Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Help on Ssh using sudo
Special Forums Cybersecurity Help on Ssh using sudo Post 302913539 by anandk on Monday 18th of August 2014 10:18:51 AM
Old 08-18-2014
Help on Ssh using sudo
I'm confused in the configuration of sudoers for one group of users.
The users need to execute a app from a remote machine, in this local machine they want me to allow ssh for them using sudo
for eg. sudo -u admin ssh -X euadmin@<IP address of remote> <remote script which opens a gui>

It should work, so in the sudoers file I added this
Code:
Cmnd_Alias    MGW_SSH = /usr/bin/ssh *-X euadmin@<IP address of remote> <remote script which opens a gui>*

The problem with this is that even though this group of users were able to execute the application to open the GUI, but this opens up a security hole where the users are able to ssh to any server using the admin role like sudo -u admin master would work perfectly and the user is able to log into other servers without password I don't want this to happen.

Is there a way I can restrict these users only to run ssh for a specific server? I did search a bit but couldn't find a proper solution, so thought of contacting the expert.

regards,
Anand.K
Last edited by rbatte1; 08-19-2014 at 12:59 PM.. Reason: Spelling and grammar, adding ICODE tags for in-line code.
 

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

xwindows over ssh after sudo?

ok...I'm stumped on this one. I cannot figure out how to carry over my environment variables with a sudo command. I need to install an application under root and only have sudo access to get there. I can use ssh -Y <host> and launch an xwindows session successfully as myself but as soon as I sudo... (3 Replies)
Discussion started by: scottsl
3 Replies

2. UNIX for Advanced & Expert Users

sudo and ssh

Hello, Can you config sudo to use the passphrase in the user ssh-key instead of the one in the passwd? Some users do not have local passwords on the system and instead of adding the NOPASSWD in sudoers I would like the solution I asked about above. Thx Jocke (3 Replies)
Discussion started by: jOOc
3 Replies

3. UNIX for Advanced & Expert Users

sudo and ssh

Hi, I would like to know how i can perform a task, while performing ssh, sudo and command at the same time. What I generally do is I ssh to the server, where i created private and public, so it does not prompt me for password all the time. Then i need to run "sudo su - ldaprole" to get into... (9 Replies)
Discussion started by: john_prince
9 Replies

4. UNIX for Advanced & Expert Users

ssh and sudo login

Hi, I am trying to execute some command, via ssh and sudo. Here is what i want to do. ssh localhost | sudo su - ldaprole | ls -ltrh However, this command gives me listing of my home directory, and not of ldaprole. If I logic directly, when i perform sudo su - ldaprole, it... (5 Replies)
Discussion started by: john_prince
5 Replies

5. Shell Programming and Scripting

ssh foo.com sudo command - Prompts for sudo password as visible text. Help?

I am writing a BASH script to update a webserver and then restart Apache. It looks basically like this: #!/bin/bash rsync /path/on/local/machine/ foo.com:path/on/remote/machine/ ssh foo.com sudo /etc/init.d/apache2 reloadrsync and ssh don't prompt for a password, because I have DSA encryption... (9 Replies)
Discussion started by: fluoborate
9 Replies

6. Programming

Using Commands over SSH using Sudo

Is there a way to transfer my sudo password via ssh so that I can copy files remotely and pass them locally, so: cat sudo-passwd-file|ssh -t user@10.7.0.180 'sudo find / -depth|cpio -oacv|gzip' > /path/to/dir/file.cpio.gz I am in the process of a creating a script. Everytime I try and just... (16 Replies)
Discussion started by: metallica1973
16 Replies

7. Red Hat

Sudo Password Prompt over SSH

I am not sure what I am missing here. I have the following identical entry in /etc/sudoers on multiple Red Hat 6.4 servers. icinga ALL=NOPASSWD:/usr/bin/yum --security --exclude\="kernel*" check-update On one server when I enter the command over SSH as follows it works fine. ssh -t -q... (1 Reply)
Discussion started by: scotbuff
1 Replies

8. Shell Programming and Scripting

Ssh & sudo

when the following command is issued the command prompt is received, how do I get past this? ssh -t usera@hosta sudo su - userb -c id (4 Replies)
Discussion started by: squrcles
4 Replies

9. Shell Programming and Scripting

Help in creating Sudo ssh script

Hi Experts, I am new to Shell scripting. I want to login to a server using a script. The normal command I use is --> sudo ssh <Servername> . when i tried putting this into a txt format file and tried running, it throw an error "can't execute". I am an Admin and i have root access. Any help would... (6 Replies)
Discussion started by: Tom1989
6 Replies

10. Shell Programming and Scripting

Ssh does not support sqlplus and sudo -i?

Hey everybody, currently I am having an issue that I need to open an ssh session to a remote host, once on the remote host I need to use sudo and then execute sqlplus. Once the sqlplus call is open I need to execute one command while the sqlplus is active. For example show sga. I already got so... (3 Replies)
Discussion started by: h1kelds
3 Replies

LEARN ABOUT LINUX

visudo

VISUDO(8)						       MAINTENANCE COMMANDS							 VISUDO(8)

NAME

       visudo - edit the sudoers file

SYNOPSIS

       visudo [-c] [-q] [-s] [-V] [-f sudoers]

DESCRIPTION

       visudo edits the sudoers file in a safe fashion, analogous to vipw(8).  visudo locks the sudoers file against multiple simultaneous edits,
       provides basic sanity checks, and checks for parse errors.  If the sudoers file is currently being edited you will receive a message to try
       again later.

       There is a hard-coded list of one or more editors that visudo will use set at compile-time that may be overridden via the editor sudoers
       Default variable.  This list defaults to "/usr/bin/editor".  Normally, visudo does not honor the VISUAL or EDITOR environment variables
       unless they contain an editor in the aforementioned editors list.  However, if visudo is configured with the --with-env-editor option or
       the env_editor Default variable is set in sudoers, visudo will use any the editor defines by VISUAL or EDITOR.  Note that this can be a
       security hole since it allows the user to execute any program they wish simply by setting VISUAL or EDITOR.

       visudo parses the sudoers file after the edit and will not save the changes if there is a syntax error.	Upon finding an error, visudo will
       print a message stating the line number(s) where the error occurred and the user will receive the "What now?" prompt.  At this point the
       user may enter "e" to re-edit the sudoers file, "x" to exit without saving the changes, or "Q" to quit and save changes.  The "Q" option
       should be used with extreme care because if visudo believes there to be a parse error, so will sudo and no one will be able to sudo again
       until the error is fixed.  If "e" is typed to edit the  sudoers file after a parse error has been detected, the cursor will be placed on
       the line where the error occurred (if the editor supports this feature).

OPTIONS

       visudo accepts the following command line options:

       -c	   Enable check-only mode.  The existing sudoers file will be checked for syntax and a message will be printed to the standard
		   output detailing the status of sudoers.  If the syntax check completes successfully, visudo will exit with a value of 0.  If a
		   syntax error is encountered, visudo will exit with a value of 1.

       -f sudoers  Specify and alternate sudoers file location.  With this option visudo will edit (or check) the sudoers file of your choice,
		   instead of the default, /etc/sudoers.  The lock file used is the specified sudoers file with ".tmp" appended to it.

       -q	   Enable quiet mode.  In this mode details about syntax errors are not printed.  This option is only useful when combined with
		   the -c option.

       -s	   Enable strict checking of the sudoers file.	If an alias is used before it is defined, visudo will consider this a parse error.
		   Note that it is not possible to differentiate between an alias and a host name or user name that consists solely of uppercase
		   letters, digits, and the underscore ('_') character.

       -V	   The -V (version) option causes visudo to print its version number and exit.

ENVIRONMENT

       The following environment variables may be consulted depending on the value of the editor and env_editor sudoers variables:

       VISUAL	       Invoked by visudo as the editor to use

       EDITOR	       Used by visudo if VISUAL is not set

FILES

       /etc/sudoers	       List of who can run what

       /etc/sudoers.tmp        Lock file for visudo

DIAGNOSTICS

       sudoers file busy, try again later.
	   Someone else is currently editing the sudoers file.

       /etc/sudoers.tmp: Permission denied
	   You didn't run visudo as root.

       Can't find you in the passwd database
	   Your userid does not appear in the system passwd file.

       Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
	   Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed that consists solely of
	   uppercase letters, digits, and the underscore ('_') character.  In the latter case, you can ignore the warnings (sudo will not
	   complain).  In -s (strict) mode these are errors, not warnings.

       Warning: unused {User,Runas,Host,Cmnd}_Alias
	   The specified {User,Runas,Host,Cmnd}_Alias was defined but never used.  You may wish to comment out or remove the unused alias.  In -s
	   (strict) mode this is an error, not a warning.

SEE ALSO

       vi(1), sudoers(5), sudo(8), vipw(8)

AUTHOR

       Many people have worked on sudo over the years; this version of visudo was written by:

	Todd Miller

       See the HISTORY file in the sudo distribution or visit http://www.sudo.ws/sudo/history.html for more details.

CAVEATS

       There is no easy way to prevent a user from gaining a root shell if the editor used by visudo allows shell escapes.

BUGS

       If you feel you have found a bug in visudo, please submit a bug report at http://www.sudo.ws/sudo/bugs/

SUPPORT

       Limited free support is available via the sudo-users mailing list, see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
       search the archives.

DISCLAIMER

       visudo is provided ``AS IS'' and any express or implied warranties, including, but not limited to, the implied warranties of
       merchantability and fitness for a particular purpose are disclaimed.  See the LICENSE file distributed with sudo or
       http://www.sudo.ws/sudo/license.html for complete details.

1.7.4								   July 14, 2010							 VISUDO(8)
All times are GMT -4. The time now is 02:53 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy