python3 subprocess run sudo cmd in remote failed

[lampahome]

Hello, I use python3.5 and found no way to solve this problem

>from subprocess import Popen, PIPE
>ps = Popen('ssh -o \'StrictHostKeyChecking no\' he...@192.168.80.11 \'sudo
sysctl -w vm.drop_caches=3\', stdin=PIPE, stdout=PIPE, stderr=PIPE,
bufsize=0, shell=True)
> he...@192.168.80.11's password:

what I tried many times like enter password, but it failed.
I just want to use ps.stdin.write(password) to send password, but it always
jump password prompt immediately.

How to solve this

[Cameron Simpson]

Well, there's a Python library called "paramiko" which implements ssh.
That might help.

But really you should avoid using password authentication altogether.
Generate a public/private keypair using ssh-keygen and install the
public half on the target machine.

Then all you need to do is to deal with sudo's password.

Note also that since stdin and stdout are pipes and not the terminal
then ssh will not be interactive, and will not allocate a tty at the far
end either. You can get ssh to open a remote tty with the -t option.

But I suspect you don't want stdin=PIPE or stdout=PIPE at all. Why are
they there?

Also, try doing this without shell=True - it is an invitation for
mistakes and shell injection (depending on your uses).

Cheers,
Cameron Simpson <c...@cskk.id.au>

[lampahome]

>
> Well, there's a Python library called "paramiko" which implements ssh.
> That might help.
>

> Later I will try lol.

> Note also that since stdin and stdout are pipes and not the terminal
> then ssh will not be interactive, and will not allocate a tty at the far
> end either. You can get ssh to open a remote tty with the -t option.
>
> But I suspect you don't want stdin=PIPE or stdout=PIPE at all. Why are
> they there?
>

> I thought I can use ps.stdin.write(password), so I make stdin and stdout
be pipe as input and output.

Here are I tried:

>from subprocess import Popen, PIPE
>ps = Popen('ssh -o \'StrictHostKeyChecking no\' he...@192.168.80.11 \'sudo

sysctl -w vm.drop_caches=3\', shell=True)
> he...@192.168.80.11's password:

>from subprocess import Popen, PIPE

>ps = Popen(['ssh', '-o \'StrictHostKeyChecking no\'', '
he...@192.168.80.11', '\'sudo sysctl -w vm.drop_caches=3\''])
> he...@192.168.80.11's password:

It always prompt immediately, that make me hard to enter password.
Maybe I should try paramiko...

[Cameron Simpson]

On 17Sep2019 13:02, lampahome <pahom...@mirlab.org> wrote:
>> Note also that since stdin and stdout are pipes and not the terminal
>> then ssh will not be interactive, and will not allocate a tty at the far
>> end either. You can get ssh to open a remote tty with the -t option.
>>
>> But I suspect you don't want stdin=PIPE or stdout=PIPE at all. Why are
>> they there?
>
> I thought I can use ps.stdin.write(password), so I make stdin and
> stdout be pipe as input and output.

The trouble here is that ssh will only accept a password from a
terminal. As soon as you connect a pipe it refuses to prompt. This is
partly security (having a terminal is a proxy for "talking to a human"),
and partly because ssh normally passes stdin to the remote process once
authentication is complete, so things get fiddly.

You can give it a terminal by obtaining a pty and associating the
subprocess with that. You could install the pexpect module with "pip
install pexpect" and use that to manage this interaction. See the docs:

https://pexpect.readthedocs.io/en/stable/

for further info.

However, I repeat my recommendation to use a keypair for the
authentication, as it avoids needing interactive passwords (and having
your programme know the password has its own suite of problems to do
with where that password comes from).

>Here are I tried:
>>from subprocess import Popen, PIPE
>>ps = Popen('ssh -o \'StrictHostKeyChecking no\' he...@192.168.80.11 \'sudo
>sysctl -w vm.drop_caches=3\', shell=True)
>> he...@192.168.80.11's password:
>
>>from subprocess import Popen, PIPE
>>ps = Popen(['ssh', '-o \'StrictHostKeyChecking no\'', '
>he...@192.168.80.11', '\'sudo sysctl -w vm.drop_caches=3\''])
>> he...@192.168.80.11's password:
>
>It always prompt immediately, that make me hard to enter password.

Well ssh will be connected to your terminal. Do things work if you hand
type the password at that point?

> Maybe I should try paramiko...

Or pexpect.

But use a keypair - it will simplify your life, and generally be far
more secure anyway.

Cheers,
Cameron Simpson <c...@cskk.id.au>

[Chris Angelico]

On Tue, Sep 17, 2019 at 3:25 PM Cameron Simpson <c...@cskk.id.au> wrote:
> However, I repeat my recommendation to use a keypair for the
> authentication, as it avoids needing interactive passwords (and having
> your programme know the password has its own suite of problems to do
> with where that password comes from).

Agreed; using a password that's embedded into the script is worse than
useless. The same goes for sudo passwords, if that's a thing; arrange
it so the user that you SSH in as has the power to run that command
without a password (you can do that in the sudoers file, even if it
needs a password for all other usage).

If necessary, create a dedicated SSH keypair *just* for this script.
It's still easier to protect an SSH private key than a password.

ChrisA

[Eli the Bearded]

In comp.lang.python, lampahome <pahom...@mirlab.org> wrote:
> what I tried many times like enter password, but it failed.
> I just want to use ps.stdin.write(password) to send password, but it always
> jump password prompt immediately.

Passwords are frequently read from stderr, not stdin, so that tools can
get a human answered password from inside a pipleline providing stdin
to something downstream.

> How to solve this

Use some sort of out-of-band authentication. Jenkins (when I looked at
it) used ssh-agent. Ansible used sshpass. And you've already had
key-pairs suggested in a different reply.

Elijah
------
likes ssh-agent and key-pairs