8
3
What is a good setup that allows automatic execution of a command or a script on a remote server with root
privileges using SSH?
I'm aware (only vaguely for some the options) of the following options:
- Allowing a direct login by
root
(PermitRootLogin
) (and possibly forcing key authentication). - Configuring
sudo
not to require a password (NOPASSWD
flag insudoers
) and TTY (requiretty
flag). - Configuring
sudo
to allow an execution of specific commands/scripts, when authenticated with a specific private key. - Setting the script owner as
root
and setting setuid permission.
But first, I'm not sure what are security consequences of these. For example I know that allowing root
login is frowned upon. But I'm not sure, if that is not an obsolete point of view. From what I've understood, it looks like a password authentication is the danger. With public key authentication, the direct root
login might be ok. And for some of the options, particularly the sudo
, I'm not sure even about the configuration needed. While I am able to google all that, there might be security considerations that I may miss, that's why I'm asking for experts' opinion.
Note, that I'm asking for a server-side setup. The execution will be triggered by a program, not a tool like ssh
, so I'm not looking for things like automatic client authentication.
Background: Being active in ssh
tag on Stack Overflow, one of frequent questions that come up, are about various hacks that people attempt, while trying to execute a command/script (or even an SFTP server) over an SSH on a remote Unix/Linux server server using a root
account using various programming languages (C#, Java, VB.NET, Python, etc.) and SSH libraries (SSH.NET, JSch, Paramiko, etc.).
The implementations, that the people attempt, usually try using su
or sudo
. These then prompt for a password. So the implementations then try to feed the password to the command input. As su
and sudo
often require terminal emulation for the password prompt, the implementation have to require PTY. Which in turn causes further troubles, as sessions with the terminal emulation often employ interactive features, like ANSI escape codes, pagination, etc. All these lead to loads of further unreliable hacks that attempt to remove or even interpret the ANSI escape codes or simulate large enough terminal to avoid pagination.
Few examples out of many:
- “sudo” command executed with JSch requires password, even when the password is not required in an interactive SSH session
- Getting “must be run from a terminal” when switching to root user using Paramiko module in Python
- Executing command using “su -l” in SSH using Python
- Using JSch to SFTP when one must also switch user
While I usually can provide a help with implementing these hacks, I also usually add a suggestion that there are better ways than automating sudo
/su
. But I'm not actually confident about providing details of those purported "better ways".
So I'm looking for a canonical answer from a Super User perspective, which can then be referred to and adapted for Stack Overflow purposes.
You may already know, but If you run
sudo visudo
and addusername ALL=(ALL) NOPASSWD:ALL
then that user will be able to execute sudo commands with no prompt or password. I have my internal apache user running like this. I have an internal dashboard that has a few buttons to start up game servers, it just executes the relevant bash command with the apache user – Panomosh – 2019-09-11T10:25:16.1931@Panomosh Thanks for your comment. Yes, that's what I was referring to by "Configuring
sudo
not to require a password ..." - Though I believe that this is probably one of the less secure options. But definitely, I this option should be included in the answer I'm hoping for :) – Martin Prikryl – 2019-09-11T11:05:56.670The
ALL=
directive can be refined to allowsudo
without password only for the listed command-lines (including arguments) when run by a particular user. This looks secure enough for me. – harrymc – 2019-09-16T08:10:45.433@harrymc Yes. That's my favorite option now. But as I have commented already at the answer by davidgo, I'd like the answer to show how to do that. – Martin Prikryl – 2019-09-16T08:12:45.410
There is already an answer for that in Unix Stackexchange. I could add it here if you like.
– harrymc – 2019-09-16T08:16:42.033@harrymc It would be nice. I'm bit confused by the example amended to the davidgo answer. It does not seem to match the answer you have linked. But it can just me not understanding the sudoers syntax. Also it would be nice if someone compares the use of sudo with "Setting the script owner as root and setting setuid permission.", which seem quite similar to me (from a functional and security point of view). Does sudo allow executing a script/command with any arguments (what root-owner script does)? – Martin Prikryl – 2019-09-16T09:19:36.023