How to safely pass password to a remote server to execute sudo commands












2















I have a very long bash script, at the end of it is a command to execute sudo commands on a remote server:



10 hours of local processing

ssh user@ip "sudo ls"


I have set up ssh keys to connect to the server and it's working, but it's not enough to run sudo commands. Also because this command is at the end of my script, I don't want to wait for an interactive prompt for the sudo password. Ideally, I would like a prompt for my password at the beginning of the script, store this password in a variable and then pass this variable in my ssh command to execute sudo commands on the remote server.



This is where I'm stuck. I have read countless posts about that but half of them suggest to use this:



ssh $HOST 'echo $PASSWORD | sudo -S $COMMMAND'


which is dangerous since it exposes my password, and half of them suggest to disallow the need for a password for sudo commands on the remote server.



Are these really the only two solutions?










share|improve this question





























    2















    I have a very long bash script, at the end of it is a command to execute sudo commands on a remote server:



    10 hours of local processing

    ssh user@ip "sudo ls"


    I have set up ssh keys to connect to the server and it's working, but it's not enough to run sudo commands. Also because this command is at the end of my script, I don't want to wait for an interactive prompt for the sudo password. Ideally, I would like a prompt for my password at the beginning of the script, store this password in a variable and then pass this variable in my ssh command to execute sudo commands on the remote server.



    This is where I'm stuck. I have read countless posts about that but half of them suggest to use this:



    ssh $HOST 'echo $PASSWORD | sudo -S $COMMMAND'


    which is dangerous since it exposes my password, and half of them suggest to disallow the need for a password for sudo commands on the remote server.



    Are these really the only two solutions?










    share|improve this question



























      2












      2








      2


      1






      I have a very long bash script, at the end of it is a command to execute sudo commands on a remote server:



      10 hours of local processing

      ssh user@ip "sudo ls"


      I have set up ssh keys to connect to the server and it's working, but it's not enough to run sudo commands. Also because this command is at the end of my script, I don't want to wait for an interactive prompt for the sudo password. Ideally, I would like a prompt for my password at the beginning of the script, store this password in a variable and then pass this variable in my ssh command to execute sudo commands on the remote server.



      This is where I'm stuck. I have read countless posts about that but half of them suggest to use this:



      ssh $HOST 'echo $PASSWORD | sudo -S $COMMMAND'


      which is dangerous since it exposes my password, and half of them suggest to disallow the need for a password for sudo commands on the remote server.



      Are these really the only two solutions?










      share|improve this question
















      I have a very long bash script, at the end of it is a command to execute sudo commands on a remote server:



      10 hours of local processing

      ssh user@ip "sudo ls"


      I have set up ssh keys to connect to the server and it's working, but it's not enough to run sudo commands. Also because this command is at the end of my script, I don't want to wait for an interactive prompt for the sudo password. Ideally, I would like a prompt for my password at the beginning of the script, store this password in a variable and then pass this variable in my ssh command to execute sudo commands on the remote server.



      This is where I'm stuck. I have read countless posts about that but half of them suggest to use this:



      ssh $HOST 'echo $PASSWORD | sudo -S $COMMMAND'


      which is dangerous since it exposes my password, and half of them suggest to disallow the need for a password for sudo commands on the remote server.



      Are these really the only two solutions?







      ssh sudo sshpass






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Feb 17 at 17:06









      ctrl-alt-delor

      11.9k42260




      11.9k42260










      asked Feb 17 at 15:47









      SulliSulli

      1112




      1112






















          1 Answer
          1






          active

          oldest

          votes


















          1














          You can add sudo --validate to the start, it will ask for the password at the start, and cache if for (by default) 15 minutes.



          You can edit /etc/sudoers, to add exceptions (commands that can be run without passwords). (This may not be appropriate.)



          You could run the whole thing as root, but then drop privileges, and run a sub-shell, the root shell will just wait for the sub-shell to finish, then do its bit.



          Add an ssh-key for root, so that you can connect as root.






          share|improve this answer


























          • The first and last solutions you suggest are not adapted for running sudo on a remote server, am I right? They will allow to run sudo commands on the local but not remote host. As for the second solution, it is not appropriate for me, I have many different sudo commands to run.

            – Sulli
            Feb 17 at 16:28











          • @Sulli, why are the first and last solutions not adapted for running sudo on a remote server?

            – sudodus
            Feb 17 at 16:53











          • @sudodus Because sudo --validate will cache the password on the local host but not the remote server? Or should I do something like ssh $host "sudo --validate" then run my commands locally then again ssh $host "sudo my_commands" at the end of my script? Would that work or sudo --validate is only for the current session?

            – Sulli
            Feb 17 at 16:58






          • 1





            While it was not designed for remote (as is the case with all commands), it makes no difference. You need to run sudo --validate on the same machine/session that you will later run sudo on. Similar for the 3rd option (it all runs on the remote end).

            – ctrl-alt-delor
            Feb 17 at 16:59











          • Are you saying, that most of the script is running locally, then at the end it connects to the remote, to run one last command with sudo?

            – ctrl-alt-delor
            Feb 17 at 17:02











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "106"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f501182%2fhow-to-safely-pass-password-to-a-remote-server-to-execute-sudo-commands%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1














          You can add sudo --validate to the start, it will ask for the password at the start, and cache if for (by default) 15 minutes.



          You can edit /etc/sudoers, to add exceptions (commands that can be run without passwords). (This may not be appropriate.)



          You could run the whole thing as root, but then drop privileges, and run a sub-shell, the root shell will just wait for the sub-shell to finish, then do its bit.



          Add an ssh-key for root, so that you can connect as root.






          share|improve this answer


























          • The first and last solutions you suggest are not adapted for running sudo on a remote server, am I right? They will allow to run sudo commands on the local but not remote host. As for the second solution, it is not appropriate for me, I have many different sudo commands to run.

            – Sulli
            Feb 17 at 16:28











          • @Sulli, why are the first and last solutions not adapted for running sudo on a remote server?

            – sudodus
            Feb 17 at 16:53











          • @sudodus Because sudo --validate will cache the password on the local host but not the remote server? Or should I do something like ssh $host "sudo --validate" then run my commands locally then again ssh $host "sudo my_commands" at the end of my script? Would that work or sudo --validate is only for the current session?

            – Sulli
            Feb 17 at 16:58






          • 1





            While it was not designed for remote (as is the case with all commands), it makes no difference. You need to run sudo --validate on the same machine/session that you will later run sudo on. Similar for the 3rd option (it all runs on the remote end).

            – ctrl-alt-delor
            Feb 17 at 16:59











          • Are you saying, that most of the script is running locally, then at the end it connects to the remote, to run one last command with sudo?

            – ctrl-alt-delor
            Feb 17 at 17:02
















          1














          You can add sudo --validate to the start, it will ask for the password at the start, and cache if for (by default) 15 minutes.



          You can edit /etc/sudoers, to add exceptions (commands that can be run without passwords). (This may not be appropriate.)



          You could run the whole thing as root, but then drop privileges, and run a sub-shell, the root shell will just wait for the sub-shell to finish, then do its bit.



          Add an ssh-key for root, so that you can connect as root.






          share|improve this answer


























          • The first and last solutions you suggest are not adapted for running sudo on a remote server, am I right? They will allow to run sudo commands on the local but not remote host. As for the second solution, it is not appropriate for me, I have many different sudo commands to run.

            – Sulli
            Feb 17 at 16:28











          • @Sulli, why are the first and last solutions not adapted for running sudo on a remote server?

            – sudodus
            Feb 17 at 16:53











          • @sudodus Because sudo --validate will cache the password on the local host but not the remote server? Or should I do something like ssh $host "sudo --validate" then run my commands locally then again ssh $host "sudo my_commands" at the end of my script? Would that work or sudo --validate is only for the current session?

            – Sulli
            Feb 17 at 16:58






          • 1





            While it was not designed for remote (as is the case with all commands), it makes no difference. You need to run sudo --validate on the same machine/session that you will later run sudo on. Similar for the 3rd option (it all runs on the remote end).

            – ctrl-alt-delor
            Feb 17 at 16:59











          • Are you saying, that most of the script is running locally, then at the end it connects to the remote, to run one last command with sudo?

            – ctrl-alt-delor
            Feb 17 at 17:02














          1












          1








          1







          You can add sudo --validate to the start, it will ask for the password at the start, and cache if for (by default) 15 minutes.



          You can edit /etc/sudoers, to add exceptions (commands that can be run without passwords). (This may not be appropriate.)



          You could run the whole thing as root, but then drop privileges, and run a sub-shell, the root shell will just wait for the sub-shell to finish, then do its bit.



          Add an ssh-key for root, so that you can connect as root.






          share|improve this answer















          You can add sudo --validate to the start, it will ask for the password at the start, and cache if for (by default) 15 minutes.



          You can edit /etc/sudoers, to add exceptions (commands that can be run without passwords). (This may not be appropriate.)



          You could run the whole thing as root, but then drop privileges, and run a sub-shell, the root shell will just wait for the sub-shell to finish, then do its bit.



          Add an ssh-key for root, so that you can connect as root.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Feb 17 at 17:03

























          answered Feb 17 at 16:01









          ctrl-alt-delorctrl-alt-delor

          11.9k42260




          11.9k42260













          • The first and last solutions you suggest are not adapted for running sudo on a remote server, am I right? They will allow to run sudo commands on the local but not remote host. As for the second solution, it is not appropriate for me, I have many different sudo commands to run.

            – Sulli
            Feb 17 at 16:28











          • @Sulli, why are the first and last solutions not adapted for running sudo on a remote server?

            – sudodus
            Feb 17 at 16:53











          • @sudodus Because sudo --validate will cache the password on the local host but not the remote server? Or should I do something like ssh $host "sudo --validate" then run my commands locally then again ssh $host "sudo my_commands" at the end of my script? Would that work or sudo --validate is only for the current session?

            – Sulli
            Feb 17 at 16:58






          • 1





            While it was not designed for remote (as is the case with all commands), it makes no difference. You need to run sudo --validate on the same machine/session that you will later run sudo on. Similar for the 3rd option (it all runs on the remote end).

            – ctrl-alt-delor
            Feb 17 at 16:59











          • Are you saying, that most of the script is running locally, then at the end it connects to the remote, to run one last command with sudo?

            – ctrl-alt-delor
            Feb 17 at 17:02



















          • The first and last solutions you suggest are not adapted for running sudo on a remote server, am I right? They will allow to run sudo commands on the local but not remote host. As for the second solution, it is not appropriate for me, I have many different sudo commands to run.

            – Sulli
            Feb 17 at 16:28











          • @Sulli, why are the first and last solutions not adapted for running sudo on a remote server?

            – sudodus
            Feb 17 at 16:53











          • @sudodus Because sudo --validate will cache the password on the local host but not the remote server? Or should I do something like ssh $host "sudo --validate" then run my commands locally then again ssh $host "sudo my_commands" at the end of my script? Would that work or sudo --validate is only for the current session?

            – Sulli
            Feb 17 at 16:58






          • 1





            While it was not designed for remote (as is the case with all commands), it makes no difference. You need to run sudo --validate on the same machine/session that you will later run sudo on. Similar for the 3rd option (it all runs on the remote end).

            – ctrl-alt-delor
            Feb 17 at 16:59











          • Are you saying, that most of the script is running locally, then at the end it connects to the remote, to run one last command with sudo?

            – ctrl-alt-delor
            Feb 17 at 17:02

















          The first and last solutions you suggest are not adapted for running sudo on a remote server, am I right? They will allow to run sudo commands on the local but not remote host. As for the second solution, it is not appropriate for me, I have many different sudo commands to run.

          – Sulli
          Feb 17 at 16:28





          The first and last solutions you suggest are not adapted for running sudo on a remote server, am I right? They will allow to run sudo commands on the local but not remote host. As for the second solution, it is not appropriate for me, I have many different sudo commands to run.

          – Sulli
          Feb 17 at 16:28













          @Sulli, why are the first and last solutions not adapted for running sudo on a remote server?

          – sudodus
          Feb 17 at 16:53





          @Sulli, why are the first and last solutions not adapted for running sudo on a remote server?

          – sudodus
          Feb 17 at 16:53













          @sudodus Because sudo --validate will cache the password on the local host but not the remote server? Or should I do something like ssh $host "sudo --validate" then run my commands locally then again ssh $host "sudo my_commands" at the end of my script? Would that work or sudo --validate is only for the current session?

          – Sulli
          Feb 17 at 16:58





          @sudodus Because sudo --validate will cache the password on the local host but not the remote server? Or should I do something like ssh $host "sudo --validate" then run my commands locally then again ssh $host "sudo my_commands" at the end of my script? Would that work or sudo --validate is only for the current session?

          – Sulli
          Feb 17 at 16:58




          1




          1





          While it was not designed for remote (as is the case with all commands), it makes no difference. You need to run sudo --validate on the same machine/session that you will later run sudo on. Similar for the 3rd option (it all runs on the remote end).

          – ctrl-alt-delor
          Feb 17 at 16:59





          While it was not designed for remote (as is the case with all commands), it makes no difference. You need to run sudo --validate on the same machine/session that you will later run sudo on. Similar for the 3rd option (it all runs on the remote end).

          – ctrl-alt-delor
          Feb 17 at 16:59













          Are you saying, that most of the script is running locally, then at the end it connects to the remote, to run one last command with sudo?

          – ctrl-alt-delor
          Feb 17 at 17:02





          Are you saying, that most of the script is running locally, then at the end it connects to the remote, to run one last command with sudo?

          – ctrl-alt-delor
          Feb 17 at 17:02


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Unix & Linux Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f501182%2fhow-to-safely-pass-password-to-a-remote-server-to-execute-sudo-commands%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          How to make a Squid Proxy server?

          Is this a new Fibonacci Identity?

          19世紀