Ssh – Proper way to send SSH commands to multiple clients with sudo

ssh

I have created a very simple shell script to send SSH commands to multiple hosts. Right now I have copied my ssh id so I don't have to use a password to login to the servers. But if I want to do a apt-get update for an example then I have to login as root and I am sure this isn't the preferred way to do this? So the question is what is the best way to send multiple ssh commands to multiple client's with sudo rights?

#!/bin/bash
# Hosts
hostarray=(
        "host1"
        "host2"
        "host3"
        )

for i in "${hostarray[@]}"; do
    ssh "$i" "command here"
done

Best Answer

As suggested above, Ansible can handle this more elegantly with the "--become --become-method=sudo --ask-become-password" options. However, you can, for example, put this in a file called /etc/sudoers.d/puppet (assuming your remote user is called puppet -- the naming is optional but it helps me keep things straight):

Defaults:puppet    !requiretty

puppet ALL=(ALL) NOPASSWD: ALL

This removes the need to type a password and the need for a tty.

Related Solutions

Ssh – How to automate SSH session for a specific user from a specific IP

To answer your followup question, if you create your SSH keypair without a password, then you would not need to enter the password to connect the servers.

You would add the pubkey in .authorized_keys according to this paragraph:

Key Access Limits

As an optional step to limit usage of the public key for access to any servers, a from statement can be used before public key entries in the ~/.ssh/authorized_keys file on the servers to limit where the client system is permitted to access the server from. Without a from limit, any client system with the appropriate private key data will be able to connect to the server from anywhere. If the keypair should only work when the client system is connecting from a host under example.org, set from="*.example.org" before the public key data.
server$ cat ~/.ssh/authorized_keys
from="*.example.org" ssh-rsa AAAAB3NzaC1…

In the "from" you would put your local interface IP address(es). Using that plus a combination of using an ssh key without a password (which is not best practices, but for most systems will work fine), will accomplish what you are looking for.

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Best Answer

Related Solutions

Ssh – How to automate SSH session for a specific user from a specific IP

Ssh – How to automate SSH login with password

Related Topic