Re: [CentOS] SSH Remote Execution - su?

2010-03-04 Thread Todd Rinaldo

On Mar 4, 2010, at 10:58 AM, Tim Nelson wrote:

> - "Les Mikesell"  wrote:
>> 
>> What's the problem with key-based ssh directly as root?
>> 
> 
> Not a thing, except I'd have to login and update that many systems before I'm 
> able to get any real work done. Maybe I'll use the presented expect scripting 
> (very similar to my test run) to get the appropriate keys installed, then 
> proceed using puppet et al. for the rest...
> 
> --Tim

perl Net::OpenSSH also would solve this problem. We successfully got it working 
for our needs. 

my ($in, $out, $err, $pid) = $ssh->open3({tty => 1}, $cmd, @args) or die ...

You may get a weird warning message from SSH when using sudo. CPAN RT #52687 
documents the reason and how to fix it. If you are interested, let me know and 
I can give you more details.


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SSH Remote Execution - su?

2010-03-04 Thread Les Mikesell
On 3/4/2010 10:58 AM, Tim Nelson wrote:
>>
>> What's the problem with key-based ssh directly as root?
>>
>
> Not a thing, except I'd have to login and update that many systems before I'm 
> able to get any real work done. Maybe I'll use the presented expect scripting 
> (very similar to my test run) to get the appropriate keys installed, then 
> proceed using puppet et al. for the rest...
>

If you have the ssh-copy-id program that uses a one-time password based 
command execution to install the remote key, you could probably run it 
with expect.  Personally I think it is better to include the key in all 
new installs that need central control instead of having the passwords 
all the same.

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] SSH Remote Execution - su?

2010-03-04 Thread Tim Nelson
- "Les Mikesell"  wrote:
> 
> What's the problem with key-based ssh directly as root?
> 

Not a thing, except I'd have to login and update that many systems before I'm 
able to get any real work done. Maybe I'll use the presented expect scripting 
(very similar to my test run) to get the appropriate keys installed, then 
proceed using puppet et al. for the rest...

--Tim


Re: [CentOS] SSH Remote Execution - su?

2010-03-04 Thread Les Mikesell
On 3/4/2010 10:16 AM, Chris Murphy wrote:
> I used to manage ~150 Linux desktops and would have to do one-off scripts
> to make updates.  Fortunately I found Puppet and now I never have to do
> things like this any more but here's the Bash/Expect combo that I used
> to use:
>
> chris$ ./mass_copy.sh:
>
> #!/bin/sh
> export ROOTPW='secret1'
> export ADMINPW='secret2'
>
> HIVES="machine1 machine2 machine3"
> for machine in $HIVES; do
>  /path/to/script/get_root.exp $machine
> done
>
> chris$ cat get_root.exp
> #!/usr/bin/expect -f
>
> set timeout 40
>
> spawn ssh [lrange $argv 0 0]
> expect "ad...@$argv's password:"
> send "$env(ADMINPW)\n"
> expect "\\$"
> send "exec su -\n"
> expect "Password: "
> send "$env(ROOTPW)\n"
> expect "#"
> send "/mnt/it_updates/update_something.sh\n"
> interact
> expect "\\#"
> send "exit\n"
>
> This was handed down to me by the sysadmin who was here before me and it
> worked great except sometimes it would not log out of each machine and I
> would have to babysit it and press CTRL-D after each run.  It can easily
> be expanded on to suit your needs, and maybe someone in the mailing list
> can refine it, but if this is your job and you think there is even the
> remotest possibility that you would have to do this again, seriously
> look into Puppet, Func, mCollective, really anything is easier than
> doing it this way.

What's the problem with key-based ssh directly as root?

-- 
   Les Mikesell
lesmikes...@gmail.com





Re: [CentOS] SSH Remote Execution - su?

2010-03-04 Thread Chris Murphy
I used to manage ~150 Linux desktops and would have to do one-off scripts
to make updates.  Fortunately I found Puppet and now I never have to do 
things like this any more but here's the Bash/Expect combo that I used 
to use:


chris$ ./mass_copy.sh:

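#!/bin/sh
# Passwords are handed to get_root.exp through the environment.
export ROOTPW='secret1'
export ADMINPW='secret2'

HIVES="machine1 machine2 machine3"
# $HIVES is left unquoted on purpose so it splits into one host per word.
for machine in $HIVES; do
    /path/to/script/get_root.exp "$machine"
done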

chris$ cat get_root.exp
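#!/usr/bin/expect -f

set timeout 40

# First argument is the host to connect to.
spawn ssh [lrange $argv 0 0]
expect "ad...@$argv's password:"
send "$env(ADMINPW)\n"
# Wait for the user shell prompt, then become root.
expect "\\$"
send "exec su -\n"
expect "Password: "
send "$env(ROOTPW)\n"
# Root prompt reached: run the update.
expect "#"
send "/mnt/it_updates/update_something.sh\n"
# interact hands the session to the keyboard; the lines below run only after it returns.
interact
expect "\\#"
send "exit\n"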

This was handed down to me by the sysadmin who was here before me and it 
worked great except sometimes it would not log out of each machine and I 
would have to babysit it and press CTRL-D after each run.  It can easily 
be expanded on to suit your needs, and maybe someone in the mailing list 
can refine it, but if this is your job and you think there is even the 
remotest possibility that you would have to do this again, seriously 
look into Puppet, Func, mCollective, really anything is easier than
doing it this way.


Chris



Re: [CentOS] SSH Remote Execution - su?

2010-03-04 Thread John Doe
From: Tim Nelson 
> I'm about to embark on some remote management testing and need a way to login
> to a remote system running CentOS 4.x/5.x via SSH, su to root (using a
> password), then execute a command.

Maybe try /etc/securetty

JD


  


Re: [CentOS] SSH Remote Execution - su?

2010-03-03 Thread Chris Geldenhuis
Tim Nelson wrote:
>
>
> Tim Nelson
> Systems/Network Support
> Rockbochs Inc.
> (218)727-4332 x105
>
> - "Jeremy Rosengren"  wrote:
> >
> > On Wed, Mar 3, 2010 at 3:36 PM, James Hogarth 
> mailto:james.hoga...@gmail.com>> wrote:
> >
>
> > On 3 March 2010 21:20, Tim Nelson  > wrote:
> > > Greetings All-
> > >
> > > I'm about to embark on some remote management testing and need
> a way to login to a remote system running CentOS 4.x/5.x via SSH,
> su to root (using a password), then execute a command.
> > >
> > > I currently login to the boxes using key based SSH like this:
> > >
> > > ssh -i ~/remote_key ad...@$remoteip
> > >
> > > Then, I SU to root. However, if I try to do this automatically
> like this:
> > >
> > > ssh -i ~/remote_key ad...@$remoteip 'su -l'
> > >
> > > I'm getting:
> > >
> > > "standard in must be a tty"
> > >
> > > So, how am I able to remote login using SSH, su to root, then
> execute a command as root?
> > >
> > > All comments and suggestions welcome. Thanks!
> > >
> > > --Tim
> > > ___
> > > CentOS mailing list
> > > CentOS@centos.org 
> > > http://lists.centos.org/mailman/listinfo/centos
> > >
> >
> >
> Best off configuring sudo for that user (with no password) and make
> > sure that user has !requiretty in the sudoers configuration.
> >
> > James
> >
> > ___
> > CentOS mailing list
> > CentOS@centos.org 
> > http://lists.centos.org/mailman/listinfo/centos
>
>
> >
> Does "ssh -t" help?
>
> YESS. It prevents the tty error from showing up and asks me for a 
> password as expected. BUT, how do I then automate the entering of the 
> password?
>
> John Kennedy mentioned using expect which I've used before but found
> it to be 'finicky'. I may have to look at it again...
>
> Changing settings such as sudo configuration or ssh config may be
> daunting since I have a large number of systems (150+) that would need
> to be modified. :-/
>
> --Tim
> 
>
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>   
I found that Python expect is far more logical and understandable for 
complex tasks than the expect command.

ChrisG


Re: [CentOS] SSH Remote Execution - su?

2010-03-03 Thread nate
Tim Nelson wrote:
> YESS. It prevents the tty error from showing up and asks me for a password
> as expected. BUT, how do I then automate the entering of the password?
>
> John Kennedy mentioned using expect which I've used before but found it to
> be 'finicky'. I may have to look at it again...
>
> Changing settings such as sudo configuration or ssh config may be daunting
> since I have a large number of systems (150+) that would need to be modified.
> :-/

Just login as root with ssh keys?

If you needed to somehow block brute force cracking attacks against
the root account either globally disable password auth, or it appears
you can use the option "PermitRootLogin without-password" to restrict
remote root logins via SSH to keys only. I haven't tried this option
myself.

nate
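
An added example, not part of nate's message: a shell check that reports, from one sshd_config file, whether root can still log in with a password or only with keys. It assumes whitespace-separated keywords, reads only the global section, and does not look at ChallengeResponseAuthentication or PAM.

```sh
#!/bin/sh
# Added example, not from the thread. Reports how root may log in over SSH
# according to one sshd_config file.
# Assumptions: keyword and value are separated by whitespace, only the global
# section (before the first Match line) is read, the first occurrence of a
# keyword wins as it does in sshd, and both keywords default to "yes".
# ChallengeResponseAuthentication and PAM are not examined.

# sshd_value FILE KEYWORD DEFAULT -> effective lower-cased value
sshd_value() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END                         { if (!found) print def }
    ' "$1"
}

# root_login_mode FILE -> password | key-only | forced-command | disabled
root_login_mode() {
    prl=$(sshd_value "$1" PermitRootLogin yes)
    pwd_auth=$(sshd_value "$1" PasswordAuthentication yes)
    case "$prl" in
        no)                   echo disabled ;;
        forced-commands-only) echo forced-command ;;
        without-password)     echo key-only ;;
        *)  if [ "$pwd_auth" = yes ]; then echo password; else echo key-only; fi ;;
    esac
}

# Constructed sample: the keys-only line is commented out, so root password
# login is still possible.
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin without-password' 'PermitRootLogin yes' \
    'Protocol 2' > "$sample"
echo "sample config: root login mode = $(root_login_mode "$sample")"
rm -f "$sample"
```

Run against a copy of each host's /etc/ssh/sshd_config, any host that reports "password" still accepts password guesses for root.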




Re: [CentOS] SSH Remote Execution - su?

2010-03-03 Thread Tim Nelson



Tim Nelson 
Systems/Network Support 
Rockbochs Inc. 
(218)727-4332 x105 

- "Jeremy Rosengren"  wrote: 
> 

> On Wed, Mar 3, 2010 at 3:36 PM, James Hogarth < james.hoga...@gmail.com > 
> wrote: 
> 




> On 3 March 2010 21:20, Tim Nelson < tnel...@rockbochs.com > wrote: 
> > Greetings All- 
> > 
> > I'm about to embark on some remote management testing and need a way to 
> > login to a remote system running CentOS 4.x/5.x via SSH, su to root (using 
> > a password), then execute a command. 
> > 
> > I currently login to the boxes using key based SSH like this: 
> > 
> > ssh -i ~/remote_key ad...@$remoteip 
> > 
> > Then, I SU to root. However, if I try to do this automatically like this: 
> > 
> > ssh -i ~/remote_key ad...@$remoteip 'su -l' 
> > 
> > I'm getting: 
> > 
> > "standard in must be a tty" 
> > 
> > So, how am I able to remote login using SSH, su to root, then execute a 
> > command as root? 
> > 
> > All comments and suggestions welcome. Thanks! 
> > 
> > --Tim 
> > ___ 
> > CentOS mailing list 
> > CentOS@centos.org 
> > http://lists.centos.org/mailman/listinfo/centos 
> > 
> 
> Best off configuring sudo for that user (with no password) and make 
> sure that user has !requiretty in the sudoers configuration. 
> 
> James 
> 


> ___ 
> CentOS mailing list 
> CentOS@centos.org 
> http://lists.centos.org/mailman/listinfo/centos 

> Does "ssh -t" help?

YESS. It prevents the tty error from showing up and asks me for a password as 
expected. BUT, how do I then automate the entering of the password? 

John Kennedy mentioned using expect which I've used before but found it to be
'finicky'. I may have to look at it again...

Changing settings such as sudo configuration or ssh config may be daunting
since I have a large number of systems (150+) that would need to be modified.
:-/

--Tim 


Re: [CentOS] SSH Remote Execution - su?

2010-03-03 Thread Benjamin Franz
Tim Nelson wrote:
> So, how am I able to remote login using SSH, su to root, then execute a 
> command as root?
>   
You would probably be better off setting up forced-commands-only
login for root and configuring the /root/.ssh/authorized_keys file
with the command you want to execute.

-- 
Benjamin Franz
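
An added example, not part of Benjamin's message: one way to set up the forced command, as a wrapper that runs only tasks named in an allowlist. The wrapper path /usr/local/sbin/root-dispatch, the task names and the key text are placeholders; /mnt/it_updates/update_something.sh is the script named elsewhere in this thread.

```sh
#!/bin/sh
# Added example, not from the thread: wrapper installed as the forced command
# for root's management key. Path, task names and key text are placeholders.
#
# sshd_config on each managed host:
#     PermitRootLogin forced-commands-only
# /root/.ssh/authorized_keys (a single line):
#     command="/usr/local/sbin/root-dispatch",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <PUBLIC-KEY-PLACEHOLDER> mgmt
# Call from the admin host:
#     ssh -i ~/remote_key root@"$remoteip" update-something
#
# sshd runs this wrapper whatever the client asked for and passes the
# client's request in SSH_ORIGINAL_COMMAND.

# resolve_task REQUEST -> prints the script for an allowed task, else returns 1.
# The whole request must equal a task name, so extra arguments or shell
# metacharacters make it fail.
resolve_task() {
    case "$1" in
        update-something) echo /mnt/it_updates/update_something.sh ;;
        uptime)           echo /usr/bin/uptime ;;
        *)                return 1 ;;
    esac
}

if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    # Invoked by sshd with a request: run the mapped script or refuse.
    if target=$(resolve_task "$SSH_ORIGINAL_COMMAND"); then
        exec "$target"
    fi
    echo "request rejected" >&2
    exit 1
else
    # Run by hand without a request: show decisions for constructed requests.
    for req in update-something 'update-something; id' 'uptime -p'; do
        resolve_task "$req" >/dev/null && echo "allow: $req" || echo "deny:  $req"
    done
fi
```

With this in place the management key can start the listed scripts as root but cannot open a shell, and no root password has to be stored in a script.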


Re: [CentOS] SSH Remote Execution - su?

2010-03-03 Thread John Kennedy
On Wednesday 03 March 2010 16:20:21 Tim Nelson wrote:
> Greetings All-
> 
> I'm about to embark on some remote management testing and need a way to
>  login to a remote system running CentOS 4.x/5.x via SSH, su to root (using
>  a password), then execute a command.
> 
> I currently login to the boxes using key based SSH like this:
> 
> ssh -i ~/remote_key ad...@$remoteip
> 
> Then, I SU to root. However, if I try to do this automatically like this:
> 
> ssh -i ~/remote_key ad...@$remoteip 'su -l'
> 
> I'm getting:
> 
> "standard in must be a tty"
> 
> So, how am I able to remote login using SSH, su to root, then execute a
>  command as root?
> 
> All comments and suggestions welcome. Thanks!
> 
> --Tim
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 
You could use an expect script to ssh to the box then su to root with the 
password. You can have the script ask for the password so it is not hard coded 
or used on the command line. Expect can allow you to interact with the shell 
once you have su'd.
I have used a combination of bash and expect scripting to get stats from 
multiple boxes and it works a treat.
If you need more details/help, let me know.
John


Re: [CentOS] SSH Remote Execution - su?

2010-03-03 Thread Jeremy Rosengren
On Wed, Mar 3, 2010 at 3:36 PM, James Hogarth wrote:

> On 3 March 2010 21:20, Tim Nelson  wrote:
> > Greetings All-
> >
> > I'm about to embark on some remote management testing and need a way to
> login to a remote system running CentOS 4.x/5.x via SSH, su to root (using a
> password), then execute a command.
> >
> > I currently login to the boxes using key based SSH like this:
> >
> > ssh -i ~/remote_key ad...@$remoteip
> >
> > Then, I SU to root. However, if I try to do this automatically like this:
> >
> > ssh -i ~/remote_key ad...@$remoteip 'su -l'
> >
> > I'm getting:
> >
> > "standard in must be a tty"
> >
> > So, how am I able to remote login using SSH, su to root, then execute a
> command as root?
> >
> > All comments and suggestions welcome. Thanks!
> >
> > --Tim
> > ___
> > CentOS mailing list
> > CentOS@centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
>
> Best off configuring sudo for that user (with no password) and make
> sure that user has !requiretty in the sudoers configuration.
>
> James
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

Does "ssh -t" help?

-- j


Re: [CentOS] SSH Remote Execution - su?

2010-03-03 Thread James Hogarth
On 3 March 2010 21:20, Tim Nelson  wrote:
> Greetings All-
>
> I'm about to embark on some remote management testing and need a way to login 
> to a remote system running CentOS 4.x/5.x via SSH, su to root (using a 
> password), then execute a command.
>
> I currently login to the boxes using key based SSH like this:
>
> ssh -i ~/remote_key ad...@$remoteip
>
> Then, I SU to root. However, if I try to do this automatically like this:
>
> ssh -i ~/remote_key ad...@$remoteip 'su -l'
>
> I'm getting:
>
> "standard in must be a tty"
>
> So, how am I able to remote login using SSH, su to root, then execute a 
> command as root?
>
> All comments and suggestions welcome. Thanks!
>
> --Tim
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

Best off configuring sudo for that user (with no password) and make
sure that user has !requiretty in the sudoers configuration.

James


[CentOS] SSH Remote Execution - su?

2010-03-03 Thread Tim Nelson
Greetings All-

I'm about to embark on some remote management testing and need a way to login 
to a remote system running CentOS 4.x/5.x via SSH, su to root (using a 
password), then execute a command.

I currently login to the boxes using key based SSH like this:

ssh -i ~/remote_key ad...@$remoteip

Then, I SU to root. However, if I try to do this automatically like this:

ssh -i ~/remote_key ad...@$remoteip 'su -l'

I'm getting:

"standard in must be a tty"

So, how am I able to remote login using SSH, su to root, then execute a command 
as root?

All comments and suggestions welcome. Thanks!

--Tim