Ssh login as user and change to root, without sudo

sshsu

I have the following task:

the command has to be run as root on server remotely in bash script over ssh and the command output has to be fetched in variable.
logging over ssh as root is disabled.
sudo on server is disabled, so I have to use su.
EDIT: since I want to make it as automated as possible in bash, the password has to be stored inside command

I have Googled for days, but it seems that I cannot find a solution for this.

Solution proposed here: ssh to server and switch user and change a directory

    ssh -t username@hostname "sudo su - otheruser -c \"cd /path/to/directory && command\""

does not work because sudo is disabled on server:

Does anyone have a solution to this?

Best Answer

Perhaps somewhat off topic but this could be achieved with Python and the paramiko module:

#!/usr/bin/python2
import time
import paramiko

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('127.0.0.1', port=22, username='user', password='pass')

stdin, stdout, stderr = ssh.exec_command('su')
time.sleep(0.1) # some enviroment maybe need this.
stdin.write('root_password_goes_here\n')

[ add extra code here to execute a command ]

stdin.flush()
print (stdout.readlines())
ssh.close()

It should be noted that storing passwords in script generally is a bad idea from a security perspective. Make sure you have proper permissions set to the script (e.g. chmod 740)

Related Solutions

Ssh – Automated ssh login with passphrase

For automated logins you have to use keyless ssh keys as you would have to manually intervene at the startup and provide a pass-phrase and have to resupply it after an restart.

To secure such keys there are multiple solutions - see man sshd for more details:

Restrict the remote host for the key with the from= parameter, e.g:
```
from="*.example.com" ssh_key
```
this will only allow machines from example.com
Specify which command will be executed with the command= parameter, e.g:
```
command="some command" ssh_key
```
Use a dedicated user with an restricted shell or only with the necessary permissions, e.g. for backup the user can only run rsync with sudo.

SSH – Use SFTP with Sudo for Root Access and SSH Key Authentication

SFTP is a command access to file operations, with the restrictions from the account you use. You must use ssh for make more administrative operations, making impossible use sudo and SFTP at same time. If you need access to the entire disk without restriction using SFTP, do it using the root account. Anyway you can make a login with root on sftp and ssh at same time, of course, using two different sessions.

The security keys improve the security and make more easy the logging, not requiring keyboard input. Only helps to make login, you can had several passwords for every account user and had the same effect.

EDIT: I forgot: you can create another account with the same effect than root if you assign the user id to 0, but not had any sense, being dangerous in the same way. Could give some obfuscation if somebody try to login like root, but apart of that, not had much sense.

Best Answer

Related Solutions

Ssh – Automated ssh login with passphrase

SSH – Use SFTP with Sudo for Root Access and SSH Key Authentication

Related Question