Using Net::SSH Ruby library to remote command execution that requires sudo su - another user
My environment is configured with SSH password-less authentication for the user "master" between a node Server (Rundeck server) and node Target (remote Solaris host).
On Target, I want to execute a script /app/acme/stopApp.sh with the user appmanager.
Normally, when I need to run the script manually, I use:
ssh master@server sudo su - appmanager
or simply:
ssh -t master@server 'sudo su - appmanager'
which works without the password and finally run (as appmanager):
/app/acme/stopApp.sh
But I'm unable to figure out how to reproduce these steps using Net::SSH. When I execute sudo su - appmanager and then /app/acme/stopApp.sh, I'm doing it in a sub-shell, right?
require 'rubygems'
require 'net/ssh'
require 'net/scp'
require 'crypt/blowfish'
require 'yaml'
#
# ...
#
Net::SSH.start( host, user, :password => password ) do |session|
  # Is it possible to proceed in this way?
  cmd = 'sudo su - appmanager;/app/acme/stopApp.sh'
  ses = session.exec!( cmd )
end
I realized that if I try to execute something like I'm on the Target server:
sudo su -c /app/acme/stopApp.sh appmanager
I receive the message below:
We trust you have received the usual lecture from the local System Administrator.
It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility. Password:
Password:
This is a bit of a sysadmin-y answer, but I think you are authenticating twice: once to log in as "master" (using master's keypair) and then a second time "master" sudo-ing the su to "appmanager" but using a password (hence the "lecture" message). But I think you're not answering the password challenge the second time.
There are a few ways to get around this that come to mind:
1) Log in as appmanager directly using that account's keypair. If you're worried about the security of the appmanager account, you can restrict ssh remote commands among other things.
2) As master, call a binary (not a script!) that is setuid as "appmanager" that simply calls the stopApp.sh script. An example.
3) Set the appropriate group that master is in to NOPASSWD in /etc/sudoers.
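Option 3 driven from Net::SSH, as an added example that is not part of the original question or answer: it sends one non-interactive sudo command and fails fast when the target would still prompt for a password. It assumes the sudo on Target supports `-n` and that a sudoers rule like the one in the comment exists; `sudo_command`, `password_required?`, `run_as` and `stop_app` are hypothetical helper names.

```ruby
require 'shellwords'

# Assumed sudoers entry on Target (edit with visudo), scoped to one command
# and one target user instead of a blanket NOPASSWD for a whole group:
#   master ALL=(appmanager) NOPASSWD: /app/acme/stopApp.sh

# Build one non-interactive command line. `sudo su - appmanager;script`
# would start a shell as appmanager and only run the script, as master,
# after that shell exits.
def sudo_command(user, script, *args)
  raise ArgumentError, 'script must be an absolute path' unless script.start_with?('/')
  raise ArgumentError, 'invalid user name' unless user =~ /\A[a-z_][a-z0-9_-]*\z/
  # -n: fail instead of prompting for a password; -u: target user;
  # --: end of sudo options, everything after it is the command.
  (['sudo', '-n', '-u', user, '--', script] + args).shelljoin
end

# sudo -n reports a missing NOPASSWD rule with this text instead of hanging
# on a "Password:" prompt that nobody answers.
def password_required?(output)
  output.to_s.include?('a password is required')
end

# `session` is anything that responds to exec!, such as a Net::SSH session.
def run_as(session, user, script, *args)
  output = session.exec!(sudo_command(user, script, *args))
  raise "sudo on the target still wants a password: #{output.strip}" if password_required?(output)
  output
end

# Hypothetical wrapper: key-based login as master, then the script as appmanager.
def stop_app(host)
  require 'net/ssh' # loaded here so the helpers above work without the gem
  Net::SSH.start(host, 'master', non_interactive: true) do |session|
    return run_as(session, 'appmanager', '/app/acme/stopApp.sh')
  end
end
```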