/tdunphy/logback.xml-${i}-$(date +%Y%m%d).bak’ < `/tmp/logback.xml–20131007.bak’
tcgetattr: Inappropriate ioctl for device
-rw-r–r– 1 root root 3372 Oct 7 22:07
/home/tdunphy/logback.xml–20131007.bak tcgetattr: Inappropriate ioctl for device
[sudo] password for tdunphy:

For some reason the <

7 thoughts on - Remote Sudo Script

  • 2 things I’d consider (and yes, before someone starts that ‘that’s not nearly secure enough!’ debate, 1 isn’t great security, but every place has different levels of acceptable, so it might pass for some while it’d never fly for others)
    1. change your ID/to an ID that doesn’t have to supply a password to sudo commands e.g. has the NOPASSWD option set in sudoers file.
    2. change up to expect. it’s a little wonky and different from other scripting languages, but it’s really made for this sort of thing.

  • I would recommend that you just give the user NOPASSWD access to the specific command(s) that you need for your remote script, rather than giving that user global NOPASSWD access.

    See sudoers(5) for details.

    Peter

  • use SSH keys rather than password authentication…. see: man ssh-keygen

    short version, on local system, run ssh-keygen to create a public and private key for the local account, and append the public key
    ~/.ssh/id_dsa.pub on the local system to the ~/.ssh/authorized_keys2
    file on the remote system. once you’ve done this, ssh/scp/sftp will connect without prompting for a password.

  • hey thanks. Already using keys. It’s sudo that’s the blocker. Also I would use NOPASSWD on my sudo options, but there’s some bureaucratic red-tape involved there. Can’t really go about enabling that myself without ruffling some feathers. Otherwise thanks for the suggestions and keep ’em coming!

  • The cp did work, sudo accepted the password. Note that ${i} was not interpolated into the file name.

    the ls did work

    But what’s that?
    Is the password the same on all hosts, i.e. it works for one host, but not the other?
    Or do you have another SSH in the for loop you did not tell us about?

    Try do add some debugging output with the hostname into the loop.

  • hey there,

    Thanks for playing!

    Yes good point about ${i} not being interpolated. However this example is from when the command is individually executed and not as part of the script. When you pop that line into my script for some reason the password is not passed to sudo. Just something I find odd, because the syntax hasn’t changed at all so why would it not work in the script?

    Yes. Again, this happened when the command was executed individually, but NOT as part of the script.

    No, the password is the same across all of the hosts in the environment. And the output that you see here is the exact same as what I was trying to run.

    I added a little more debugging to the output, but otherwise the script is unchanged. As soon as you try to pass the password to sudo via the script, the password is not recognized.

    Here’s the most recent run of the script:

    [tdunphy@MIAGRBISSH01V ~]$ for i in MIAGRBIORCA0{1..9}V MIAGRBIORCA1{0..2}V
    /home/tdunphy/logback.xml-${i}-$(date +%Y%m%d).bak’ <

LEAVE A COMMENT