Ssh – sudo prompts for password over ssh


I have sudo set up for a user (myuser) as follows on "hostname" (sudoers content):

Cmnd_Alias SCRIPT=/path/script*
myuser ALL=(suser) NOPASSWD: SCRIPT

This works fine, so I can run the following, logged in locally as myuser on hostname, without the need for a password:

sudo -u suser /path/script

However, when I use ssh (with keys set up, so no password required) to log in and run it, as follows:

ssh hostname sudo -u suser /path/script 

I get prompted for a password, and when the password is entered I get:

Sorry, user myuser is not allowed to execute '/path/script' as suser on hostname


UPDATE
The problem is solved by removing the "*" from the end of the command in sudoers.
The * was added to allow parameters to be passed to script, but actually doesn't appear to be necessary.
Still don't understand why the * allows the sudo to work locally, but not over ssh.
So the question still stands.

Best Answer

You didn't specify a host in the sudoers, so it only works locally as you have it set up now.

So if you set the host parameter to ALL, it will work on any host.

From man sudoers:

The reserved word ALL is a built-in alias that always causes a match to succeed. It can be used wherever one might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, or Host_Alias.

...

By default, if the NOPASSWD tag is applied to any of the entries for a user on the current host, he or she will be able to run sudo -l without a password. Additionally, a user may only run sudo -v without a password if the NOPASSWD tag is present for all a user's entries that pertain to the current host. This behavior may be overridden via the verifypw and listpw options.

The additional fact that the following works at the terminal seems to bear out that the host is the reason you get prompted.

$ ssh hostname

$ sudo -u user /path/script
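
The question's update notes that the trailing `*` was not needed to pass parameters to the script. The sketch below is an added example, not part of the original post or of sudo itself: a simplified Python model of the command-matching rules documented in sudoers(5), showing what `/path/script*` permits compared with `/path/script`. The function names and the `/path/script-old` and `/path/scripts/other` paths are hypothetical, and real sudo also resolves the command on disk using glob(3) and fnmatch(3).

```python
from fnmatch import fnmatchcase


def path_matches(pattern, path):
    """Match the file-name part of a rule; wildcards never match '/'."""
    p_parts, c_parts = pattern.split("/"), path.split("/")
    return len(p_parts) == len(c_parts) and all(
        fnmatchcase(c, p) for p, c in zip(p_parts, c_parts))


def cmnd_allows(spec, path, args=()):
    """Return True if sudoers command `spec` permits `path` run with `args`."""
    pattern, _, arg_spec = spec.partition(" ")
    arg_spec = arg_spec.strip()
    if not path_matches(pattern, path):
        return False
    if arg_spec == "":        # rule names no arguments: any arguments allowed
        return True
    if arg_spec == '""':      # explicit "": only allowed with no arguments
        return len(args) == 0
    # Otherwise the arguments are matched as one space-joined string.
    return fnmatchcase(" ".join(args), arg_spec)


if __name__ == "__main__":
    # Constructed cases: (rule, command path, arguments)
    cases = [
        ("/path/script", "/path/script", ["--flag", "value"]),
        ("/path/script*", "/path/script", []),
        ("/path/script*", "/path/script-old", []),
        ("/path/script", "/path/script-old", []),
        ("/path/script*", "/path/scripts/other", []),
        ('/path/script ""', "/path/script", ["x"]),
    ]
    for spec, path, args in cases:
        verdict = "allowed" if cmnd_allows(spec, path, args) else "denied"
        print(f"{spec!r:20} {path} {' '.join(args)} -> {verdict}")
```

In this model the rule without `*` already accepts any arguments, while the rule with `*` additionally accepts every other file in `/path` whose name begins with `script`.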