从python脚本中进行SSH并运行必须提供sudo密码的sudo命令
[英]SSHing from within a python script and run a sudo command having to give sudo password
问题描述
I am trying to SSH into another host from within a python script and run a command that requires sudo. 
我正在尝试从python脚本中SSH到另一台主机中,并运行需要sudo的命令。
I'm able to ssh from the python script as follows: 我能够从python脚本中进行ssh,如下所示:
import subprocess
import sys
import json
HOST="hostname"
# Ports are handled in ~/.ssh/config since we use OpenSSH
COMMAND="sudo command"
ssh = subprocess.Popen(["ssh", "%s" % HOST, COMMAND],
shell=False,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
result = ssh.stdout.readlines()
if result == []:
error = ssh.stderr.readlines()
print(error)
else:
print(result)
But I want to run a command like this after sshing : 但是我想在sshing之后运行这样的命令:
extract_response = subprocess.check_output(['sudo -u username internal_cmd',
'-m', 'POST',
'-u', 'jobRun/-/%s/%s' % (job_id, dataset_date)])
return json.loads(extract_response.decode('utf-8'))[0]['id']
How do I do that? 我怎么做?
Also, I don't want to be providing the sudo password every time I run this sudo command, for that I have added this command (ie, internal_cmd from above) at the end of visudo in the new host I'm trying to ssh into. 另外,我不想每次运行此sudo命令时都提供sudo密码,因为我已经在要尝试ssh的新主机的visudo末尾添加了此命令(即,来自上面的internal_cmd)成。 But still when just typing this command directly in the terminal like this: 但是仍然在直接在终端中像这样直接输入以下命令时:
ssh -t hostname sudo -u username internal_cmd -m POST -u/-/1234/2019-01-03
I am being prompted to give the password. 系统提示我输入密码。 Why is this happening? 为什么会这样呢?
2 个解决方案
解决方案1
0 2019-01-04 23:03:21
You can pipe the password by using the -S flag, that tells sudo to read the password from the standard input. 您可以使用-S标志来传递密码,该标志告诉sudo从标准输入中读取密码。
echo 'password' | sudo -S [command]
You may need to play around with how you put in the ssh command, but this should do what you need. 您可能需要尝试使用ssh命令的方式,但这应该可以满足您的需求。
Warning: you may know this already... but never store your password directly in your code, especially if you plan to push code to something like Github. 警告:您可能已经知道这一点...但是永远不要将密码直接存储在代码中,尤其是当您计划将代码推送到类似Github的东西时。 If you are unaware of this, look into using environment variables or storing the password in a separate file. 如果您不知道这一点,请考虑使用环境变量或将密码存储在单独的文件中。
解决方案2
0 2019-01-05 00:10:16
If you don't want to worry about where to store the sudo password, you might consider adding the script user to the sudoers list with sudo access to only the command you want to run along with the no password required option. 如果您不想担心将sudo密码存储在何处,则可以考虑将脚本用户添加到sudoers列表中,并且仅对要运行的命令进行sudo访问,并且不需要密码选项。 See sudoers(5) man page. 请参见sudoers(5)手册页。
You can further restrict command access by prepending a "command" option to the beginning of your authorized_keys entry. 您可以通过在authorized_keys条目的开头添加“ command”选项来进一步限制命令访问。 See sshd(8) man page. 请参见sshd(8)手册页。
If you can, disable ssh password authentication to require only ssh key authentication. 如果可以,请禁用ssh密码身份验证以仅要求ssh密钥身份验证。 See sshd_config(5) man page. 请参见sshd_config(5)手册页。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.