180

我有一个脚本,它使用 sudo 在远程服务器上通过 SSH 运行另一个脚本。但是,当我输入密码时,它会显示在终端上。(否则它工作正常)

ssh user@server "sudo script"

执行此操作的正确方法是什么,以便我可以通过 SSH 键入 sudo 的密码,而不会在我键入时出现密码?

4

8 回答 8

279

另一种方法是使用-tswitch 来ssh

ssh -t user@server "sudo script"

man ssh

 -t      Force pseudo-tty allocation.  This can be used to execute arbi-
         trary screen-based programs on a remote machine, which can be
         very useful, e.g., when implementing menu services.  Multiple -t
         options force tty allocation, even if ssh has no local tty.
于 2012-04-25T09:18:26.273 回答
36

I was able to fully automate it with the following command:

echo pass | ssh -tt user@server "sudo script"

Advantages:

  • no password prompt
  • won't show password in remote machine bash history

Regarding security: as Kurt said, running this command will show your password on your local bash history, and it's better to save the password in a different file or save the all command in a .sh file and execute it. NOTE: The file need to have the correct permissions so that only the allowed users can access it.

于 2018-11-07T12:25:52.870 回答
12

Sudo over SSH passing a password, no tty required:

You can use sudo over ssh without forcing ssh to have a pseudo-tty (without the use of the ssh "-t" switch) by telling sudo not to require an interactive password and to just grab the password off stdin. You do this by using the "-S" switch on sudo. This makes sudo listen for the password on stdin, and stop listening when it sees a newline.

Example 1 - Simple Remote Command

In this example, we send a simple whoami command:

$ ssh user@server cat \| sudo --prompt="" -S -- whoami << EOF
> <remote_sudo_password>
root

We're telling sudo not to issue a prompt, and to take its input from stdin. This makes the sudo password passing completely silent so the only response you get back is the output from whoami.

This technique has the benefit of allowing you to run programs through sudo over ssh that themselves require stdin input. This is because sudo is consuming the password over the first line of stdin, then letting whatever program it runs continue to grab stdin.

Example 2 - Remote Command That Requires Its Own stdin

In the following example, the remote command "cat" is executed through sudo, and we are providing some extra lines through stdin for the remote cat to display.

$ ssh user@server cat \| sudo --prompt="" -S -- "cat" << EOF
> <remote_sudo_password>
> Extra line1
> Extra line2
> EOF
Extra line1
Extra line2

The output demonstrates that the <remote_sudo_password> line is being consumed by sudo, and that the remotely executed cat is then displaying the extra lines.

An example of where this would be beneficial is if you want to use ssh to pass a password to a privileged command without using the command line. Say, if you want to mount a remote encrypted container over ssh.

Example 3 - Mounting a Remote VeraCrypt Container

In this example script, we are remotely mounting a VeraCrypt container through sudo without any extra prompting text:

#!/bin/sh
ssh user@server cat \| sudo --prompt="" -S -- "veracrypt --non-interactive --stdin --keyfiles=/path/to/test.key /path/to/test.img /mnt/mountpoint" << EOF
SudoPassword
VeraCryptContainerPassword
EOF

It should be noted that in all the command-line examples above (everything except the script) the << EOF construct on the command line will cause the everything typed, including the password, to be recorded in the local machine's .bash_history. It is therefore highly recommended that for real-world use you either use do it entirely through a script, like the veracrypt example above, or, if on the command line then put the password in a file and redirect that file through ssh.

Example 1a - Example 1 Without Local Command-Line Password

The first example would thus become:

$ cat text_file_with_sudo_password | ssh user@server cat \| sudo --prompt="" -S -- whoami
root

Example 2a - Example 2 Without Local Command-Line Password

and the second example would become:

$ cat text_file_with_sudo_password - << EOF | ssh va1der.net cat \| sudo --prompt="" -S -- cat
> Extra line1
> Extra line2
> EOF
Extra line1
Extra line2

Putting the password in a separate file is unnecessary if you are putting the whole thing in a script, since the contents of scripts do not end up in your history. It still may be useful, though, in case you want to allow users who should not see the password to execute the script.

于 2018-11-19T02:18:15.167 回答
7

Assuming you want no password prompt:

ssh $HOST 'echo $PASSWORD | sudo -S $COMMMAND'

Example

ssh me@localhost 'echo secret | sudo -S echo hi' # outputs 'hi'
于 2018-01-28T19:46:08.790 回答
4

最好的方法是ssh -t user@server "sudo <scriptname>",例如ssh -t user@server "sudo reboot"。它将首先提示用户输入密码,然后是 root(因为我们正在以 root 权限运行脚本或命令。

我希望它可以帮助并消除您的疑问。

于 2016-12-01T15:20:09.017 回答
1

NOPASS在您的目标机器上的配置是解决方案。继续阅读http://maestric.com/doc/unix/ubuntu_sudo_without_password

于 2012-04-25T06:25:40.920 回答
0
echo $VAR_REMOTEROOTPASS | ssh -tt -i $PATH_TO_KEY/id_mykey $VAR_REMOTEUSER@$varRemoteHost 
echo \"$varCommand\" | sudo bash
于 2019-09-13T22:38:28.267 回答
0

confirming that the answer of @ofirule is working like a charm. I try ot even with sshpass & it works. This is how to use it with sshpass:

echo $pass | sshpass -p $pass ssh -tt cloud_user@$ip "sudo su -"

you will find yourself in the root shell directly

于 2021-06-18T03:41:45.283 回答