sudo requiretty

Craig White

Jan 5, 2015, 6:32:54 PM
to rundeck...@googlegroups.com
Still playing around with philosophical issues more than actual application issues.

Using FreeIPA and can easily share SSH keys within FreeIPA so I don't have to visit each machine. Also, thinking I don't actually have to be root user if I can sudo.

But it appears that Red Hat and their wisdom requires a tty for sudo...
Defaults    requiretty

I could probably manage that if I want to take ownership of /etc/sudoers on each machine with puppet but I am wondering if there is a configuration switch somewhere within Rundeck so it does an ssh -tt to try to force a tty onto a connection so I can sudo?

How do people get sufficient privileges with Rundeck?  Using root?

Just asking.

Moses Lei

Jan 5, 2015, 9:16:01 PM
to rundeck...@googlegroups.com
My preferred way is to use non-root with tty. You can set that up using the script executor (search the archives on this subject). You can also disable requiretty just for the rundeck user but that does not allow signals to propagate to the remote host, which leads to misleading behavior (people kill a job expecting it to terminate, but it keeps running on the last hosts it was running on).

Moses Lei

Craig White

Jan 6, 2015, 12:23:52 PM
to rundeck...@googlegroups.com
Indeed, I discovered this in the archives
service.NodeExecutor.default.provider=script-exec
plugin.script-exec.default.command=ssh -oStrictHostKeyChecking\=no -tt ${node.username}@${node.hostname} ${exec.command}

and added that to project.properties
and my simple test job...
sudo /sbin/service pe-puppet restart

just spins and spins but never actually happens
ps auxwwf shows

root     23116  0.0  0.0  66688  1260 ?        Ss    2014   0:00 /usr/sbin/sshd
root     17290  0.1  0.0 115644  4556 ?        Ss   10:04   0:00  \_ sshd: rundeck [priv]
1140100557 17297 0.0  0.0 115644 2152 ?        S    10:04   0:00  |   \_ sshd: rundeck@pts/0
root     17298  0.0  0.0 207608  4040 pts/0    Ss+  10:04   0:00  |       \_ sudo /sbin/service pe-puppet restart

minutes after I 'killed' the job on the Rundeck system (though they eventually disappeared)

I'm trying to work this through with FreeIPA as their sudo options for !requiretty and !authenticate seem to be less than fully effective.

Thanks
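
Added example, not part of any post in this thread and not Rundeck or FreeIPA code: one way to express "disable requiretty just for the rundeck user" as a local sudoers drop-in that also limits that account to the test job's single command, with a syntax check before install. It assumes the account is named rundeck (as in the ps output) and that /etc/sudoers includes a drop-in directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: account "rundeck" (as in the ps output above);
# /etc/sudoers includes a drop-in directory. Function names are hypothetical.

# render_dropin USER COMMAND [ARGS...]
# Prints a sudoers fragment that lifts requiretty for USER only and lets USER
# run exactly one command line as root. NOPASSWD is the per-rule form of
# the !authenticate option mentioned in the thread.
render_dropin() {
    user=${1-}
    # Refuse names that could change the meaning of the sudoers line.
    case $user in
        ''|*[!a-z0-9_-]*) echo "bad user name: $user" >&2; return 1 ;;
    esac
    shift
    cmd=$*
    # sudoers rules name commands by absolute path.
    case $cmd in
        /*) ;;
        *) echo "command must be an absolute path" >&2; return 1 ;;
    esac
    # Reject wildcards, control characters and sudoers metacharacters.
    case $cmd in
        *\**|*\?*|*\[*|*\]*|*,*|*:*|*=*|*\\*|*!*|*\#*|*[[:cntrl:]]*)
            echo "wildcards and sudoers metacharacters are not allowed" >&2
            return 1 ;;
    esac
    printf 'Defaults:%s !requiretty\n' "$user"
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$cmd"
}

# build_dropin USER COMMAND [ARGS...]
# Renders to a temp file, syntax-checks it with visudo when installed, and
# prints the fragment only if every step succeeded.
build_dropin() {
    tmp=$(mktemp) || return 1
    rc=0
    render_dropin "$@" >"$tmp" || rc=1
    if [ "$rc" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || rc=1
    fi
    [ "$rc" -eq 0 ] && cat "$tmp"
    rm -f "$tmp"
    return "$rc"
}
```

Calling `build_dropin rundeck /sbin/service pe-puppet restart` prints the two-line fragment, which would be installed root-owned with mode 0440. This covers only the sudo side; the signal-propagation behaviour described in the reply above still applies when no tty is allocated.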