  #1  
Old 04-04-2008
Registered User
 

Join Date: May 2007
Location: Roanoke, VA
Posts: 11
Sudoers problems.

Hi!

I'm trying to come up with a way for me to automate some processes. I have to do this via ssh. What I'm trying to do is have "box A" connect to "box B" as "user A" and execute a command as "user B" (sudoer). It needs to be done this way because of auditing and security policy. This is on Solaris 8.

Here's how I have it set up now:

Box A has connectivity to box B
User A has logins on both box A and box B
User A connects to box B from box A and sudo's to user B

Here's what I have in the sudoers file:

User_Alias USERA = userA
Cmnd_Alias SU_USERA = /usr/bin/su - userB
USERA ALL = NOPASSWD: SU_USERA


So, I connect to box A and type:
ssh -t boxB "sudo su - userB /opt/rah/rah/rah/command.sh" >> /some/log/dir

It either doesn't change the user or it asks for a password. The script keeps a log in a directory owned by userB and, if it doesn't change the user, it says "cannot create, permission denied". Otherwise it sits there asking for a password. I've tried putting the full command in sudoers and that doesn't work. Anyone have ideas? Btw, this will eventually be put under Autosys control.

Thanks!

Last edited by blane; 04-04-2008 at 10:57 AM.
  #2  
Old 04-05-2008
RTM
Hog Hunter
 
Join Date: Apr 2002
Location: On my motorcycle
Posts: 3,039
Suggest you set the log to go to a directory either user A OR user B can write to (just to get around that issue of permissions). Also, run an ssh as user A from box A to box B that doesn't run sudo to user B, just to make sure the password it's asking for isn't for the actual ssh versus the change of ID.

Try giving the full path to your su command:
change "sudo su - userB /opt/rah/rah/rah/command.sh"
to "sudo /usr/bin/su - userB /opt/rah/rah/rah/command.sh"
  #3  
Old 04-05-2008
Registered User
 

Join Date: May 2007
Location: Roanoke, VA
Posts: 11
Hi! Thanks for the response.

User A is autosys' login.
User B is weblogic.

Unfortunately the command is to start a weblogic process and, if it's started by the autosys id, it won't work correctly. The logs also have to have weblogic:bea permissions so that the weblogic group can read them.

I've also set up an ssh-key from box a to box b so that no password is needed for autosys to connect... works fine.

Sorry for not clarifying all of this earlier.

I will try the full path to su and see if that works.
  #4  
Old 04-07-2008
Registered User
 

Join Date: May 2007
Location: Roanoke, VA
Posts: 11
Okay, I got a chance to try those things and it didn't work.

If I just ssh to box b from the autosys id and then sudo from there it works wonderfully - no password needed for either.

It seems as though the problem is occurring only when you try to combine ssh, sudo and a command.

I'm stumped.
  #5  
Old 04-09-2008
Registered User
 

Join Date: Jul 2007
Posts: 110
I set up the same scenario and it worked for me on Solaris 8, but with a small change.

1. Set up password-less ssh for user "user-A" from box-A to box-B

2. Set up the sudoers (/usr/local/etc/sudoers as sudo installed from SMCsudo) on box-B as below:

User_Alias USERA = user-A
Cmnd_Alias SU_USERA = /bin/test_scr.sh
USERA ALL = (ALL) NOPASSWD: SU_USERA

where "/bin/test_scr.sh" would have the below line (root must be the owner of this script)

su - user-B -c "/opt/rah/rah/rah/command.sh"

3. Run the below command from box-A as user user-A

ssh box-B "/usr/local/bin/sudo /bin/test_scr.sh"

Note: On box-B, /bin/test_scr.sh will be run as the "root" user, who in turn does "su" to user-B (root -to- user-B does not require any password)

DONE

Prvn
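
Added example (not part of the thread or of any poster's code): because the sudoers entry in post #5 runs the wrapper script as root without a password, anyone who can modify the script or a directory above it effectively has root. The sketch below checks the "root must be the owner" condition and also rejects group- or world-writable path components; the function names `check_entry` and `audit_wrapper` are hypothetical, and `ls -ldnL` is used because Solaris 8 has no `stat` command.

```shell
#!/bin/sh
# Audit a script that sudoers allows a user to run as root with NOPASSWD.
# Symlinks are followed (-L), e.g. /bin -> /usr/bin on Solaris, so run the
# audit on the resolved path as well if any component is a symlink.

# check_entry PATH UID: succeed if PATH is owned by UID and is not
# writable by group or other.
check_entry() {
    entry=$1 want_uid=$2
    info=$(ls -ldnL "$entry" 2>/dev/null) || { echo "missing: $entry"; return 1; }
    mode=$(echo "$info" | awk '{print $1}')   # e.g. -rwxr-xr-x
    uid=$(echo "$info" | awk '{print $3}')    # numeric owner
    [ "$uid" = "$want_uid" ] || { echo "owner uid $uid, want $want_uid: $entry"; return 1; }
    gw=$(echo "$mode" | cut -c6)              # group write bit
    ow=$(echo "$mode" | cut -c9)              # other write bit
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "group/world writable ($mode): $entry"
        return 1
    fi
}

# audit_wrapper SCRIPT [UID] [TOP]: check SCRIPT and every directory above
# it, up to and including TOP (default /). UID defaults to 0 (root).
audit_wrapper() {
    p=$1 owner=${2:-0} top=${3:-/}
    check_entry "$p" "$owner" || return 1
    while [ "$p" != "$top" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
        check_entry "$p" "$owner" || return 1
    done
    echo "ok: $1"
}

# Usage on box-B, with the path from post #5: sh audit.sh /bin/test_scr.sh
if [ $# -gt 0 ]; then audit_wrapper "$@"; fi
```

The same check applies to the script the wrapper invokes as user-B, with that user's numeric uid as the second argument.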
  #6  
Old 04-09-2008
Registered User
 

Join Date: May 2007
Location: Roanoke, VA
Posts: 11
Oh man. I really wish I'd tried this when I thought of it. Instead of running a specific command via ssh you're just running a script which does all the work. I gotcha.

Trying and will let you know the results.
Tags
autosys, solaris
