How to remotely execute a sudo command over SSH without a password

I have a linux (debian based) server which is configured to allow SSH sessions for the user ‘admin’, but not the user ‘root’. Both these accounts are linked somehow because they share the same password.

During an SSH session as admin, ‘sudo’ is required to run commands, unless I switch to the user ‘root’.

I have some services which I need to run now and then, or even at system startup. I’m currently using a private/public key mechanism to remotely execute commands on the server. Some of the commands are manually typed, others are shell scripts that I execute.
Currently the server still asks for a password when a command uses sudo.

Question:
How can I remotely execute commands as user ‘admin’ without supplying the password?
Is it possible to use a private/public key to satisfy sudo?
Or is there perhaps even a way to start shell scripts as the user ‘root’?

Is it even possible to avoid having to type the password when using sudo? If not, are there other alternatives for situations like mine?

Answers:


Method 1

You can tell sudo to skip the password for some commands.

e.g. in /etc/sudoers:

archemar  ALL = (www-data) NOPASSWD: /bin/rm -rf /var/www/log/upload.*

This allows me to use
sudo -u www-data /bin/rm -rf /var/www/log/upload.*

as archemar without a password.

Note that

sudo -u www-data rm -rf /var/www/log/upload.*

won’t work (it will ask for a password) as rm differs from /bin/rm. (*)

Be sure to edit /etc/sudoers using visudo command.

Once you’ve reached an advanced level, you might wish to have your own sudo files in /etc/sudoers.d.

(*) This changed in modern OSes (redhat 7.x circa 2022): if the rm in your path matches /bin/rm in sudoers.conf, you might use rm.

Method 2

The simplest way is to provide the password from stdin, if your sudo supports that (the -S option):

ssh -t admin@remotehost "echo <yourpassword> |sudo -S <yourcommand>"

Method 3

If the accounts are linked somehow, it makes no sense to allow ssh for one and not the other. Here is what I would do instead:

  • enable ssh for root, allowing only access with ssh keys and not with a password
  • create a new key that will be used only for your specific command
  • put the key and the command you need to execute in authorized_keys of root, so that as soon as a connection is made with this key, the command is launched.

This is secure because in that way the caller cannot have a shell nor execute any other command (even if he provides one).

You can see an example here: https://stackoverflow.com/questions/402615/how-to-restrict-ssh-users-to-a-predefined-set-of-commands-after-login with the command= syntax. You can also do the same thing by embedding the command in the certificate if you use certificates instead of keys, or do it globally using the configuration option ForceCommand.

See http://larstobi.blogspot.com/2011/01/restrict-ssh-access-to-one-command-but.html for another example (which illustrates that you need to take into account the parameters of your command).
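As an added example (not code from any of the answers above), here is a forced-command wrapper for the authorized_keys command= approach described in this answer. It handles the parameter problem the second link mentions by accepting only a fixed set of request names read from SSH_ORIGINAL_COMMAND; the script path, service names and key comment are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for root's ~/.ssh/authorized_keys.
# The key line would look like this (key material is a placeholder):
#
#   command="/usr/local/sbin/restricted-cmd",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA...PLACEHOLDER... deploy-key
#
# sshd ignores whatever the client asked for, runs this script instead, and
# exposes the client's request in SSH_ORIGINAL_COMMAND. Only exact request
# names are honoured, so no parameters can be smuggled in.

# Map a permitted request name to the command actually executed.
# Service names are assumptions for this example.
allowed_command() {
    case "$1" in
        restart-app)  echo "/bin/systemctl restart myapp.service" ;;
        reload-nginx) echo "/bin/systemctl reload nginx.service" ;;
        *)            return 1 ;;
    esac
}

# Validate the request and print the resolved command.
# Returns 0 when permitted, 1 otherwise.
resolve_request() {
    req="$1"
    # Reject an empty request (a shell attempt) and anything containing
    # whitespace or shell metacharacters before consulting the allow list.
    case "$req" in
        ""|*[!a-zA-Z0-9_-]*) return 1 ;;
    esac
    allowed_command "$req"
}

# Dispatch only when actually running under sshd (SSH_CONNECTION is set),
# so the functions above can also be sourced and tested locally.
if [ -n "${SSH_CONNECTION:-}" ]; then
    cmd=$(resolve_request "${SSH_ORIGINAL_COMMAND:-}") || {
        logger -t restricted-cmd "rejected request from ${SSH_CLIENT%% *}: ${SSH_ORIGINAL_COMMAND:-<none>}"
        echo "rejected" >&2
        exit 1
    }
    logger -t restricted-cmd "running: $cmd"
    exec $cmd
fi
```

Every rejected request is logged with the client address, which gives a simple detection point for anyone probing the key for other commands.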

Method 4

To add to Archemar’s answer, sudo asks for the password of the user running sudo, not the user the command will be run as. You say that the ‘admin’ and ‘root’ accounts are ‘linked’ and share the same password. If you have come to this conclusion based on sudo accepting the password for the ‘admin’ account (and the password sudo accepts changing when the password for ‘admin’ is changed), this is normal behaviour for sudo.

Method 5

If you are using a MacBook with TouchID, you can configure SSH sudo with Mac TouchID (fingerprint, 2FA)

https://medium.com/@prbinu/touch2sudo-enable-remote-sudo-two-factor-authentication-using-mac-touch-id-df638b7da594

Code: https://github.com/prbinu/touch2sudo

Method 6

Worked for me, using sshpass:

#!/bin/bash
PASS="Password"
COMMAND="/tmp/test.sh"
USER="USER"
HOST="1.2.3.4"
# sshpass supplies the SSH login password; the same password is then piped to sudo -S on the remote side
sshpass -p "$PASS" ssh -t "$USER@$HOST" "echo '$PASS' | sudo -S $COMMAND"


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.
