openssh - run as another user

Jim Knoble jmknoble at pobox.com
Sat Aug 28 02:03:14 EST 2010


[Continuing top-posting started by others in the conversation].

Depending on what you need to do, named pipes (a.k.a. fifos) can come in 
handy.  I've used them before when I need to do an exact directory tree 
transfer between systems where I only have sudo access, and the remote 
end ('ssh -t remotehost sudo tar -xvf -') doesn't work, because the 
tarball coming in on stdin keeps ssh from allocating a pty, which keeps 
sudo from being able to prompt for a password.

Using a fifo looks something like this:

Process #1 (read from named pipe on remote host):

     ssh -t remotehost.example.com '
         cd /tmp &&
         umask 077 &&
         mkdir somedir && {       # mkdir fails closed if /tmp/somedir already exists
             cd somedir &&
             mkfifo mypipe &&
             cd /path/to/targetdir &&
             sudo tar -xvf /tmp/somedir/mypipe   # blocks until Process #2 opens the fifo
             rm -rf /tmp/somedir  # only runs for the directory we created ourselves
         }
     '

Process #2 (tar up directory tree and send it over):

     cd /path/to/sourcedir && tar -cf - topoftree \
     |ssh remotehost.example.com 'cat >/tmp/somedir/mypipe'

You can script most of the bits of Process #1 to make it simpler and 
more reliable (e.g., using the 'trap' shell builtin to remove the pipe 
and directory when done) and slightly more secure (using 'mktemp -d' to 
create the temporary directory instead of using 'mkdir', which fails if 
/tmp/somedir already exists).

-- 
jim knoble  |  jmknoble at pobox.com  |  http://www.pobox.com/~jmknoble/
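The fifo transfer above, scripted the way the post suggests (mktemp -d for the directory, trap for cleanup), as an added example that is not part of the original message. The function names, the xfer.XXXXXX template and the RSH, RSH_TTY and ELEVATE variables are this example's own conventions. The transport is a variable so the same functions run locally ("sh -c", the default here, so the file can be exercised offline without ssh or sudo); in real use RSH would be "ssh remotehost.example.com", RSH_TTY "ssh -t remotehost.example.com" (the pty is only needed on the extracting side, for the sudo prompt) and ELEVATE "sudo". Because mktemp -d picks an unpredictable name, the fifo path is created and printed in a separate, pty-less call first so the sender knows where to write; that is the coordination problem the fixed /tmp/somedir name sidesteps.

```shell
#!/bin/sh
# Fifo-based directory-tree transfer: receiver extracts from a private fifo,
# sender streams a tarball into it over a second connection.
# Example code, not from the original post.  Transport and privilege wrapper
# are assumptions: defaults run everything locally so the file works offline.
set -eu

RSH="${RSH:-sh -c}"         # real use: "ssh remotehost.example.com"
RSH_TTY="${RSH_TTY:-sh -c}" # real use: "ssh -t remotehost.example.com" (pty for sudo)
ELEVATE="${ELEVATE:-}"      # real use: "sudo"

# Step 1: create a private (umask 077) directory and fifo on the receiving
# side.  mktemp -d picks an unpredictable name and fails rather than reusing
# an existing directory; the fifo path is printed so the sender can learn it.
make_fifo() {
    $RSH 'umask 077 && d=$(mktemp -d "${TMPDIR:-/tmp}/xfer.XXXXXX") && mkfifo "$d/pipe" && printf "%s\n" "$d/pipe"'
}

# Step 2: extract on the receiving side, reading the tarball from the fifo.
# The EXIT trap removes the fifo and its directory however tar finishes.
# $1 = fifo path, $2 = target directory.  Opening the fifo blocks until the
# sender connects, so callers run this in the background.
extract_from_fifo() {
    $RSH_TTY "fifo=\"$1\"; trap 'rm -rf \"\$(dirname \"\$fifo\")\"' EXIT HUP INT TERM; cd \"$2\" && $ELEVATE tar -xf \"\$fifo\""
}

# Step 3: tar up the tree on the sending side and stream it into the fifo.
# $1 = parent directory of the tree, $2 = tree name, $3 = fifo path.
send_tree() {
    ( cd "$1" && tar -cf - "$2" ) | $RSH "cat > \"$3\""
}

# Driver: run the three steps.  $1 = parent dir, $2 = tree name, $3 = target dir.
# Returns tar's exit status from the extracting side.
transfer_tree() {
    fifo=$(make_fifo)
    extract_from_fifo "$fifo" "$3" &
    pid=$!
    send_tree "$1" "$2" "$fifo"
    wait "$pid"
}

# Usage (real hosts): RSH="ssh host" RSH_TTY="ssh -t host" ELEVATE=sudo \
#     transfer_tree /path/to/sourcedir topoftree /path/to/targetdir
```

The sudo password prompt appears on the local terminal through the pty of the RSH_TTY connection, while the tar data travels over the plain RSH connection, so the two never share a stream.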

On 2010-08-27 07:36, Wout Mertens wrote:
> If you use tar instead it's reasonably easy:
>
> ssh desthost -t sudo tar cf - srcfile | tar xvf -
>
> untested.
>
> Wout.
>
> On Aug 27, 2010, at 16:13 , Jeremy Nickurak wrote:
>
>> Any thoughts on how to get away with doing this with scp, in particular?
>>
>>> On Thu, Aug 26, 2010 at 20:23, Matthew Monaco <dgbaley27 at verizon.net> wrote:
>>
>>> On 08/26/2010 10:39 PM, Coy Hile wrote:
>>>
>>>> Use sudo a la
>>>>
>>>> ssh desthost sudo /some/command
>>>>
>>>>
>>>
>>> ssh desthost -t sudo /some/command
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: openssh-unix-dev-bounces+coy.hile=coyhile.com at mindrot.org On Behalf Of Phillip Wu
>>>> Sent: Thursday, August 26, 2010 7:37 PM
>>>> To: openssh-unix-dev at mindrot.org
>>>> Subject: openssh - run as another user
>>>>
>>>> For security, many systems are configured so you cannot log in directly as
>>>> root via the initial authentication in openssh.
>>>>
>>>> What is usually done is that you log on as your normal login and once
>>>> you get an interactive shell you su to root to
>>>> run the command that requires root.
>>>>
>>>> Does openssh have a more elegant way of exec'ing a command as root so I
>>>> can run the command
>>>> non-interactively?  I know:
>>>> Normal userid
>>>> Normal userid password
>>>> Root's password
>>>>
>>>> _______________________________________________
>>>> openssh-unix-dev mailing list
>>>> openssh-unix-dev at mindrot.org
>>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>>
>>
>> --
>> Jeremy Nickurak -= Email/XMPP: -= jeremy at nickurak.ca =-
>
>

