8

I'm writing a script which is to log onto a bunch of remote machines and run a command on them. I've set up keys so the user running the script does not have to type the password of each machine, but only type in the passphrase in the beginning of the script.

The problem is that the command on the remote machines requires sudo to run. And at the same time the whole point of the script is to rid the user of having to type in passwords multiple times. Is there way to avoid typing in the password for sudo? Changing permissions of the command on the remote machines is not an option.

vahidg

3 Answers

8

For sudo you can allow a user to run sudo without asking for the password, try man sudoers. You can edit the file /etc/sudoers by issuing the visudo command. It has to be that special because otherwise the file is not correctly reloaded. The resulting lines (here taken from the examples in the file itself) should be:

## Allows people in group wheel to run all commands
# %wheel    ALL=(ALL)   ALL

## Same thing without a password
%wheel  ALL=(ALL)   NOPASSWD: ALL
DaDaDom
  • Thank you. It's funny since my colleague proposed a solution in the same lines as this, just before you posted your answer. Can you add that the file to edit is `/etc/sudoers` and it can also be edited by running `sudo /usr/sbin/visudo` – vahidg Feb 25 '10 at 10:07
  • If you know the command you want to run, you might not want to specify ALL commands. Bit of a security hole, y'know. – Tom O'Connor Feb 25 '10 at 10:43
  • @Tom O'Connor: Yep, I provided only the needed command. Will put an example here for the sake of completeness: `%wesho ALL=NOPASSWD: /sbin/service httpd` – vahidg Feb 25 '10 at 10:52
  • Ah, fair enough. :) – Tom O'Connor Feb 25 '10 at 11:40
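The comment thread above turns on the difference between `NOPASSWD: ALL` and a rule restricted to one command. As an added example (not code from the answer or from the sudo project), this small Python audit parses sudoers-style user specifications and reports which principals get passwordless access to ALL commands; the sample text is constructed from the snippets quoted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of the sudoers excerpts quoted in this
# thread (commented-out default, NOPASSWD: ALL, the restricted %wesho rule).
SAMPLE_SUDOERS = """\
## Allows people in group wheel to run all commands
# %wheel    ALL=(ALL)   ALL
%wheel  ALL=(ALL)   NOPASSWD: ALL
%wesho ALL=NOPASSWD: /sbin/service httpd
deploy  ALL=(root) /usr/bin/systemctl restart app
Defaults env_keep += "SSH_AUTH_SOCK"
"""

# who  host = (runas) [TAG: ...] commands   -- the (runas) part is optional
_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
_SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

@dataclass
class Rule:
    who: str
    host: str
    runas: str
    nopasswd: bool
    commands: list

def parse_sudoers(text):
    """Return a Rule per user specification; comments, blank lines,
    Defaults and alias definitions are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops '# ...' and '## ...'
        if not line or line.startswith(_SKIP):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        rules.append(Rule(m["who"], m["host"], m["runas"] or "root",
                          "NOPASSWD:" in m["tags"].upper(), cmds))
    return rules

def passwordless_all(rules):
    """Users or %groups that may run ALL commands without a password."""
    return [r.who for r in rules
            if r.nopasswd and any(c.upper() == "ALL" for c in r.commands)]

if __name__ == "__main__":
    for r in parse_sudoers(SAMPLE_SUDOERS):
        print(f"{r.who:8} runas={r.runas:5} nopasswd={r.nopasswd!s:5} {r.commands}")
    print("NOPASSWD for ALL:", passwordless_all(parse_sudoers(SAMPLE_SUDOERS)))
```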
7

@Wesho,

You can do what DaDaDom said (it will work and it is simple) or you may want to beef up your setup by using a PAM module called pam-ssh-agent-auth.

The process for Debian/Ubuntu systems is reasonably simple:

$ sudo aptitude install libssl-dev libpam0g-dev build-essential checkinstall
$ wget "http://downloads.sourceforge.net/project/pamsshagentauth/pam_ssh_agent_auth/v0.9.3/pam_ssh_agent_auth-0.9.3.tar.bz2"
$ tar -xjvf pam_ssh_agent_auth-0.9.3.tar.bz2
$ cd pam_ssh_agent_auth-0.9.3

$ ./configure --libexecdir=/lib/security --with-mantype=man

$ make
$ sudo checkinstall

Then edit the sudo configuration:

$ sudo visudo

Add the following:

Defaults env_keep += SSH_AUTH_SOCK

Continue by changing the sudo PAM settings:

$ sudo vi /etc/pam.d/sudo

Add the auth line just above the 2 existing @include lines:

auth [success=2 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
@include common-auth
@include common-account

Voilà!

sudo with no auth but relying on SSH Agent to perform strong authentication, instead of simply removing the password from the sudo configuration.

ijk
  • You may also want to check [this](http://serverfault.com/questions/61796/easy-multi-level-authentication-for-sudo/303452#303452) – Andre de Miranda Aug 21 '11 at 05:26
  • `authorized_keys` MUST be locked down so only root can change it - otherwise you might as well disable the password. – ijk Feb 20 '12 at 23:58
  • [explanation of success=2 syntax](http://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files) – ijk Feb 21 '12 at 00:05
2

Andre de Miranda's answer provides a nice solution using pam_ssh_agent_auth, but parts are out of date. Particularly the /etc/pam.d/sudo instructions when using many current Linux versions.

If you're running Ubuntu 12.04 precise, I've actually simplified the process by providing a pam_ssh_agent_auth build out of a ppa: ppa:cpick/pam-ssh-agent-auth.

You can install the package by running:

sudo add-apt-repository ppa:cpick/pam-ssh-agent-auth
sudo apt-get install pam-ssh-agent-auth

After installation, if you'd like to use this PAM module with sudo you'll have to configure sudo's settings and PAM configuration, in Ubuntu 12.04 precise you can do that by creating the following two files:

/etc/sudoers.d/pam-ssh-agent-auth :

Defaults    env_keep+="SSH_AUTH_SOCK"

/etc/pam.d/sudo :

#%PAM-1.0

auth       required   pam_env.so readenv=1 user_readenv=0
auth       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
auth       sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys
@include common-auth
@include common-account
@include common-session-noninteractive

If you're using chef, the above process can be automated with my cookbook, found at either of the two following locations:
https://github.com/cpick/pam-ssh-agent-auth
http://community.opscode.com/cookbooks/pam-ssh-agent-auth.

The cookbook's files directory contains the /etc/pam.d/sudo and /etc/sudoers.d/pam-ssh-agent-auth files described above that work with Ubuntu 12.04 precise and should be a helpful starting point when using other versions/distros.

Chris Pick
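Both pam_ssh_agent_auth answers above edit the same two files. As an added example (not code from the thread or from the pam_ssh_agent_auth project), this Python checker parses the resulting /etc/pam.d/sudo and sudoers fragments and flags the mistakes the comments warn about: the module placed after the @include lines it is meant to short-circuit, a key file under the user's home directory, and a sudoers file that does not keep SSH_AUTH_SOCK. The configuration strings are constructed from the answers' snippets.

```python
import re

# Constructed configurations mirroring the two answers (not from a live host):
# the Debian/Ubuntu recipe with a key file in the user's home, and the
# 12.04 variant with a root-owned file under /etc/security.
PAM_SUDO_HOME_KEYS = """\
auth [success=2 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
@include common-auth
@include common-account
"""
PAM_SUDO_ETC_KEYS = """\
#%PAM-1.0
auth       required   pam_env.so readenv=1 user_readenv=0
auth       sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys
@include common-auth
@include common-account
@include common-session-noninteractive
"""

# type  control-or-[bracketed control]  module  args...
_PAM_LINE = re.compile(r"^(?P<type>\w+)\s+(?P<ctrl>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")
_ENV_KEEP = re.compile(r'^Defaults\s+env_keep\s*\+?=\s*"?([^"]*)"?')

def check_pam_sudo(text):
    """Return findings for a /etc/pam.d/sudo file using pam_ssh_agent_auth."""
    findings, seen_include, found = [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@include"):
            seen_include = True
            continue
        m = _PAM_LINE.match(line)
        if not m or m["type"] != "auth" or m["module"] != "pam_ssh_agent_auth.so":
            continue
        found = True
        if seen_include:   # the included password modules would run first
            findings.append("pam_ssh_agent_auth.so is listed after an @include line")
        args = dict(a.split("=", 1) for a in m["args"].split() if "=" in a)
        keyfile = args.get("file", "")
        if not keyfile or keyfile.startswith("~") or "%h" in keyfile:
            findings.append(f"key file {keyfile or '(unset)'}: set file= to a "
                            "root-owned path such as /etc/security/authorized_keys")
    if not found:
        findings.append("no auth line for pam_ssh_agent_auth.so")
    return findings

def sudo_keeps_agent_socket(sudoers_text):
    """True if a Defaults env_keep line lets sudo see SSH_AUTH_SOCK."""
    for line in sudoers_text.splitlines():
        m = _ENV_KEEP.match(line.strip())
        if m and "SSH_AUTH_SOCK" in m.group(1).split():
            return True
    return False
```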