sudo over pssh?

[haarts]

Dear list,

I'm struggling with a solution to run commands in parallel. pssh seems to fit the bill nicely but I'd like to run commands with sudo on the target machines. Passing the option -x '-t' (pseudo terminal) doesn't seem to work (Stderr: Pseudo-terminal will not be allocated because stdin is not a terminal.). Is there a way of doing this? Preferably I'd give the sudo password once which is then used across the cluster.

Otherwise pssh is exactly what I want!

With kind regards,

[Andrew McNabb]

On Wed, Mar 14, 2012 at 09:12:15AM -0700, haarts wrote:
>
> I'm struggling with a solution to run commands in parallel. pssh seems to
> fit the bill nicely but I'd like to run commands with sudo on the target
> machines. Passing the option -x '-t' (pseudo terminal) doesn't seem to work

Within pssh, you have to do -x '-tt' rather than -x '-t' to make ssh
actually allocate a pseudo terminal.

> (Stderr: Pseudo-terminal will not be allocated because stdin is not a
> terminal.). Is there a way of doing this? Preferably I'd give the sudo
> password once which is then used across the cluster.
> Otherwise pssh is exactly what I want!

Have you tried using the -A option? This would require you to give the
root password rather than the user's password, so the behavior is a
little different than you describe. Likewise, you could also consider
setting up ssh keys so that you can login as root without a password.

--
Andrew McNabb
http://www.mcnabbs.org/andrew/
PGP Fingerprint: 8A17 B57C 6879 1863 DE55 8012 AB4D 6098 8826 6868

[haarts]

Thanks you for the pointers! 

The -A -x '-tt' worked like a charm. I hadden't put the one and the other together.

By the way, would it be possible to run a command on the remote servers in the background? So, issue the command and detach?

With kind regards,

[Andrew McNabb]

On Mon, Mar 19, 2012 at 05:04:28AM -0700, haarts wrote:
> Thanks you for the pointers!
> The -A -x '-tt' worked like a charm. I hadden't put the one and the other
> together.

The behavior of ssh by itself can be a mystery. When there's another
tool between it and you (and yet another program running remotely), it
can be really hard to track down what's going on.

> By the way, would it be possible to run a command on the remote servers in
> the background? So, issue the command and detach?

You might consider looking at `screen` or at the `disown` builtin,
depending on what you're trying to do. There are a bunch of other tools
out there, too, so please report back if you find something that works
perfectly for you.

[haarts]

A mystery indeed. -x '-tt' -A _sometimes_ works. Sometimes and additional -I is required. 

I looked into screen and disown and nohup with little luck. Albeit I'm doing something complex. Multiple commands and redirecting output etc etc:

/bin/pssh -v -h /tmp/riak_nodes -e /tmp/errors -x '-tt' -A -I -l ops --inline-stdout "sudo -i 'cd /root/dump_bitcask ; nohup bundle exec ruby dump_bitcask_data.rb > /tmp/dump.log 2>&1 &'"

No luck. I'll look into Capistrano a bit more, and perhaps remove the password for sudo which it a real pain.

Harm

[Ryan M]

Great discussion, thanks!

I cannot disable password authentication for sudo commands.  I have tried this command and many variants:

pssh -t 20 -x "-tt" -A -i -h prod-machines -P "sudo whoami"

To no avail.  Using the interactive print "-P", I see this:

Warning: do not enter your password if anyone else has superuser

privileges or access to your account.

Password: 

machine5: [sudo] password for rmckeel: 

machine3: [sudo] password for rmckeel: 

machine4: [sudo] password for rmckeel: 

machine6: [sudo] password for rmckeel: 

[1] 08:34:41 [FAILURE] machine3 Timed out, Killed by signal 9

....

Any ideas how to solve this?  I have tried -l myusername, -l root (I don't have the root password, nor do we want to use password or key for root auth), -x "-t -t" and other variants.  I'd like -A to request a password then use that for all sudo password prompts, or if that wasn't possible, to provide an interactive password request.

Thanks for any ideas!

[Harm Aarts]

I ended up with Ansible (http://ansible.cc/). Pretty awesome piece of software.

[Andrew McNabb]

On Tue, Oct 23, 2012 at 07:46:00AM -0700, Ryan M wrote:
>
> I cannot disable password authentication for sudo commands. I have tried
> this command and many variants:
>
> pssh -t 20 -x "-tt" -A -i -h prod-machines -P "sudo whoami"
>
> To no avail. Using the interactive print "-P", I see this:
>
> Warning: do not enter your password if anyone else has superuser
> privileges or access to your account.
> Password:
> machine5: [sudo] password for rmckeel:
> machine3: [sudo] password for rmckeel:
> machine4: [sudo] password for rmckeel:
> machine6: [sudo] password for rmckeel:
> [1] 08:34:41 [FAILURE] machine3 Timed out, Killed by signal 9
> ....
>
> Any ideas how to solve this? I have tried -l myusername, -l root (I don't
> have the root password, nor do we want to use password or key for root
> auth), -x "-t -t" and other variants. I'd like -A to request a password
> then use that for all sudo password prompts, or if that wasn't possible, to
> provide an interactive password request.

One way to help think about the problem is that ssh (and thus pssh) has
no awareness of what program is being run on the remote host. It's not
possible for ssh to give a password specifically to sudo because it
can't even know whether sudo is running. However, it's probably
possible to work around your problem using one of these possibilities:

1) I haven't actually tried it, but you should be able to use `-x "-tt"`
along with `-I` to send standard input.

2) The /etc/sudoers file lets you give individual commands that specific
users can run without requiring a password.

3) You said you don't like the idea of creating an ssh key for root, but
this is the most secure way to allow a user to ssh in and run any
command as root. Certificates are much more secure than passwords.

I hope this is helpful.

[Vinit Khandagle]

Well, This reply is really after a long time, but I came here exactly for the same reason, "Trying to run sudo commands through pssh". Well I guess coz pssh just uses ssh, I think its more of how ssh understands sudo. I got this working, One problem i had was that pssh does not prompt for the sudo tty like "ssh -t" does, infact in my case, i did not even had to pass -x "-tt" option if I set the user with "NOPASSWD" in sudoers.  However if I take of the "NOPASSWD" from the sudoers and then pass the -x "-tt" option with pssh it still hangs as it does not get the tty to run the command. So the best options till now i found is use:
   1. User with "NOPASSWD" in sudoers, and pass -A option for during the SSH if you have password login enabled , else do it with SSH keys and avoid passing -A option.
    2. Permit root login on the boxes, and protect with with ssh keys, and pass -l root in the pssh command.

[Grigory -]

This work for me:

[1153] grundic@xforge:~$ echo secret_password > /tmp/password

[1155] grundic@xforge:~$ cat /tmp/password | pssh -x '-tt' --host=f1-linux-1 -I "sudo ls /root"

[1] 11:55:36 [SUCCESS] f1-linux-1

среда, 14 марта 2012 г., 20:12:15 UTC+4 пользователь haarts написал:

[Rick Richardson]

This is an old thread, but for whati its worth only this worked: 

parallel-ssh -o ./ -h legacy-web -I --par=10 --timeout=0 --extra-args='-t -t' "sudo whoami" 

I then entered my password in the next line, and, importantly,  pressed ctrl-d to end the input.  A little weird, but it worked.