Home / server / Questions / 150525
Accepted
flashnode
Asked: 2010-06-12 09:41:00 +0800 CST

Managing servers over ssh with PermitRootLogin=no

  • 772

If I can't ssh as root to each of my servers how can I make modifications in an efficient way?

I am not allowed to setup ssh keys or open the sudoers file with NOPASSWD. I can't install puppet or spacewalk.

Sometimes when I try to include a sudo command in a script I get the error "no tty present." Has anyone worked in an environment like this?

ssh remote-access sudo

6 Answers

  1. Best Answer

    You could always login as a regular user and su root to the root user once you're in the server.

    • 5

  2. With these specific limitations you can force tty allocation using the -t switch to ssh:

    $ ssh server1 'sudo echo foo'
sudo: sorry, you must have a tty to run sudo
$ ssh -t server1 'sudo echo foo'
foo
Connection to server1 closed.

    In this example it is nopasswd, but it will work, you will just have to enter your password.

    • 1

  3. Since you mentioned you cannot use public key authentication and will have to put in a password just to get past the initial login prompt -- Your best bet is likely to be a combination of Python (or Perl) and Expect:

    #!/usr/bin/python

import pexpect

USER = 'myuser'
PASS = 'mypwd'
HOST = 'myhost'
CMD = 'ssh -l %s %s' % (USER, HOST)

conn = pexpect.spawn(CMD)
conn.expect('password:')
conn.sendline(PASS)
# do the rest of your stuff here ...

    That should suffice as a starting point -- there are plenty of tutorials (and SO questions) on this topic. You could then 'su -' or sudo and provide the same user password, for example. It gives you a framework to do your own dynamic configuration as well.

    Also -- the no tty present is because you haven't opened a tty in a script, as they generally run noninteractively.

    • 1

  4. The no tty present. means that your sudoers file contains Defaults requiretty. If you comment that out it will go away.

    I would look into mcollective for your management, but it sounds like you can't install anything. In that case, get ready to type your password a lot :( (or, bad idea as it is, script something up that puts your password into the right place with expect...)

    Also, sudo -l will give you a real root shell. That's good for interactive management, but not as much for automated stuff.

    • 1

  5. Use a distributed shell like mssh or dsh

    Is it really a problem not being able to log in directly as root?

    I always log in as a regular user and only use sudo to run administrative commands.

    I accept it is a problem not having centralised control, especially when you need to perform a change on more than a small number of servers, but you can use something like mssh or dsh from your Linux Desktop machine to run the same commands on each server.

    An example of the steps needed to connect to four servers and run a command as route would be

    • connect to all four servers using mssh, (eg mssh host1 host2 host3 host4 )

    • type your password if you don't have keys set up

    • run sudo "command"

    • type your password again

    Surely you are permitted to set up keys for your own regular user account. Also you can set up aliases for groups of servers in mssh.

    Then the steps become trivial

    • connect to a group or servers, such as "webservers" using mssh

    • run sudo "command"

    • type your password.

    There is some more information on my use of mssh here

    • 0

  6. Are you trying to work interactively, or via script?

    Those policies sound like something from a large company or government. If this is the case, just have someone pay a few million bucks for a management solution like IBM/Tivoli.

    • 0