Shell – How to run sudo commands remotely via ssh -t

shell-scriptsshsudo

I have a script that logs into a remote host via ssh -t and uses sudo service foo restart.

The requirement is to avoid the prompt for a password on the remote host. The remote host authenticates via SSH certificate. The sudoers file on the remote host allows that user to execute the service command with NOPASSWD.

However, during my tests, I'm prompted for a password and this is unacceptable. If I run this manually without the -t flag, it works. However the -t flag throws everything off.

Is there a way around this?

Best Answer

Maybe disabling the requiretty option in sudoers and running ssh without the -t flag (or with -T) works.

Add something like this to sudoers (untested):

Defaults:{your ssh user} !requiretty

Combine that with the NOPASSWD you're already using and you should be able to run the sudo command without a pseudo-tty allocated.

You could also change requiretty for the command instead of the user.

Related Solutions

Ssh – Why ssh-copy-id prompts for the local user password three times

ssh-copy-id is just a wrapper shell script performing these steps:

Find the public key(s), this includes talking to the SSH agent for which keys it has available.
log in to the remote server like any other SSH client
copy one or more public keys to the remote server in a file .ssh/authorized_keys, including creating the directory if it does not exist with the right permissions.

You can see for yourself what it is doing by reading the /usr/bin/ssh-copy-id. Copy over the file, add some debugging to the code to see what happens and what the values of variables are during the execution.

Ssh – Use sudo with ssh command and capturing stdout

You can pass the -S option[0] to sudo, so it can accept the password from stdin instead of requiring a tty.

This will probably cause your password to echo to the terminal, so try turning echo off yourself:

$ stty -echo; ssh user@remote "sudo cat /root/file.tar | gzip" > root-file.tar.gz
[sudo] password for user:
$

[0] From the manpage: The ‑S (stdin) option causes sudo to read the password from the standard input instead of the terminal device. The password must be followed by a newline character.

Best Answer

Related Solutions

Ssh – Why ssh-copy-id prompts for the local user password three times

Ssh – Use sudo with ssh command and capturing stdout

Related Question