How to allow entering password when issuing commands on remote server? - ssh

Here's my script:
#!/bin/sh
if [ $# -lt 1 ]; then
echo "Usage: $0 SERVER"
exit 255
fi
ssh $1 'su;apachectl restart'
I just want it to log in to the server and restart apache, but it needs super-user priviledges to do that. However, after it issues the su command it doesn't stop and wait for me to enter my password. Can I get it to do that?

See if this works for you! This solution takes the password before doing the SSH though...
#!/bin/sh
if [ $# -lt 1 ]; then
echo "Usage: $0 SERVER"
exit 255
fi
read -s -p "Password: " PASSWORD
ssh $1 'echo $PASSWORD>su;apachectl restart'
The -s option prevents echoing of the password while reading it from the user.

Take a look at expect. The best way to perform such operations is through an expect script. Here is a sample that I just typed up to give you a head start, but all it does right now is show you how to handle a password in expect.
#!/usr/bin/expect -f
set timeout 60
set pswd [lindex $argv 0]
send "su\r"
match_max 2000
expect {
-re "assword:$" {
sleep 1
set send_human {.2 .15 .25 .2 .25}
send -h -- "$pswd\r"
exp_continue
} "login failed." {
send "exit\r"
log_user 1
send_user "\r\nLogin failed.\r\n"
exit 4
} timeout {
send "exit\r"
log_user 1
send_user "\r\nCommand timed out\r\n"
exit 1
} -re "(#|%)\\s*$" {
# If we get here, then su succeeded
sleep 1
send "apachectl restart\r"
expect {
-re "(#|%)\\s*$" {
send "exit\r"
log_user 1
send_user "\r\nApache restart Successful\r\n"
exit 0
} timeout {
send "exit\r"
log_user 1
send_user "\r\nCommand timed out\r\n"
exit 1
}
}
}
}

Modifying your command to:
ssh -t $1 'sudo apachectl restart'
will open a TTY and allow sudo to interact with the remote system to ask for the user account's password without storing it locally in memory.
You could probably also modify your sudo config on the remote system to allow for execution without a password. You can do this by adding the following to /etc/sudoers (execute visudo and insert this line, substituting <username> appropriately.)
<username> ALL=NOPASSWD: ALL
Also, I'm a security guy and I really hope you understand the implication of allowing an SSH connection (presuming without a passphrase on the key) and remote command execution as root. If not, you should really, really, really rethink your setup here.
[Edit] Better still, edit your sudoers file to allow only apachectl to run without a password. Insert the following and modify %staff to match your user's group, or change that to your username without the percent sign.
%staff ALL=(ALL) NOPASSWD: /usr/sbin/apachectl
Then your command should simply be changed to:
ssh $1 'sudo apachectl restart'

Related

Automated ssh-copy-id for a non-root user using expect

I'm a newbie to Linux, Bash and Expect
I'm currently working on a script which automatizes the ssh-keygen and ssh-copy-id processes
This is the wanted behavior:
Create SSH keys from root, for a non-root user( the rsa one )
Copying them on a given remote server
By SSH, ssh-copy-id the remote-host's keys back to the non-root user
Basically, to create a password-less ssh connection between them, all automatized on the main server.
I'd like to avoid the "su nagios" command, because it will interrupt the script waiting for a command ( or if it's not true, help me to use it correctly ).
The expect script:
#!/usr/bin/expect
set user [lindex $argv 0]
set server [lindex $argv 1]
send_user $user
send_user $server
spawn ssh-copy-id $user#$server
expect {
"(yes/no)? " {
send "yes\r"
exp_continue
}
"password: " {
send "nagios\r"
send_user "\n"
}
}
expect "$ "
spawn ssh -v $user#$server "ssh-copy-id nagios#192.168.174.142"
expect {
"(yes/no)? " {
send "yes\r"
exp_continue
}
"password: " {
send "nagios\r"
send_user "\n"
}
}
expect "$ "
exit
What I'm trying to do:
to create the keys in the right folder:
ssh-keygen -t rsa -N "" -f /home/nagios/.ssh/id_rsa
to change the text regarding user and domain
sed -i s/"root#localhost.localdomain"/"nagios#localhost.localdomain"/g /home/nagios/.ssh/id_rsa.pub
then I just copy them for the ssh-copy-id command..
cp -Rfv /home/nagios/.ssh/id_rsa /root/.ssh/
cp -Rfv /home/nagios/.ssh/id_rsa.pub /root/.ssh/
Are the keys generated binded to the user who created them?
Is that "root#localhost.localdomain" just a "comment" as I've read while browsing on internet?
Is there a way to use ssh-copy-id from root for the non-root user?
Errors I'm facing :
/usr/bin/ssh-copy-id: ERROR: Host key verification failed.
expect: spawn id exp5 not open
while executing
"expect "$ ""
(file "./copyRemoteKeys.sh" line 36)
May someone help me to debug, fix, or even help me to understand better how these things works?

ssh expect script doesn't recognize connect string

I tried my hand at an expect script that's supposed to copy an ssh public key up to a remote server and copy it into place so that you'll be able to ssh into it wihout having to enter in a password next time.
I'm trying to allow for a host connecting for the first time to expect the complaint about an unrecognized host key:
#!/usr/bin/expect -f
set PUB "~/.ssh/id_rsa.pub"
spawn scp $PUB openplatform#100.114.114.106:
expect {
"(Are you sure you want to continue connecting yes/no)?" { send "yes\r"; exp_continue }
password: {send secret!\r; exp_continue}
}
expect "password: "
send "secret!\r"
This is what happens when I actually run the script:
#./bin/ssh-login.ssh
spawn scp ~/.ssh/id_rsa.pub openplatform#100.114.114.106:
spawn ssh openplatform#100.114.116.106 /bin/mkdir .ssh && /bin/chmod 700 .ssh && /bin/cat id_rsa.pub >> .ssh/authorized_keys && /bin/chmod 600 .ssh/authorized_keys
The authenticity of host '100.114.116.106 (100.114.116.106)' can't be established.
RSA key fingerprint is 3b:04:73:25:24:f3:aa:99:75:a7:98:62:5d:dd:1b:38.
Are you sure you want to continue connecting (yes/no)? secret!
Please type 'yes' or 'no':
Basically the problem is that the line I'm trying to setup to expect the "Are you sure you want to continue connecting yes/no" string is not being recognized by the script.
Any suggestions on how I can improve that so that those lines match?
Thanks
You have a typo in your script - the opening bracket on the "Are you sure..." line should be before the "yes/no", not at the start. The fixed version:
#!/usr/bin/expect -f
set PUB "~/.ssh/id_rsa.pub"
spawn scp $PUB openplatform#100.114.114.106:
expect {
"Are you sure you want to continue connecting (yes/no)?" { send "yes\r"; exp_continue }
password: {send secret!\r; exp_continue}
}
expect "password: "
send "secret!\r"
...works fine for me

How to pass multiple servers to an expect script?

I'm trying to use an expect script to change my password on multiple servers, but I'm a little confused as to how to pass the list of servers through to it.
The script that I'm using is as follows:
#!/usr/bin/expect -f
# wrapper to make passwd(1) be non-interactive
# username is passed as 1st arg, passwd as 2nd
set username [lindex $argv 0]
set password [lindex $argv 1]
set serverid [lindex $argv 2]
set newpassword [lindex $argv 3]
spawn ssh -t $serverid passwd
expect "assword:"
sleep 3
send "$password\r"
expect "UNIX password:"
sleep 3
send "$password\r"
expect "password:"
sleep 3
send "$newpassword\r"
expect "password:"
sleep 3
send "$newpassword\r"
expect eof
And I'm trying to run it as such:
[blah#blah ~]$ ./setkey1 blah password 'cat serverlist' meh
which gives me the following output:
spawn ssh -t cat serverid passwd
ssh: cat serverid: Name or service not known
send: spawn id exp6 not open
while executing
"send "$password\r""
(file "./setkey1" line 13)
So I then tried running the following for loop:
[blah#blah ~]$ for i in serverid; do `cat serverid`; ./setkey1 blah password $i meh; done
Which gave me the following:
-bash: staging01v: command not found
spawn ssh -t serverid passwd
ssh: serverid: Name or service not known
send: spawn id exp6 not open
while executing
"send "$password\r""
(file "./setkey1" line 13)
If I try using the expect script, and just enter in one server name, it works as...um...expected.
What am I doing wrong?
There are many ways to solve this problem. I'd change the order of your arguments to be able to pass in multiple servers.
In the expect program:
foreach {username password newpassword} $argv break
set servers [lrange $argv 3 end]
foreach serverid $servers {
# your existing code goes here
}
Then from the shell, invoke it like this
./setkey1 userid pass newpass $(cat servers.txt)
If you use bash, you can do
./setkey1 userid pass newpass $(<servers.txt)
I did something similar here is my way
set servers "server1 server2 server3"
set users "user1 user2 user3"
set passwords "password1 password2 password3"
set newpasswords "new1 new2 new3"
foreach server $servers user $users password $passwords newpassword $newpasswords
{
Your commands using the variables server/user/password/newpassword
}
this will run the commands in a loop for each element in the sets
so first server with first user with first password in a loop then goes to 2nd etc..

ssh to cisco ASA and store output to a file

I am having trouble writing a shell-script for ssh into cisco ASA and store command output in a text file.
1.key exchange not needed in the script as it is not first time log in.
2. from my centOS server it should log into cisco ASA with ssh usr#serverip, run "en", send en password
and then run some command say "show version" and store the output to a text file in my server. I tried both shell script and the use of expect, not successful in either. Please help.
Thanks a lot in advance.
This is a small code written in python which does the work for you. Python is by default installed in your CentOS. Just save the code in file name it as .py and run it with "python .py". Let me know if this helps.
import pexpect
try:
hostname= 'yourhostname/ip of firewall'
username= 'your username'
commandTorun = 'Enter your command here'
password= 'your password'
enable= 'your enable password'
ssh = 'ssh ' + username + '#' +hostname
s=pexpect.spawn(ssh)
s.expect('word')
s.sendline(password)
s.expect('>');
s.sendline('en')
s.expect('word')
s.sendline(enable)
s.expect('#')
s.sendline('configure terminal')
s.expect('#')
s.sendline('pager 0')
s.expect('#')
s.sendline(commandTorun)
s.expect('#')
output = s.before
#You can save the output however you want here. I am printing it to the CLI.
s.sendline('exit')
s.expect('#')
s.sendline('exit')
s.expect(pexpect.EOF)
print output
except Exception, e:
print "The Script failed to login"
print str(e)
I'm not familiar with CentOS, but I have done this on Windows using Plink - a command line version of PuTTY. http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html (Edit: just checked and it appears plink exists as a .rpm file and is available on the repositories. The link provided also has source code if manual compile is your thing.)
The option -m allows you to specify a command script, -ssh forces ssh protocol, -l is the remote user and -pw is the remote password.
Here is the command:
plink.exe -ssh -l user -pw pass -m "path_to_script/script.txt" ip_of_asa > outputfile.txt
In the script.txt file you simply a list of commands including the enable command and hardcoded password:
en
enable_password
show ver
exit
Note, there are spaces in there to get the full "show ver" if multiple pages. The output uses the ">" to redirect output to file.
Hope this helps!
This works.
#!/usr/bin/expect
set remote_server [lrange $argv 0 0]
set timeout 10
spawn ssh -M username#$remote_server
while 1 {
expect {
"no)?" {send "yes\r"}
"denied" {
log_file /var/log/expect_msg.log
send_log "Can't login to $remote_server. Check username and password\n";
exit 1
}
"telnet:" {
log_file /var/log/expect_msg.log
send_log "Can't connect to $remote_server via SSH or Telnet. Something went definitely wrong\n";
exit 2
}
"failed" {
log_file /var/log/expect_msg.log
send_log "Host $remote_server exists. Check ssh_hosts file\n";
exit 3
}
timeout {
log_file /var/log/expect_msg.log
send_log "Timeout problem. Host $remote_server doesn't respond\n";
exit 4
}
"refused" {
log_file /var/log/expect_msg.log
send_log "Host $remote_server refused to SSH. That is insecure.\n"
log_file
spawn telnet $remote_server
}
"sername:" {send "username\r"}
"assword:" {send "password\r"}
">" {enable}
"#" {break}
}
}
send "terminal length 0\r"
expect "#"
send "show running-config\r"
log_file /opt/config-poller/tmp/poller.trash/$remote_server
expect "#"
send "exit\n"; exit 0
If you are accessing your router through your local machine, then you can create an expect script and configure tftp in your local machine.
The script would be like.
#!/usr/bin/expect-f
spawn telnet Router_IP
expect "word"
sent "password"
expect "word"
sent "copy running-config tftp://$tftp/$config\n\n" #edit this line wrt system's tftp configurations.
expect "word"
send "\n"

Transitioning Expect script from Telnet to SSH only

Any help would be appreciated. I need to transition inherited expect scripts from Telnet to SSH only logins. First of, I'm a router guy that inherited all our expect script templates, written a while back. So far, with little modifications, they've been able to run smoothly. Our client wanted to move away from Telnet and so a few months ago we prepped all the Cisco routers and switches to support both Telnet and SSH. Until now, our scripts had been fine. However, Telnet support and servers will go away soon and I need to figure out how to reconfigure all the script templates to work in SSH only environments.
So, here's an example of a simple template to get a sh ver output:
#!/usr/local/bin/expect -f
#
set force_conservative 0 ;# set to 1 to force conservative mode even if
;# script wasn't run conservatively originally
if {$force_conservative} {
set send_slow {1 .1}
proc send {ignore arg} {
sleep .1
exp_send -s -- $arg
}
}
####################################################################
# Info for command line arguments
set argv [ concat "script" $argv ]
set router [ lindex $argv 1 ]
####################################################################
set timeout 15
set send_slow {1 .05}
spawn telnet $router
match_max 100000
expect Username:
sleep .1
send -s -- "user\r"
expect Password:
sleep .1
send -s -- "pass\r"
expect *
send -s -- "\r"
expect *
sleep .2
send -s -- "sh ver\r"
expect *
sleep .2
send -s -- "end\r"
expect *
sleep .2
send -s -- "wr\r"
expect *
sleep .2
send -s -- "exit\r"
expect *
sleep .2
expect eof
Instead of:
spawn telnet $router
match_max 100000
expect Username:
sleep .1
send -s -- "user\r"
expect Password:
sleep .1
send -s -- "pass\r"
Try to use:
spawn ssh -M username#$router
while 1 {
expect {
"no)?" {send "yes\r"}
"sername:" {send "username\r"}
"assword:" {send "password\r"}
">" {break}
"denied" {send_user "Can't login\r"; exit 1}
"refused" {send_user "Connection refused\r"; exit 2}
"failed" {send_user "Host exists. Check ssh_hosts file\r"; exit 3}
timeout {send_user "Timeout problem\r"; exit 4}
}
}