How to safely pass password to a remote server to execute sudo commands
I have a very long bash script, at the end of it is a command to execute sudo commands on a remote server:
10 hours of local processing
…
ssh user@ip "sudo ls"
I have set up ssh keys to connect to the server and it's working, but it's not enough to run sudo commands. Also because this command is at the end of my script, I don't want to wait for an interactive prompt for the sudo password. Ideally, I would like a prompt for my password at the beginning of the script, store this password in a variable and then pass this variable in my ssh command to execute sudo commands on the remote server.
This is where I'm stuck. I have read countless posts about that but half of them suggest to use this:
ssh $HOST 'echo $PASSWORD | sudo -S $COMMAND'
which is dangerous since it exposes my password, and half of them suggest to disallow the need for a password for sudo commands on the remote server.
Are these really the only two solutions?
ssh sudo sshpass
edited Feb 17 at 17:06 by ctrl-alt-delor
asked Feb 17 at 15:47 by Sulli
1 Answer
You can add sudo --validate to the start, it will ask for the password at the start, and cache it for (by default) 15 minutes.
You can edit /etc/sudoers, to add exceptions (commands that can be run without passwords). (This may not be appropriate.)
You could run the whole thing as root, but then drop privileges, and run a sub-shell, the root shell will just wait for the sub-shell to finish, then do its bit.
Add an ssh-key for root, so that you can connect as root.
answered Feb 17 at 16:01 by ctrl-alt-delor, edited Feb 17 at 17:03
The first and last solutions you suggest are not adapted for running sudo on a remote server, am I right? They will allow to run sudo commands on the local but not remote host. As for the second solution, it is not appropriate for me, I have many different sudo commands to run.
– Sulli, Feb 17 at 16:28
@Sulli, why are the first and last solutions not adapted for running sudo on a remote server?
– sudodus, Feb 17 at 16:53
@sudodus Because sudo --validate will cache the password on the local host but not the remote server? Or should I do something like ssh $host "sudo --validate" then run my commands locally then again ssh $host "sudo my_commands" at the end of my script? Would that work or sudo --validate is only for the current session?
– Sulli, Feb 17 at 16:58
While it was not designed for remote (as is the case with all commands), it makes no difference. You need to run sudo --validate on the same machine/session that you will later run sudo on. Similar for the 3rd option (it all runs on the remote end).
– ctrl-alt-delor, Feb 17 at 16:59
Are you saying that most of the script is running locally, then at the end it connects to the remote, to run one last command with sudo?
– ctrl-alt-delor, Feb 17 at 17:02
show 5 more comments
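The question asks for exactly the flow the answer's first option implies: prompt once at the start, hold the password in a variable, and use it for the one remote sudo at the end. What makes the widely copied one-liner dangerous is not the variable itself but where the value ends up: written into the ssh argument and the remote shell's command line, it is visible in ps on both machines and lands in shell history. The script below is an added example, not code from the question or the answer; it keeps the password out of every argv and out of the environment of the long local jobs by sending it to sudo over ssh's stdin. It assumes key-based ssh login already works (as the question states) and that the remote sudo entry asks for a password; the functions read_password, remote_sudo and check_sudo_password and the SSH_BIN override are mine, invented for illustration, and user@host is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original thread): prompt for the sudo password
# once, keep it only in an unexported shell variable, and hand it to the remote
# sudo on stdin so it never appears on a command line or in the environment
# of the long-running local work.
#
# Assumptions (mine, not the thread's): key-based ssh login already works and
# the remote sudo entry is password-protected. SSH_BIN defaults to ssh and
# exists only so the transport can be swapped for a fake during testing.

SSH_BIN="${SSH_BIN:-ssh}"

# read_password PROMPT : read one line from the terminal with echo disabled.
read_password() {
    printf '%s' "$1" >&2
    [ -t 0 ] && stty -echo
    read -r SUDO_PASS
    if [ -t 0 ]; then stty echo; printf '\n' >&2; fi
}

# remote_sudo HOST CMD... : run CMD on HOST under sudo.
# printf is a shell builtin, so the password goes into the pipe without ever
# being the argv of a separate process; ssh carries it inside the encrypted
# channel as the first line of the remote command's stdin.
#   -k     discard any cached timestamp so sudo always reads the password
#          (otherwise the password line would be passed on to CMD's stdin)
#   -S     read the password from stdin
#   -p ''  empty prompt, so nothing is written to stderr
remote_sudo() {
    host=$1; shift
    printf '%s\n' "$SUDO_PASS" | "$SSH_BIN" "$host" "sudo -k -S -p '' -- $*"
}

# check_sudo_password HOST : fail fast, before the long local work, instead of
# discovering a typo ten hours later. Exit status is sudo's.
check_sudo_password() {
    printf '%s\n' "$SUDO_PASS" | "$SSH_BIN" "$1" "sudo -k -S -p '' -v"
}

main() {
    host=${1:?usage: RUN_MAIN=1 sh script.sh user@host}
    read_password "sudo password for $host: "
    check_sudo_password "$host" || { echo 'sudo password rejected' >&2; exit 1; }

    # ... 10 hours of local processing goes here. SUDO_PASS is not exported,
    # so none of those child processes inherit it ...

    remote_sudo "$host" 'ls -l /root'
    unset SUDO_PASS
}

# Only run main when explicitly asked, so the functions can be sourced/tested.
if [ "${RUN_MAIN:-0}" = 1 ]; then main "$@"; fi
```

Two caveats a practitioner should check before relying on this. If the remote sudoers has Defaults requiretty, sudo -S will refuse to run without a terminal and you will have to allocate one (ssh -t) or remove that default. And the password is the first line of stdin, so anything you pipe after it reaches the command itself; quoting of the remote command is your responsibility, as with any ssh one-liner. The pre-flight check also answers the question raised in the comments: sudo's credential cache is kept per terminal (or per parent process when there is none), so a cached timestamp from one ssh invocation does not carry over into a later one, which is why the password has to be presented again at the end rather than validated once up front. If you would rather not handle the password at all, the answer's second option still applies, narrowed to the handful of commands you actually need: a NOPASSWD entry for just those commands, edited with visudo.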