How to remote execute ssh command a sudo command without password

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite
2












I'm not exactly sure to title this question, but let me explain.



Situation:
I have a linux (debian based) server which is configured to allow SSH session to the user 'admin', but not the user 'root'. Both these accounts are linked somehow because they share the same password.



During an SSH session as admin, 'sudo' is required to run commands, unless I switch to the user 'root'.



I have some services on which I need to run now and then, or even at system startup. I'm currently using private/public key mechanism to remote execute commands on the server. Some of the commands are manually typed, others are shell scripts that I execute.
Currently the server still asks for password when a command has uses sudo.



Question:
How can remote execute as user 'admin' without supplying the password?
Is it possible to use a private/public key to satisfy sudo?
Or perhaps even a way to start shell scripts as the user 'root'?



Is it even possible to avoid having to type the password using sudo? If not, are they other alternatives for situation like mine?










share|improve this question

















  • 3




    This depends on the configuration of sudo on the remote host.
    – Kusalananda
    Oct 3 '17 at 8:13














up vote
0
down vote

favorite
2












I'm not exactly sure to title this question, but let me explain.



Situation:
I have a linux (debian based) server which is configured to allow SSH session to the user 'admin', but not the user 'root'. Both these accounts are linked somehow because they share the same password.



During an SSH session as admin, 'sudo' is required to run commands, unless I switch to the user 'root'.



I have some services on which I need to run now and then, or even at system startup. I'm currently using private/public key mechanism to remote execute commands on the server. Some of the commands are manually typed, others are shell scripts that I execute.
Currently the server still asks for password when a command has uses sudo.



Question:
How can remote execute as user 'admin' without supplying the password?
Is it possible to use a private/public key to satisfy sudo?
Or perhaps even a way to start shell scripts as the user 'root'?



Is it even possible to avoid having to type the password using sudo? If not, are they other alternatives for situation like mine?










share|improve this question

















  • 3




    This depends on the configuration of sudo on the remote host.
    – Kusalananda
    Oct 3 '17 at 8:13












up vote
0
down vote

favorite
2









up vote
0
down vote

favorite
2






2





I'm not exactly sure to title this question, but let me explain.



Situation:
I have a linux (debian based) server which is configured to allow SSH session to the user 'admin', but not the user 'root'. Both these accounts are linked somehow because they share the same password.



During an SSH session as admin, 'sudo' is required to run commands, unless I switch to the user 'root'.



I have some services on which I need to run now and then, or even at system startup. I'm currently using private/public key mechanism to remote execute commands on the server. Some of the commands are manually typed, others are shell scripts that I execute.
Currently the server still asks for password when a command has uses sudo.



Question:
How can remote execute as user 'admin' without supplying the password?
Is it possible to use a private/public key to satisfy sudo?
Or perhaps even a way to start shell scripts as the user 'root'?



Is it even possible to avoid having to type the password using sudo? If not, are they other alternatives for situation like mine?










share|improve this question













I'm not exactly sure to title this question, but let me explain.



Situation:
I have a linux (debian based) server which is configured to allow SSH session to the user 'admin', but not the user 'root'. Both these accounts are linked somehow because they share the same password.



During an SSH session as admin, 'sudo' is required to run commands, unless I switch to the user 'root'.



I have some services on which I need to run now and then, or even at system startup. I'm currently using private/public key mechanism to remote execute commands on the server. Some of the commands are manually typed, others are shell scripts that I execute.
Currently the server still asks for password when a command has uses sudo.



Question:
How can remote execute as user 'admin' without supplying the password?
Is it possible to use a private/public key to satisfy sudo?
Or perhaps even a way to start shell scripts as the user 'root'?



Is it even possible to avoid having to type the password using sudo? If not, are they other alternatives for situation like mine?







linux debian ssh sudo remote






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Oct 3 '17 at 8:06









izack

312




312







  • 3




    This depends on the configuration of sudo on the remote host.
    – Kusalananda
    Oct 3 '17 at 8:13












  • 3




    This depends on the configuration of sudo on the remote host.
    – Kusalananda
    Oct 3 '17 at 8:13







3




3




This depends on the configuration of sudo on the remote host.
– Kusalananda
Oct 3 '17 at 8:13




This depends on the configuration of sudo on the remote host.
– Kusalananda
Oct 3 '17 at 8:13










4 Answers
4






active

oldest

votes

















up vote
6
down vote



accepted










you can tell sudo to skip password for some command.



e.g. in /etc/sudoers



archemar ALL = (www-data) NOPASSWD: /bin/rm -rf /var/www/log/upload.*


this allow me to use



sudo -u www-data /bin/rm -rf /var/www/log/upload.*


as archemar without password.



Note that



sudo -u www-data rm -rf /var/www/log/upload.*


won't work (will ask a password) as rm differ from /bin/rm.



Be sure to edit /etc/sudoers using visudo command.



Once you've reach advanced level, you might whish to have your own sudo files in /etc/sudoers.d.






share|improve this answer






















  • This might just be what I'm looking for. I will have to put it to test and see.
    – izack
    Oct 3 '17 at 8:45










  • This was a great input. Thank you so much. Luckily I discovered the dangers of editing that file before actually doing it. For future visitors, you MUST use the 'visudo' tool to edit, and be careful not to change the owner of the file or you risk lockout.
    – izack
    Oct 4 '17 at 7:24

















up vote
0
down vote













The most simple way is to provide password from stdin if your sudo supports that (-S key)



ssh -t admin@remotehost "echo <yourpassword> |sudo -S <yourcommand>"





share|improve this answer
















  • 1




    My sudo does support the -S key. Good to know about this. I will keep this as an alternative. because generally I prefer avoiding to type my root password at all. But thanks for the input
    – izack
    Oct 3 '17 at 8:41






  • 1




    This is bad because the password will be shown in many places (on screen, in process list, in history files)
    – Patrick Mevzek
    Oct 8 '17 at 1:12

















up vote
0
down vote













To add to Archemar's answer, sudo asks for the password of the user running sudo, not the user the command will be run as. You say that the 'admin' and 'root' accounts are 'linked' and share the same password. If you have come to this conclusion based on sudo accepting the password for the 'admin' account (and the password sudo accepts changing when the password for 'admin' is changed), this is normal behaviour for sudo.






share|improve this answer




















  • Yes, I came to this conclusion based on sudo accepting the same password for both admin and root user. I never changed the password since I initially set it and it was through an GUI so this link is only simulated by setting the password on both user accounts. I think this was done to allow the installation of packages without implicitly inheriting root permission
    – izack
    Oct 9 '17 at 14:17


















up vote
0
down vote













If the accounts are linked somehow it makes no sense to allow ssh for one and not the other. Here is what I would do instead:



  • enable ssh for root, allowing only access with ssh keys and not with a password

  • create a new key that will be used only for your specific command

  • put the key and the command you need to execute in authorized_keys of root, so that as soon as a connection is made with this key, the command is launched.

This is secure because in that way the caller can not have a shell nor execute any other command (even if he provides one).



You can see an example here: https://stackoverflow.com/questions/402615/how-to-restrict-ssh-users-to-a-predefined-set-of-commands-after-login with the command= syntax. You can also do the same thing by embedding the command in the certificate if you use certificates instead of keys, or do it globally using the configuration option ForceCommand



See http://larstobi.blogspot.com/2011/01/restrict-ssh-access-to-one-command-but.html for another example (which illustrates that you need to take into account parameters of your command)






share|improve this answer






















  • Hi Patrick. I did some digging and I now believe the accounts aren't linked per-se but rather just share the same password. Changing 1, causes the other to change. But yes, it does not make sense when both share the same password, as getting hold of admin password will let you act as root anyway. Your solution sounds interesting. How do I setup a key that will be used only for specific command or commands? Any example or link to resource will be greatly appreciated.
    – izack
    Oct 9 '17 at 14:11










  • I edited my answer with more info. Your case about one password for two accounts is strange. Are you sure they are not the same account? The name does not count, you have to compare their UID. Launch command id under both account and compare the result at beginning (uid=...)
    – Patrick Mevzek
    Oct 9 '17 at 14:34










  • Thanks for the resource. I checked the uid and they do not match. So definitely no the same account
    – izack
    Oct 10 '17 at 8:55










Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f395776%2fhow-to-remote-execute-ssh-command-a-sudo-command-without-password%23new-answer', 'question_page');

);

Post as a guest






























4 Answers
4






active

oldest

votes








4 Answers
4






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
6
down vote



accepted










you can tell sudo to skip password for some command.



e.g. in /etc/sudoers



archemar ALL = (www-data) NOPASSWD: /bin/rm -rf /var/www/log/upload.*


this allow me to use



sudo -u www-data /bin/rm -rf /var/www/log/upload.*


as archemar without password.



Note that



sudo -u www-data rm -rf /var/www/log/upload.*


won't work (will ask a password) as rm differ from /bin/rm.



Be sure to edit /etc/sudoers using visudo command.



Once you've reach advanced level, you might whish to have your own sudo files in /etc/sudoers.d.






share|improve this answer






















  • This might just be what I'm looking for. I will have to put it to test and see.
    – izack
    Oct 3 '17 at 8:45










  • This was a great input. Thank you so much. Luckily I discovered the dangers of editing that file before actually doing it. For future visitors, you MUST use the 'visudo' tool to edit, and be careful not to change the owner of the file or you risk lockout.
    – izack
    Oct 4 '17 at 7:24














up vote
6
down vote



accepted










you can tell sudo to skip password for some command.



e.g. in /etc/sudoers



archemar ALL = (www-data) NOPASSWD: /bin/rm -rf /var/www/log/upload.*


this allow me to use



sudo -u www-data /bin/rm -rf /var/www/log/upload.*


as archemar without password.



Note that



sudo -u www-data rm -rf /var/www/log/upload.*


won't work (will ask a password) as rm differ from /bin/rm.



Be sure to edit /etc/sudoers using visudo command.



Once you've reach advanced level, you might whish to have your own sudo files in /etc/sudoers.d.






share|improve this answer






















  • This might just be what I'm looking for. I will have to put it to test and see.
    – izack
    Oct 3 '17 at 8:45










  • This was a great input. Thank you so much. Luckily I discovered the dangers of editing that file before actually doing it. For future visitors, you MUST use the 'visudo' tool to edit, and be careful not to change the owner of the file or you risk lockout.
    – izack
    Oct 4 '17 at 7:24












up vote
6
down vote



accepted







up vote
6
down vote



accepted






you can tell sudo to skip password for some command.



e.g. in /etc/sudoers



archemar ALL = (www-data) NOPASSWD: /bin/rm -rf /var/www/log/upload.*


this allow me to use



sudo -u www-data /bin/rm -rf /var/www/log/upload.*


as archemar without password.



Note that



sudo -u www-data rm -rf /var/www/log/upload.*


won't work (will ask a password) as rm differ from /bin/rm.



Be sure to edit /etc/sudoers using visudo command.



Once you've reach advanced level, you might whish to have your own sudo files in /etc/sudoers.d.






share|improve this answer














you can tell sudo to skip password for some command.



e.g. in /etc/sudoers



archemar ALL = (www-data) NOPASSWD: /bin/rm -rf /var/www/log/upload.*


this allow me to use



sudo -u www-data /bin/rm -rf /var/www/log/upload.*


as archemar without password.



Note that



sudo -u www-data rm -rf /var/www/log/upload.*


won't work (will ask a password) as rm differ from /bin/rm.



Be sure to edit /etc/sudoers using visudo command.



Once you've reach advanced level, you might whish to have your own sudo files in /etc/sudoers.d.







share|improve this answer














share|improve this answer



share|improve this answer








edited Oct 4 '17 at 7:27

























answered Oct 3 '17 at 8:31









Archemar

19.1k93366




19.1k93366











  • This might just be what I'm looking for. I will have to put it to test and see.
    – izack
    Oct 3 '17 at 8:45










  • This was a great input. Thank you so much. Luckily I discovered the dangers of editing that file before actually doing it. For future visitors, you MUST use the 'visudo' tool to edit, and be careful not to change the owner of the file or you risk lockout.
    – izack
    Oct 4 '17 at 7:24
















  • This might just be what I'm looking for. I will have to put it to test and see.
    – izack
    Oct 3 '17 at 8:45










  • This was a great input. Thank you so much. Luckily I discovered the dangers of editing that file before actually doing it. For future visitors, you MUST use the 'visudo' tool to edit, and be careful not to change the owner of the file or you risk lockout.
    – izack
    Oct 4 '17 at 7:24















This might just be what I'm looking for. I will have to put it to test and see.
– izack
Oct 3 '17 at 8:45




This might just be what I'm looking for. I will have to put it to test and see.
– izack
Oct 3 '17 at 8:45












This was a great input. Thank you so much. Luckily I discovered the dangers of editing that file before actually doing it. For future visitors, you MUST use the 'visudo' tool to edit, and be careful not to change the owner of the file or you risk lockout.
– izack
Oct 4 '17 at 7:24




This was a great input. Thank you so much. Luckily I discovered the dangers of editing that file before actually doing it. For future visitors, you MUST use the 'visudo' tool to edit, and be careful not to change the owner of the file or you risk lockout.
– izack
Oct 4 '17 at 7:24












up vote
0
down vote













The most simple way is to provide password from stdin if your sudo supports that (-S key)



ssh -t admin@remotehost "echo <yourpassword> |sudo -S <yourcommand>"





share|improve this answer
















  • 1




    My sudo does support the -S key. Good to know about this. I will keep this as an alternative. because generally I prefer avoiding to type my root password at all. But thanks for the input
    – izack
    Oct 3 '17 at 8:41






  • 1




    This is bad because the password will be shown in many places (on screen, in process list, in history files)
    – Patrick Mevzek
    Oct 8 '17 at 1:12














up vote
0
down vote













The most simple way is to provide password from stdin if your sudo supports that (-S key)



ssh -t admin@remotehost "echo <yourpassword> |sudo -S <yourcommand>"





share|improve this answer
















  • 1




    My sudo does support the -S key. Good to know about this. I will keep this as an alternative. because generally I prefer avoiding to type my root password at all. But thanks for the input
    – izack
    Oct 3 '17 at 8:41






  • 1




    This is bad because the password will be shown in many places (on screen, in process list, in history files)
    – Patrick Mevzek
    Oct 8 '17 at 1:12












up vote
0
down vote










up vote
0
down vote









The most simple way is to provide password from stdin if your sudo supports that (-S key)



ssh -t admin@remotehost "echo <yourpassword> |sudo -S <yourcommand>"





share|improve this answer












The most simple way is to provide password from stdin if your sudo supports that (-S key)



ssh -t admin@remotehost "echo <yourpassword> |sudo -S <yourcommand>"






share|improve this answer












share|improve this answer



share|improve this answer










answered Oct 3 '17 at 8:26









user1700494

1,650311




1,650311







  • 1




    My sudo does support the -S key. Good to know about this. I will keep this as an alternative. because generally I prefer avoiding to type my root password at all. But thanks for the input
    – izack
    Oct 3 '17 at 8:41






  • 1




    This is bad because the password will be shown in many places (on screen, in process list, in history files)
    – Patrick Mevzek
    Oct 8 '17 at 1:12












  • 1




    My sudo does support the -S key. Good to know about this. I will keep this as an alternative. because generally I prefer avoiding to type my root password at all. But thanks for the input
    – izack
    Oct 3 '17 at 8:41






  • 1




    This is bad because the password will be shown in many places (on screen, in process list, in history files)
    – Patrick Mevzek
    Oct 8 '17 at 1:12







1




1




My sudo does support the -S key. Good to know about this. I will keep this as an alternative. because generally I prefer avoiding to type my root password at all. But thanks for the input
– izack
Oct 3 '17 at 8:41




My sudo does support the -S key. Good to know about this. I will keep this as an alternative. because generally I prefer avoiding to type my root password at all. But thanks for the input
– izack
Oct 3 '17 at 8:41




1




1




This is bad because the password will be shown in many places (on screen, in process list, in history files)
– Patrick Mevzek
Oct 8 '17 at 1:12




This is bad because the password will be shown in many places (on screen, in process list, in history files)
– Patrick Mevzek
Oct 8 '17 at 1:12










up vote
0
down vote













To add to Archemar's answer, sudo asks for the password of the user running sudo, not the user the command will be run as. You say that the 'admin' and 'root' accounts are 'linked' and share the same password. If you have come to this conclusion based on sudo accepting the password for the 'admin' account (and the password sudo accepts changing when the password for 'admin' is changed), this is normal behaviour for sudo.






share|improve this answer




















  • Yes, I came to this conclusion based on sudo accepting the same password for both admin and root user. I never changed the password since I initially set it and it was through an GUI so this link is only simulated by setting the password on both user accounts. I think this was done to allow the installation of packages without implicitly inheriting root permission
    – izack
    Oct 9 '17 at 14:17















up vote
0
down vote













To add to Archemar's answer, sudo asks for the password of the user running sudo, not the user the command will be run as. You say that the 'admin' and 'root' accounts are 'linked' and share the same password. If you have come to this conclusion based on sudo accepting the password for the 'admin' account (and the password sudo accepts changing when the password for 'admin' is changed), this is normal behaviour for sudo.






share|improve this answer




















  • Yes, I came to this conclusion based on sudo accepting the same password for both admin and root user. I never changed the password since I initially set it and it was through an GUI so this link is only simulated by setting the password on both user accounts. I think this was done to allow the installation of packages without implicitly inheriting root permission
    – izack
    Oct 9 '17 at 14:17













up vote
0
down vote










up vote
0
down vote









To add to Archemar's answer, sudo asks for the password of the user running sudo, not the user the command will be run as. You say that the 'admin' and 'root' accounts are 'linked' and share the same password. If you have come to this conclusion based on sudo accepting the password for the 'admin' account (and the password sudo accepts changing when the password for 'admin' is changed), this is normal behaviour for sudo.






share|improve this answer












To add to Archemar's answer, sudo asks for the password of the user running sudo, not the user the command will be run as. You say that the 'admin' and 'root' accounts are 'linked' and share the same password. If you have come to this conclusion based on sudo accepting the password for the 'admin' account (and the password sudo accepts changing when the password for 'admin' is changed), this is normal behaviour for sudo.







share|improve this answer












share|improve this answer



share|improve this answer










answered Oct 8 '17 at 8:07









Aaron

638




638











  • Yes, I came to this conclusion based on sudo accepting the same password for both admin and root user. I never changed the password since I initially set it and it was through an GUI so this link is only simulated by setting the password on both user accounts. I think this was done to allow the installation of packages without implicitly inheriting root permission
    – izack
    Oct 9 '17 at 14:17

















  • Yes, I came to this conclusion based on sudo accepting the same password for both admin and root user. I never changed the password since I initially set it and it was through an GUI so this link is only simulated by setting the password on both user accounts. I think this was done to allow the installation of packages without implicitly inheriting root permission
    – izack
    Oct 9 '17 at 14:17
















Yes, I came to this conclusion based on sudo accepting the same password for both admin and root user. I never changed the password since I initially set it and it was through an GUI so this link is only simulated by setting the password on both user accounts. I think this was done to allow the installation of packages without implicitly inheriting root permission
– izack
Oct 9 '17 at 14:17





Yes, I came to this conclusion based on sudo accepting the same password for both admin and root user. I never changed the password since I initially set it and it was through an GUI so this link is only simulated by setting the password on both user accounts. I think this was done to allow the installation of packages without implicitly inheriting root permission
– izack
Oct 9 '17 at 14:17











up vote
0
down vote













If the accounts are linked somehow it makes no sense to allow ssh for one and not the other. Here is what I would do instead:



  • enable ssh for root, allowing only access with ssh keys and not with a password

  • create a new key that will be used only for your specific command

  • put the key and the command you need to execute in authorized_keys of root, so that as soon as a connection is made with this key, the command is launched.

This is secure because in that way the caller can not have a shell nor execute any other command (even if he provides one).



You can see an example here: https://stackoverflow.com/questions/402615/how-to-restrict-ssh-users-to-a-predefined-set-of-commands-after-login with the command= syntax. You can also do the same thing by embedding the command in the certificate if you use certificates instead of keys, or do it globally using the configuration option ForceCommand



See http://larstobi.blogspot.com/2011/01/restrict-ssh-access-to-one-command-but.html for another example (which illustrates that you need to take into account parameters of your command)






share|improve this answer






















  • Hi Patrick. I did some digging and I now believe the accounts aren't linked per-se but rather just share the same password. Changing 1, causes the other to change. But yes, it does not make sense when both share the same password, as getting hold of admin password will let you act as root anyway. Your solution sounds interesting. How do I setup a key that will be used only for specific command or commands? Any example or link to resource will be greatly appreciated.
    – izack
    Oct 9 '17 at 14:11










  • I edited my answer with more info. Your case about one password for two accounts is strange. Are you sure they are not the same account? The name does not count, you have to compare their UID. Launch command id under both account and compare the result at beginning (uid=...)
    – Patrick Mevzek
    Oct 9 '17 at 14:34










  • Thanks for the resource. I checked the uid and they do not match. So definitely no the same account
    – izack
    Oct 10 '17 at 8:55














up vote
0
down vote













If the accounts are linked somehow it makes no sense to allow ssh for one and not the other. Here is what I would do instead:



  • enable ssh for root, allowing only access with ssh keys and not with a password

  • create a new key that will be used only for your specific command

  • put the key and the command you need to execute in authorized_keys of root, so that as soon as a connection is made with this key, the command is launched.

This is secure because in that way the caller can not have a shell nor execute any other command (even if he provides one).



You can see an example here: https://stackoverflow.com/questions/402615/how-to-restrict-ssh-users-to-a-predefined-set-of-commands-after-login with the command= syntax. You can also do the same thing by embedding the command in the certificate if you use certificates instead of keys, or do it globally using the configuration option ForceCommand



See http://larstobi.blogspot.com/2011/01/restrict-ssh-access-to-one-command-but.html for another example (which illustrates that you need to take into account parameters of your command)






share|improve this answer






















  • Hi Patrick. I did some digging and I now believe the accounts aren't linked per-se but rather just share the same password. Changing 1, causes the other to change. But yes, it does not make sense when both share the same password, as getting hold of admin password will let you act as root anyway. Your solution sounds interesting. How do I setup a key that will be used only for specific command or commands? Any example or link to resource will be greatly appreciated.
    – izack
    Oct 9 '17 at 14:11










  • I edited my answer with more info. Your case about one password for two accounts is strange. Are you sure they are not the same account? The name does not count, you have to compare their UID. Launch command id under both account and compare the result at beginning (uid=...)
    – Patrick Mevzek
    Oct 9 '17 at 14:34










  • Thanks for the resource. I checked the uid and they do not match. So definitely no the same account
    – izack
    Oct 10 '17 at 8:55












up vote
0
down vote










up vote
0
down vote









If the accounts are linked somehow it makes no sense to allow ssh for one and not the other. Here is what I would do instead:



  • enable ssh for root, allowing only access with ssh keys and not with a password

  • create a new key that will be used only for your specific command

  • put the key and the command you need to execute in authorized_keys of root, so that as soon as a connection is made with this key, the command is launched.

This is secure because in that way the caller can not have a shell nor execute any other command (even if he provides one).



You can see an example here: https://stackoverflow.com/questions/402615/how-to-restrict-ssh-users-to-a-predefined-set-of-commands-after-login with the command= syntax. You can also do the same thing by embedding the command in the certificate if you use certificates instead of keys, or do it globally using the configuration option ForceCommand



See http://larstobi.blogspot.com/2011/01/restrict-ssh-access-to-one-command-but.html for another example (which illustrates that you need to take into account parameters of your command)






share|improve this answer














If the accounts are linked somehow it makes no sense to allow ssh for one and not the other. Here is what I would do instead:



  • enable ssh for root, allowing only access with ssh keys and not with a password

  • create a new key that will be used only for your specific command

  • put the key and the command you need to execute in authorized_keys of root, so that as soon as a connection is made with this key, the command is launched.

This is secure because in that way the caller can not have a shell nor execute any other command (even if he provides one).



You can see an example here: https://stackoverflow.com/questions/402615/how-to-restrict-ssh-users-to-a-predefined-set-of-commands-after-login with the command= syntax. You can also do the same thing by embedding the command in the certificate if you use certificates instead of keys, or do it globally using the configuration option ForceCommand



See http://larstobi.blogspot.com/2011/01/restrict-ssh-access-to-one-command-but.html for another example (which illustrates that you need to take into account parameters of your command)







share|improve this answer














share|improve this answer



share|improve this answer








edited Oct 9 '17 at 14:36

























answered Oct 8 '17 at 1:11









Patrick Mevzek

2,0481721




2,0481721











  • Hi Patrick. I did some digging and I now believe the accounts aren't linked per-se but rather just share the same password. Changing 1, causes the other to change. But yes, it does not make sense when both share the same password, as getting hold of admin password will let you act as root anyway. Your solution sounds interesting. How do I setup a key that will be used only for specific command or commands? Any example or link to resource will be greatly appreciated.
    – izack
    Oct 9 '17 at 14:11










  • I edited my answer with more info. Your case about one password for two accounts is strange. Are you sure they are not the same account? The name does not count, you have to compare their UID. Launch command id under both account and compare the result at beginning (uid=...)
    – Patrick Mevzek
    Oct 9 '17 at 14:34










  • Thanks for the resource. I checked the uid and they do not match. So definitely no the same account
    – izack
    Oct 10 '17 at 8:55
















  • Hi Patrick. I did some digging and I now believe the accounts aren't linked per-se but rather just share the same password. Changing 1, causes the other to change. But yes, it does not make sense when both share the same password, as getting hold of admin password will let you act as root anyway. Your solution sounds interesting. How do I setup a key that will be used only for specific command or commands? Any example or link to resource will be greatly appreciated.
    – izack
    Oct 9 '17 at 14:11










  • I edited my answer with more info. Your case about one password for two accounts is strange. Are you sure they are not the same account? The name does not count, you have to compare their UID. Launch command id under both account and compare the result at beginning (uid=...)
    – Patrick Mevzek
    Oct 9 '17 at 14:34










  • Thanks for the resource. I checked the uid and they do not match. So definitely no the same account
    – izack
    Oct 10 '17 at 8:55















Hi Patrick. I did some digging and I now believe the accounts aren't linked per-se but rather just share the same password. Changing 1, causes the other to change. But yes, it does not make sense when both share the same password, as getting hold of admin password will let you act as root anyway. Your solution sounds interesting. How do I setup a key that will be used only for specific command or commands? Any example or link to resource will be greatly appreciated.
– izack
Oct 9 '17 at 14:11




Hi Patrick. I did some digging and I now believe the accounts aren't linked per-se but rather just share the same password. Changing 1, causes the other to change. But yes, it does not make sense when both share the same password, as getting hold of admin password will let you act as root anyway. Your solution sounds interesting. How do I setup a key that will be used only for specific command or commands? Any example or link to resource will be greatly appreciated.
– izack
Oct 9 '17 at 14:11












I edited my answer with more info. Your case about one password for two accounts is strange. Are you sure they are not the same account? The name does not count, you have to compare their UID. Launch command id under both account and compare the result at beginning (uid=...)
– Patrick Mevzek
Oct 9 '17 at 14:34




I edited my answer with more info. Your case about one password for two accounts is strange. Are you sure they are not the same account? The name does not count, you have to compare their UID. Launch command id under both account and compare the result at beginning (uid=...)
– Patrick Mevzek
Oct 9 '17 at 14:34












Thanks for the resource. I checked the uid and they do not match. So definitely no the same account
– izack
Oct 10 '17 at 8:55




Thanks for the resource. I checked the uid and they do not match. So definitely no the same account
– izack
Oct 10 '17 at 8:55

















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f395776%2fhow-to-remote-execute-ssh-command-a-sudo-command-without-password%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?