Ssh – x11vnc through SSH tunnel – sudo: no tty present and no askpass program specified

Tags: ssh, sudo, vnc, x11

I'm trying to set up a one-time SSH tunnel which instantiates x11vnc on a logged-in display.

ssh -f -t -L 5900:localhost:5900 user@10.1.10.1 'sudo /usr/bin/x11vnc -safer -once -nopw -display :0 -auth /home/user/.Xauthority'

/etc/sudoers:

user@myhost:~$ sudo cat /etc/sudoers
[sudo] password for user: 
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/
# instead of directly modifying this file.
#
Defaults:user   !requiretty
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

root    ALL=(ALL:ALL) ALL
user  ALL=(ALL:ALL) NOPASSWD: /usr/bin/x11vnc

%admin ALL=(ALL) ALL

%sudo   ALL=(ALL:ALL) ALL

The end result is this:

Pseudo-terminal will not be allocated because stdin is not a terminal.
bind: Address already in use
channel_setup_fwd_listener: cannot listen to port: 5900
Could not request local forwarding.
ebz@icarus:~ $ sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: 3 incorrect password attempts

It does say bind: Address already in use, but I feel this is not true and unrelated:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.1.10.1:domain        *:*                     LISTEN      -               
tcp        0      0 *:ssh                   *:*                     LISTEN      -                   
tcp6       0      0 xxxx::xxxx:xxxx::domain [::]:*                  LISTEN      -               
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -               

Safe to say we can ignore that message. Also, removing the sudo entry for user has no effect, either.

Thanks, guys. Cheers.

P.S. The solution here – No TTY present when running commands over SSH.. – didn't work 🙁

Also, a side note, THIS IS SERVER RELATED (BACKGROUND REGARDING A CUSTOM LXC VMM IMPLEMENTATION FOR OPENNEBULA). Please DO NOT mark this off-topic as this is a valid application use case.

UPDATE

Plus -tt, minus -f -t switches:

$ ssh -tt -L 5900:localhost:5900 user@10.1.10.1 'sudo /usr/bin/x11vnc -safer -once -nopw -display :0 -auth /home/user/.Xauthority'
bind: Address already in use
channel_setup_fwd_listener: cannot listen to port: 5900
Could not request local forwarding.
[sudo] password for user: 

But it prompts for a password? It works after I enter the password though.

Best Answer

Make sure that user isn't in either of the groups admin or sudo, or put the sudoers line for user after the group lines.

From the sudoers man page:

When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).
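
The ordering rule quoted above, applied to the sudoers entries from the question, as an added example that is not part of the original answer. It is a simplified model of last-match-wins rather than sudo's own parser, and it assumes `user` is a member of the `sudo` group, which the question does not state.

```python
# Entries copied from the question's /etc/sudoers, in their original order.
SUDOERS_FROM_QUESTION = """\
root    ALL=(ALL:ALL) ALL
user  ALL=(ALL:ALL) NOPASSWD: /usr/bin/x11vnc
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""

# Same entries with the per-user line moved after the group lines (the answer's fix).
SUDOERS_REORDERED = """\
root    ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
user  ALL=(ALL:ALL) NOPASSWD: /usr/bin/x11vnc
"""

def parse_rules(text):
    """Parse 'who host=(runas) [NOPASSWD:] command' lines; skip comments and Defaults."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        who, rest = line.split(None, 1)
        spec = rest.split("=", 1)[1].strip()
        if spec.startswith("("):                 # drop the (runas) part
            spec = spec.split(")", 1)[1].strip()
        nopasswd = spec.startswith("NOPASSWD:")
        if nopasswd:
            spec = spec[len("NOPASSWD:"):].strip()
        rules.append((who, spec, nopasswd))
    return rules

def needs_password(text, user, groups, command):
    """True/False taken from the LAST matching entry; None if nothing matches."""
    result = None
    for who, cmd, nopasswd in parse_rules(text):
        who_ok = who == user or (who.startswith("%") and who[1:] in groups)
        cmd_ok = cmd in ("ALL", command)
        if who_ok and cmd_ok:
            result = not nopasswd                # later matches overwrite earlier ones
    return result

if __name__ == "__main__":
    groups = {"sudo"}  # assumed group membership for 'user'
    for name, text in (("question", SUDOERS_FROM_QUESTION), ("reordered", SUDOERS_REORDERED)):
        print(name, "-> password required:", needs_password(text, "user", groups, "/usr/bin/x11vnc"))
```

On the real host, `sudo -l -U user` run as root lists the entries that apply to the account, and `visudo -c` checks the file's syntax after reordering.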