PerlMonks  

send su password in ssh

by tmhossain (Initiate)
on Sep 27, 2010 at 20:33 UTC (#862289)
tmhossain has asked for the wisdom of the Perl Monks concerning the following question:

I am trying to develop a Perl module to ssh to a host as one user and then switch to root and do some stuff. Here is the piece of code for the switching-user part.

    use Net::SSH::Perl;
    # $host, $user, $pass and $mypassword are set elsewhere in the module

    #-- set up a new connection
    $ssh = Net::SSH::Perl->new("$host", debug => 1, use_pty => 1, interactive => 1,
                               identity_files => [], protocol => '2,1');

    #-- authenticate
    #print "Loggin onto $host...\n" ;

    # Authenticate using login/password:
    $ssh->login($user, "$pass");

    # run "su -" and feed the root password on stdin
    my($stdout1, $stderr1, $exit1) = $ssh->cmd("su -", ["$mypassword\r\n"]);
    print "error= $stderr1\n" ;

I am trying to send the switch-user-to-root (su -) command and trying to send the password string with /r/n. I am getting the error message: incorrect password. Maybe the password is sent too early and not recognized.

Does anyone know a solution to this? If you have any other idea on how to implement it, please share.

Re: send password in ssh
by girarde (Friar) on Sep 27, 2010 at 20:58 UTC
    Depending on the O/S you might want to omit the \r and just use \n
Re: send password in ssh
by ww (Bishop) on Sep 27, 2010 at 21:12 UTC

    Highly speculative reply (since I don't use Net::SSH::Perl) ...

    If there's any substantive basis for your supposition, "(m)ay be the password is sent too early and not recognized," then it may be worth your while to sleep 1 (or more) between sending the su - and the password (or, if that's not feasible, separate into two transmissions. Any system I'm familiar with will throw up a prompt for the password).

    Alternately, you may want to consider whether there's a clue in the disparity between narrative and code: "/r/n" versus \r\n.

Re: send su password in ssh
by sundialsvc4 (Abbot) on Sep 27, 2010 at 21:34 UTC

    A far better strategy, if you absolutely must use a programmatic login or su, is to arrange for login to occur using SSH public/private keys. The script would present its key to avoid the possibility of an actual password challenge.

    Naturally, I am extraordinarily uncomfortable with the idea of a script logging on as root... Almost as uncomfortable as I am with the notion of a script possessing credentials that would allow (anyone) to do so.

      sundialsvc++!!

      Login as an untrusted user and drop stuff off. The working user (probably does not need to be root) can poll for the submission and then "do stuff".

      crontab is your friend here.

      David.
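The drop-off pattern David describes, as an added example that is not part of the thread: a constructed POSIX shell script in which the submitting account only writes request files into a spool directory, and a separate worker account, started from crontab, polls that directory and executes only actions on a fixed allowlist, so the submitter never holds the worker's credentials. The spool path, the action names and the body of run_action are assumptions for illustration.

```shell
#!/bin/sh
# Drop-box pattern: an unprivileged submitter writes requests into a spool
# directory; a worker account (run from crontab) polls it and executes only
# allowlisted actions. Spool path, action names and run_action are assumptions
# for illustration; the spool is a temp dir so the script runs anywhere.

SPOOL=${SPOOL:-$(mktemp -d)}
ALLOWED_ACTIONS="restart-app rotate-logs"   # the only work the worker will do
SEQ=0                                       # request counter for unique file names

# Submitter side: drop a one-line request file. The submitter needs write access
# to $SPOOL and nothing else; it never runs with the worker's privileges.
submit_request() {
  SEQ=$((SEQ + 1))
  printf '%s\n' "$1" > "$SPOOL/req.$SEQ"
}

# Worker side: accept an action only if it is on the allowlist (exact match,
# so "rm -rf /" or "restart-app; evil" are rejected rather than interpreted).
action_allowed() {
  for a in $ALLOWED_ACTIONS; do
    if [ "$a" = "$1" ]; then
      return 0
    fi
  done
  return 1
}

# Worker side: placeholder for the real privileged work.
run_action() {
  printf 'worker: executing %s\n' "$1" >&2
}

# Worker side: process every pending request once, consuming each file whether
# it was executed or rejected so a bad request is not retried forever.
# Prints "<executed> <rejected>" so a caller (or a test) can check the result.
process_spool() {
  executed=0
  rejected=0
  for f in "$SPOOL"/req.*; do
    [ -e "$f" ] || continue          # glob matched nothing
    action=$(head -n 1 "$f")
    if action_allowed "$action"; then
      run_action "$action"
      executed=$((executed + 1))
    else
      printf 'worker: rejected request %s (%s)\n' "$f" "$action" >&2
      rejected=$((rejected + 1))
    fi
    rm -f "$f"
  done
  echo "$executed $rejected"
}

# Example run. The worker half would normally be a crontab entry such as
#   * * * * * /usr/local/bin/process_spool
# under the worker account. With
#   submit_request restart-app; submit_request "rm -rf /"; submit_request rotate-logs
# process_spool prints "2 1".
```

The important property is that the spool file is data, not a command: the worker compares the request against its allowlist and never passes it to a shell, so a submitter who can write into the spool gains nothing beyond the actions the worker already agreed to perform.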
Re: send su password in ssh
by ctilmes (Priest) on Sep 27, 2010 at 21:53 UTC
    I agree with the discomfort expressed by sundialsvc4 about doing it at all, but with that caveat, if you do need/want to do it that way, use the SSH facilities to limit the use of the key to come from only a specific IP address, and only allow it to be used to run a specific command.

      I believe that the tool to be used here is sudo.

      If I may hazard a general statement here... I rather think that too many developers "routinely" have access to root. And they (so to speak) "lazily" write code that "merely assumes it." They write code that does things as they would (can...) do it. And this quickly leads to trouble.

      The "principle of least privilege" needs to apply to every privileged thing that you do. I happen to think that it is an excellent practice to dictate that no developer shall have access to root. If you impose that restriction upon them (also building the restriction that "developers have no way to reach the production databases, directories and files," no matter how loudly they whine), that restriction becomes reflected in their code. Necessity is the mother of invention. Even a self-imposed version of that discipline is beneficial. This point-of-view needs to be something that is "in your blood."
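The key restrictions ctilmes mentions live in the options field of an authorized_keys entry: from= pins the key to a source address and command= forces a single command regardless of what the client asks for, and a sudoers rule then grants only the one command that forced command needs. As an added example, not code from the thread, here is a constructed POSIX shell audit that reads such a file and flags every key lacking both restrictions; the addresses, command paths, sudoers line and key strings are placeholders.

```shell
#!/bin/sh
# Audit an authorized_keys file for keys that are not pinned to a source
# address (from=) and a forced command (command=). Constructed sample data;
# the addresses, commands and key material are placeholders, not real keys.

SAMPLE_KEYS='# deploy key: pinned to the CI host and forced to one command
from="203.0.113.10",command="/usr/local/bin/deploy-sync",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3PLACEHOLDER1 deploy@ci
ssh-ed25519 AAAAC3PLACEHOLDER2 dev@laptop
command="/usr/bin/rsync --server --sender . /srv/backup" ssh-rsa AAAAB3PLACEHOLDER3 backup@nas'

# The matching sudoers rule (assumed path) likewise grants only the one command
# the forced command needs, instead of a root shell:
#   deploy ALL=(root) NOPASSWD: /usr/local/bin/deploy-sync

# Return 0 when the entry carries both a from= and a command= option.
# Options precede the key type, so only the text before the key type is inspected.
key_is_restricted() {
  case "$1" in
    ssh-*|ecdsa-*|sk-*) return 1 ;;   # line starts with the key type: no options at all
  esac
  opts=${1%% ssh-*}
  opts=${opts%% ecdsa-*}
  opts=${opts%% sk-*}
  case "$opts" in
    *from=*) ;;
    *) return 1 ;;
  esac
  case "$opts" in
    *command=*) return 0 ;;
  esac
  return 1
}

# Report every key on stderr and print the number of unrestricted keys on
# stdout, skipping blank lines and comments.
count_unrestricted() {
  n=0
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    if key_is_restricted "$line"; then
      printf 'ok           %s\n' "${line##* }" >&2    # trailing comment field
    else
      printf 'UNRESTRICTED %s\n' "${line##* }" >&2
      n=$((n + 1))
    fi
  done <<EOF
$1
EOF
  echo "$n"
}

# Usage: count_unrestricted "$(cat ~/.ssh/authorized_keys)"
# With the sample above it prints 2: the laptop key has no options at all and
# the rsync key has a forced command but no from= restriction.
```

Run against a real file, the report gives you the list of keys that can still be used from anywhere or to run anything, which is exactly the set worth reviewing before letting a script hold one of them.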

Re: send su password in ssh
by chb (Chaplain) on Sep 28, 2010 at 07:05 UTC
    Maybe something like Net::SSH::Expect is better suited for this kind of programmed remote interaction?

      I have used Net::SSH::Expect to perform this task with both key-based and password authentication.

      Any expect-capable script should resolve any of your timing concerns.

Re: send su password in ssh
by salva (Abbot) on Sep 28, 2010 at 08:09 UTC
    The script below (copied from Net::OpenSSH distribution) does exactly what you want.

    It uses Net::OpenSSH to establish the connection to the remote host and Expect to handle the interaction with sudo.

    #!/usr/bin/perl
    use strict;
    use warnings;
    use Net::OpenSSH;
    use Expect;

    select STDOUT; $| = 1;
    select STDERR; $| = 1;

    my $password = $ARGV[0];
    my $timeout = 20;
    my $debug = 0;

    my $ssh = Net::OpenSSH->new('test@127.0.0.1', password => $password);

    # my ($pty, $pid) = $ssh->open2pty("sudo cat /etc/shadow")

    # After a successful sudo operation, it doesn't request the password
    # again until some time after, handling this undeterministic behaviour
    # is a pain in the ass, so we just clear any cached credentials
    # calling "sudo -k" first as follows:
    my ($pty, $pid) = $ssh->open2pty("sudo -k; sudo cat /etc/shadow")
        or die "open2pty failed: " . $ssh->error . "\n";

    my $expect = Expect->init($pty);
    $expect->raw_pty(1);
    $debug and $expect->log_user(1);

    $debug and print "waiting for password prompt\n";
    $expect->expect($timeout, ':') or die "expect failed\n";
    $debug and print "prompt seen\n";

    $expect->send("$password\n");
    $debug and print "password sent\n";

    $expect->expect($timeout, "\n") or die "bad password\n";
    $debug and print "password ok\n";

    while(<$pty>) { print "$. $_" }
    Note that Net::OpenSSH does not work on Windows.

Node Type: perlquestion [id://862289]
Approved by Corion
Front-paged by Corion