ssh + sudo + su into login shell

10

2

I have several machines I ssh into regularly only for the purpose of using sudo su to spend the rest of my session logged in as some special-purpose user. The general workflow is:

mymachine:~ me$ ssh me@othermachine
othermachine:~ me$ sudo su - specialuser # note: no password needed
othermachine:~ specialuser$ # do stuff

I'd like to boil this down into a one-liner that I can alias, so I can just set up an alias for each machine and get to where I need to be in a single command, without having to type the sudo su - specialuser boilerplate. I could maybe set up me@othermachine to sudo su on login, but I'd like to keep the flexibility to operate as me if I need to.

(Note: I don't have any control over othermachine or the way it's set up; this is an established workflow that I came in on when I was hired.)

My first thought was just

ssh me@othermachine "sudo su - specialuser"

and this sort of works, but it gets me no prompt, ^C kills it and logs me out, and I assume various other things are probably wrong too.

After reading Run Remote ssh command with Full Login Shell I tried a couple of more exotic things like

ssh me@othermachine 'bash -l -c "sudo su - specialuser"'

and

ssh me@othermachine 'bash -l -c "sudo su - specialuser"; bash'

-- neither of which I expected to work, and they didn't, but I thought I should try them for completeness (and to avoid close-as-duplicate); they produced the same prompt-less shell (the second with an added bonus prompt-less shell for me after exit-ing from the one for specialuser). And I tried

ssh me@othermachine "sudo su - specialuser -c bash -l"

but it just got me

sudo: no tty present and no askpass program specified

Better ideas?

David Moles

Posted 2015-02-06T22:56:34.283

Reputation: 255

What about adding the sudo command to ~/.profile after a short delay? – Alex – 2015-02-06T23:09:24.280

The idea being that in the odd case I don't want to sudo I should hit ^C? If I can't come up with anything better I might try that. – David Moles – 2015-02-06T23:13:45.943

1

You could su me from specialuser. Or in .profile or .bashrc, if you don't follow the sudo with exit, your first exit will take you back to me, with a second to end the session. Or even use a flag file, so sudo is preceded by [ -f ~/.keep.me ] && del ~/.keep.me and followed by [ \! -f ~/.keep.me ] && exit: you then need only a script or alias for a command me as :>~/.keep.me; exit. Now exit will end your session and me will go back to your login session. – AFH – 2015-02-06T23:52:30.563

1

Please consider writing /bin/bash in your final version, not simply bash, for security reasons (to avoid a trojan). Especially if there is a sudo before...

– Hastur – 2015-02-07T10:42:16.453

Answers

9

This line should work for you

ssh -t me@machine "sudo su - specialuser" 

This solution gives me a prompt or not, depending on the -t switch

ssh -t me@machine "/bin/bash -l"   # Gives me a prompt

ssh  me@machine "/bin/bash -l"     # Gives me NO prompt
ssh  me@machine                    # Gives me NO prompt

Notes from man ssh

-t
Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.

Hastur

Posted 2015-02-06T22:56:34.283

Reputation: 15 043

This works for me ... can it be done via host specific ~/.ssh/config setting, too? – hey – 2019-01-06T21:22:00.340

1

@where, yes you can do that with RequestTTY force (which equals -t) and RemoteCommand sudo su - specialuser! However, be aware that other programs that use SSH (like scp, rsync, etc) will not work properly for this host any more. – Robert Riedl – 2019-07-02T06:50:31.153
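
The answer's ssh -t form combined with the absolute-path advice from the comments, wrapped as a shell function. This is an added example, not code from the thread: the function names sshas and remote_login_cmd are hypothetical, and the paths /usr/bin/sudo and /bin/su are assumptions to confirm on the remote host.

```sh
#!/bin/sh
# Added example, not from the thread. "me@othermachine" and "specialuser" are
# the question's placeholders. The absolute paths below are assumptions:
# confirm them on the remote host before relying on them.
SUDO_BIN=/usr/bin/sudo
SU_BIN=/bin/su

# remote_login_cmd USER
# Print the command line to run on the remote host. USER is pasted into a
# line that the remote shell parses, so anything other than a plain account
# name (spaces, ';', '$', quotes, a leading '-') is refused.
remote_login_cmd() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9_.-]*)
            printf 'refusing unsafe user name: %s\n' "$1" >&2
            return 1
            ;;
    esac
    # Absolute paths, so the PATH of the login account cannot substitute
    # another program for sudo or su.
    printf '%s %s - %s' "$SUDO_BIN" "$SU_BIN" "$1"
}

# sshas HOST USER
# Log in to HOST and switch to USER in one step.
sshas() {
    if [ "$#" -ne 2 ]; then
        echo "usage: sshas [login@]host user" >&2
        return 2
    fi
    case "$1" in
        '' | -*)   # a leading '-' would be read by ssh as an option
            printf 'refusing unsafe host: %s\n' "$1" >&2
            return 1
            ;;
    esac
    cmd=$(remote_login_cmd "$2") || return 1
    # -t forces a pseudo-terminal; without one the remote shell is not
    # interactive, which is the prompt-less session from the question.
    ssh -t "$1" "$cmd"
}

# Per-machine alias, as the question asks (plain `ssh me@othermachine`
# still logs in as "me"):
#   alias special='sshas me@othermachine specialuser'
```

Because the wrapper lives on the client and leaves ~/.ssh/config untouched, scp and rsync to the same host keep working.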