Ruby + SSH + Sudo

Hi all,

I am developping and application that connect through ssh to a host and
then try to launch a command with sudo.
I am using the net/ssh library, and I use the key-rsa authentication to
connect (so no password needed).


Net::SSH.start(host.name) do |session|
shell = session.shell.sync
shell.send_command(“sudo ps -ef”)
shell.exit
end
end

So the code is locked to the send_command as the host is waiting me to
fill the password. But I don’t find anyway of filling it. “.send_data”
doesn’t work.

Did I missed something ?

Thanks

Damien,

If you are truly using key authentication, you should not be prompted
for a
password. Since you are being prompted, you will either need to use a
“here” document or expect to provide the password.

Ron

On Mon, Aug 28, 2006, Ron Reidy wrote:

Damien,

If you are truly using key authentication, you should not be prompted for a
password. Since you are being prompted, you will either need to use a
“here” document or expect to provide the password.

The problem is that his script is waiting for the sudo password, not the
ssh password.

You can set the sudoers file to not require a password for certain users
(or groups, or commands, whatever) with the NOPASSWD flag. Check the
sudoers man page for more.

Ben

unknown wrote:

fill the password. But I don’t find anyway of filling it. “.send_data”
doesn’t work.

Did I missed something ?

The host is waiting for the ssh password or the sudo password? It may
not
meet your security requirements, but you could configure sudoers to
allow
that one user to run that small number of commands without a password:

Hi all,

Thanks for your answers. The script was waiting for the sudo password.
I thought there was a way to provide the password manually with ruby but
it seems that there is not.

So I modified the sudoers for not asking password.

there is a way to pass the password in using sudo. I forget the
syntax but the man page should have it. If you’re still curious
tomorrow, I’ll dig up some code I wrote to do exactly this.

Matt

fill the password. But I don’t find anyway of filling it. “.send_data”
doesn’t work.

Did I missed something ?

The host is waiting for the ssh password or the sudo password? It may
not
meet your security requirements, but you could configure sudoers to
allow
that one user to run that small number of commands without a password:

On 9/7/06, Matt R. [email protected] wrote:

there is a way to pass the password in using sudo. I forget the
syntax but the man page should have it. If you’re still curious
tomorrow, I’ll dig up some code I wrote to do exactly this.

FWIW, I can’t for the life of me find any options in man sudo (on an
Ubuntu Dapper) which allows the password to be given as an arg. The
only possibility might the the -a option

-a The -a (authentication type) option causes sudo to use the specified
authentication type when validating the user, as allowed by
/etc/login.conf. The system administrator may specify a list of
sudo-specific authentication methods by adding an “auth-sudo”
entry
in /etc/login.conf. This option is only available on systems
that support
BSD authentication where sudo has been configured with the
–with-bsdauth option.

This MAY allow it but it seems to require a specific system
configuration.


Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/

I am still curious =)

You can use a here document to pass the password, or use expect.

rr

On 9/8/06, Alex LeDonne [email protected] wrote:

On 9/7/06, Matt R. [email protected] wrote:

there is a way to pass the password in using sudo. I forget the
syntax but the man page should have it. If you’re still curious
tomorrow, I’ll dig up some code I wrote to do exactly this.

Matt

On my system, according to man sudo, -S causes sudo to read the
password from STDIN.

Yep, missed that one.

So:

echo secretPasswd | ssh -S command…

should do the trick


Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/

On 9/9/06, Rick DeNatale [email protected] wrote:
.

Yep, missed that one.

So:

echo secretPasswd | ssh -S command…

s/ssh/sudo/

Rick DeNatale wrote:

Yep, missed that one.

So:

echo secretPasswd | ssh -S command…

should do the trick

And hope no one does a ps -a at the time and get account pwd.

Might be best to use separate account with sudo privs without need of
pwd.

Just my 0.02 cents

On 9/15/06, Thomas [email protected] wrote:

password from STDIN.
And hope no one does a ps -a at the time and get account pwd.

Might be best to use separate account with sudo privs without need of pwd.

Just my 0.02 cents

Except this was [implicitly] in the context of executing the command
from within a program.

It’s an interesting thought though I’m not even sure that it’s an
issue if issued from the command line, this is on linux:

rick@frodo:/public/rubyscripts$ echo hello world | ruby -e
“sleep(10);puts readlines.join(’ ').chomp” & ps aux | grep hello
[1] 5136
rick 5138 0.0 0.1 2876 808 pts/2 S+ 16:27 0:00 grep
hello
rick@frodo:/public/rubyscripts$ hello world

Where the hello world showed up after the command prompt 10 seconds
later.


Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/

On 9/7/06, Matt R. [email protected] wrote:

there is a way to pass the password in using sudo. I forget the
syntax but the man page should have it. If you’re still curious
tomorrow, I’ll dig up some code I wrote to do exactly this.

Matt

On my system, according to man sudo, -S causes sudo to read the
password from STDIN.

-A

Sry, was really a backbone answer without thought.

One of the old hazards with using passwords on any kind of command line
is the risk of exposing it. I just never do it to be sure. I do not know
how big the risk really is today with current tools. Good old days was
full of shellscripts with all kind of obscure environment variables and
other crap.

On the other hand i do not see the problem with invoking it password
free, even if it’s within a app. Specific account, ssh logon via
embedded pwd or (even better if supported) keyfile. Sudo without
password. Sounds solid to me without the need to risk/expose anything.
And since you ssh anyway, you don’t need to stay in the boundaries of
same account.

Well, perhaps a dead horse anyhow, hope the original issue have been
resolved. This is after all not a Ruby-specific issue but rather a linux
opinion thingy.

Still learning Ruby, and having lots of fun.

/Thomas

Sry, was really a backbone answer without thought.

One of the old hazards with using passwords on any kind of command line
is the risk of exposing it. I just never do it to be sure. I do not know
how big the risk really is today with current tools. Good old days was
full of shellscripts with all kind of obscure environment variables and
other crap.

On the other hand i do not see the problem with invoking it password
free, even if it’s within a app. Specific account, ssh logon via
embedded pwd or (even better if supported) keyfile. Sudo without
password. Sounds solid to me without the need to risk/expose anything.
And since you ssh anyway, you don’t need to stay in the boundaries of
same account.

Well, perhaps a dead horse anyhow, hope the original issue have been
resolved. This is after all not a Ruby-specific issue but rather a linux
opinion thingy.

Still learning Ruby, and having lots of fun.

/Thomas