How to send an SSH command from a protocol that requires sudo privileges?

Solved1.54K viewsprotocols serial protocol SSH
4
0 Comments

I'd like to send a command from a protocol to retrieve data from a Linux server via SSH.

However that command needs sudo elevated privileges. The response I retrieve is just the text that is asking for a username/pwd.

How can I do this from a protocol, please?

Marieke Goethals [SLC] [DevOps Catalyst] Selected answer as best 11th July 2023

3 Answers

1
2.28K 2 Comments

Can you change files on the box itself? otherwise an option can be setup passwordless sudo for that user: https://linuxhint.com/setup-sudo-no-password-linux/

or just some commands: https://askubuntu.com/questions/159007/how-do-i-run-specific-sudo-commands-without-a-password

Marieke Goethals [SLC] [DevOps Catalyst] Selected answer as best 11th July 2023
Gellynck Jens [SLC] commented

Security wise it’s probably safest to only grant the specific commands sudo without password permission. Or if only the dmidecode command needs sudo privileges, you could consider fetching the same information from /sys/devices/virtual/dmi/id, /proc/cpuinfo or /proc/meminfo
Jochen Dewachter [SLC] [DevOps Advocate] commented

I prefer not to do that, because in order to use that protocol, no user settings have to be adjusted on the machine itself…
0
892 0 Comments

Hi Jochen

Expect is a well known tool in the Linux world to automate password prompt scenarios. I see that they also support Windows, may be you can consider integrating that in the driver development.

Thanks.

Srikanth Mandava [SLC] [DevOps Advocate] Answered question 15th December 2022
0
15.99K 1 Comment

Hi Jochen,

I created a small automation script that send a command that requires sudo privileges. I believe this can also be implemented in a connector. In this case you will need to use ShellStream to be able to get the sudo password request:

public void Run(Engine engine)
{
string sLogin = "myUser";
string sPassword = "myUserPassword";
string sudoPassword = "myRootPassword";
string sHostname = "10.11.12.13";
string sCommand = "sudo dmidecode -t system | grep Serial";
string sExpectedResponse = "";
int iPort = 22;

SshClient sshClient = new SshClient(sHostname, iPort, sLogin, sPassword);

// Establish the connection
sshClient.Connect();

IDictionary<Renci.SshNet.Common.TerminalModes, uint> modes = new Dictionary<Renci.SshNet.Common.TerminalModes, uint>();
modes.Add(Renci.SshNet.Common.TerminalModes.ECHO, 53);

// Create a shell stream
var shellStream = sshClient.CreateShellStream("xterm", 255, 50, 800, 600, 1024, modes);

// Get logged in
sExpectedResponse = shellStream.Expect(new Regex(@"[$>]"));
engine.GenerateInformation("[INFO]|Run|Output:" + sExpectedResponse);

// Send command that requires sudo privileges
shellStream.WriteLine(sCommand);

// Expect password or user prompt
sExpectedResponse = shellStream.Expect(new Regex(@"([$#>:])"));
engine.GenerateInformation("[INFO]|Run|Output:" + sExpectedResponse);

// Check to send the password
if (sExpectedResponse.Contains(":"))
{
// Send password
shellStream.WriteLine(sudoPassword);

// Expect user or root prompt
sExpectedResponse = shellStream.Expect(new Regex(@"[$#>]"));

engine.GenerateInformation("[INFO]|Run|Output:" + sExpectedResponse);
}// End if

sshClient.Disconnect();
}// End method Run

For this example, I was able to get the serial number:

The main drawback of this approach is that the response will contain extra characters that you don't need (see screenshot above). Based on this, I believe it will be difficult to extract the information that you are looking for.

I saw other options as well, see this answer in StackOverflow, but they are insecure.

Jochen Dewachter [SLC] [DevOps Advocate] Posted new comment 14th December 2022
Jochen Dewachter [SLC] [DevOps Advocate] commented

For automation script, that’s ok. But for protocol that’d mean I have to put everything in QActions, that’s not ideal…