How to Use sudo with SSH

Joe Bologna
Published in Mac O’Clock
Aug 4, 2020

Sometimes it’s necessary to use sudo with ssh. In general, this is a bad idea. However, the method below keeps the password safe and lets you use it securely, i.e. without it showing up on the screen or in your shell history.

The procedure below works on any combination of macOS and Linux source and destination machines.

Setting up sudo on the Destination Computer

On macOS, a user with Administrator privileges is allowed to use sudo with their user password. So, no setup is necessary.

On Linux, the user must be in the sudo group. Some Linux flavors put the user in the sudo group during installation. However, on Debian the root user is enabled and the regular user isn't in the sudo group. Let's fix this:

$ su -
Password:
# adduser user sudo
(user is your regular login name; inside the root shell started by su -, $USER expands to root)
# exit
$ exit
(Log in again here)

You need to exit the $USER shell and log in again to pick up the sudo group in your shell.

The sudo password is the $USER password (not the root password). Let's store it in a safe place. Create the file ~/.ssh/pass.txt. Note: the ~/.ssh directory should already have permissions of 700, so it is secure.

$ vi ~/.ssh/pass.txt
(enter the password here)
$ chmod 600 ~/.ssh/pass.txt
$ vi ~/.bash_aliases
export PASS="$(cat ~/.ssh/pass.txt)"
$ . ~/.bash_aliases

ssh normally asks for a password. You can push a public key to the host to bypass entering a password every time. First, you must have a public key, then send it to the host and verify ssh works without a password:

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is: SHA256:jZsNkiKdHx3K1fLS1RnbYvx4Z02R+PZ7XUxxxZrLf+Q user@linux
The key's randomart image is:...
$ ssh-copy-id localhost
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user/.ssh/id_rsa.pub"
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:HU9FMaREJNg+e0U7p6dcjfDFqIwKW7qWYVyxxxquEAQ.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@localhost's password:
Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'localhost'"
and check to make sure that only the key(s) you wanted were added.

$ ssh localhost id
uid=1000(user) gid=1000(user)

Perform a sudo Command using ssh

The $PASS environment variable contains the password. sudo -S reads the password from standard input instead of the terminal, so we can pipe it through ssh:

$ echo "$PASS" | ssh host sudo -S id 2>/dev/null
uid=0(root) gid=0(root) groups=0(root)

Note that the 2>/dev/null is necessary to remove the "[sudo] password for $USER:" prompt, which sudo writes to standard error, from the output of the command.
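
The same pipeline wrapped in a bash function, as an added example that is not part of the original article: it reads ~/.ssh/pass.txt when called rather than through the exported $PASS, and refuses to run unless the file is owned by you with mode 600 or stricter. The names pass_file_ok, remote_sudo and PASS_FILE are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example; pass_file_ok, remote_sudo and PASS_FILE are hypothetical names.

# Succeed only if FILE is a regular file (not a symlink), owned by the
# caller, with no group/other permission bits: mode 600 or stricter.
pass_file_ok() {
    local f="$1" bits
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$f" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Usage: remote_sudo HOST COMMAND [ARG...]
# Reads the password when called, so it is never exported into the
# environment that every child process of the shell inherits.
remote_sudo() {
    local file="${PASS_FILE:-$HOME/.ssh/pass.txt}" host
    if [ "$#" -lt 2 ]; then
        echo "usage: remote_sudo HOST COMMAND [ARG...]" >&2
        return 2
    fi
    host="$1"
    shift
    if ! pass_file_ok "$file"; then
        echo "remote_sudo: $file must be yours and mode 600" >&2
        return 1
    fi
    # sudo -S reads one line from stdin. The doubled quotes make the remote
    # shell see -p '', an empty prompt, so the command's own stderr survives.
    # ssh joins the arguments with spaces and the remote shell re-parses them.
    head -n 1 "$file" | ssh "$host" sudo -S -p "''" -- "$@"
}
```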

Happy sudoing.

Originally published at https://focusedforsuccess.com on August 4, 2020.
