Sometimes it's necessary to use sudo with ssh. In general this is a bad idea; however, the method below keeps the password safe and lets you use it securely, i.e. without it showing up on the screen or in your shell history.
Setup sudo on the Target Machine
On most Linux/Linux-like systems, any user in the sudo group is allowed to use sudo. On some Linux flavors the user is set up when installing the system, so no setup is necessary. However, on Debian the root user is enabled and the regular user isn't in the sudo group. Let's fix this:
$ su -
Password:
# adduser $USER sudo
# exit
$ exit
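You need to exit the $USER shell and log in again to pick up the sudo group in your shell. Here $USER stands for your regular user name; type it out in the adduser command, because inside the root shell started by su - the USER variable is root.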
Store the sudo Password Securely
The sudo password is the $USER password (not the root password). Let's store it in a safe place. Create the file ~/.ssh/pass.txt. Note: ~/.ssh should have permissions of 700, so it is secure.
$ vi ~/.ssh/pass.txt
(enter the password here)
$ chmod 600 ~/.ssh/pass.txt
$ vi ~/.bash_aliases
export PASS="$(cat ~/.ssh/pass.txt)"
$ . ~/.bash_aliases
Setup ssh to Work Without a Password
ssh normally asks for a password. You can push a public key to the host to bypass entering a password every time. First, you must have a public key, then send it to the host and verify ssh works without a password:
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:jZsNkiKdHx3K1fLS1RnbYvx4Z02R+PZ7XUWeLZrLf+Q user@linux
The key's randomart image is:
+---[RSA 2048]----+
| o..|
| . + *o|
| + . . Oo=|
| . o = B . ..O=|
| . + * S + oo.O|
| . o o * o o=|
| . o .. . o+|
| o .E|
| ....|
+----[SHA256]-----+
$ ssh-copy-id localhost
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user/.ssh/id_rsa.pub"
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:HU9FMaREJNg+e0U7p6dcjfDFqIwKW7qWYVy4Q4quEAQ.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@localhost's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'localhost'"
and check to make sure that only the key(s) you wanted were added.
$ ssh localhost id
uid=1000(user) gid=1000(user)
$PASS contains the password; let's use ssh and sudo -S to use it:
$ echo "$PASS" | ssh host sudo -S id 2>/dev/null
uid=0(root) gid=0(root) groups=0(root)
Note the 2>/dev/null is necessary to remove "[sudo] password for $USER:" from the output of the command.
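A variation on the steps above, added here as an example and not part of the original article: it checks the 700/600 permissions before use, feeds the password file to sudo -S on stdin instead of exporting $PASS into every child process, and blanks the prompt with sudo's -p option so stderr does not have to be discarded and real errors stay visible. The function names and the PASS_FILE variable are assumptions made for this sketch; stat -c is the GNU form found on Debian.

```shell
#!/bin/sh
# Added example, not the article's own code. PASS_FILE, mode_owner,
# check_pass_file and sudo_ssh are hypothetical names.
PASS_FILE="${PASS_FILE:-$HOME/.ssh/pass.txt}"

# mode_owner PATH: print "<octal mode> <owner uid>" (GNU stat).
mode_owner() { stat -c '%a %u' "$1"; }

# check_pass_file FILE: succeed only if FILE is a regular file (not a
# symlink) with mode 600, inside a directory with mode 700, and both
# are owned by the current user.
check_pass_file() {
    f=$1
    d=$(dirname "$f")
    me=$(id -u)
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing: $f is missing or not a regular file" >&2
        return 1
    fi
    if [ "$(mode_owner "$d")" != "700 $me" ]; then
        echo "refusing: $d must be mode 700 and owned by uid $me" >&2
        return 1
    fi
    if [ "$(mode_owner "$f")" != "600 $me" ]; then
        echo "refusing: $f must be mode 600 and owned by uid $me" >&2
        return 1
    fi
}

# sudo_ssh HOST CMD...: run CMD under sudo on HOST. The password goes from
# the file to the remote sudo on stdin, so it is never held in a variable,
# the environment, or a command line.
sudo_ssh() {
    host=$1
    shift
    check_pass_file "$PASS_FILE" || return 1
    # ssh joins its arguments into one string for the remote shell, so the
    # empty prompt must arrive there as a literal '' (hence the "''").
    ssh "$host" sudo -S -p "''" "$@" < "$PASS_FILE"
}

# Usage: sudo_ssh host id
```

The password file must end with a newline (vi adds one), because sudo -S reads the password up to the first newline.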