scripting commands to be run on a remote server

Brazen

Basically I have to run a couple commands on the local server, then a couple commands have to be run on a remote server (as su privileges), then a few more commands need to be run locally. I would like to script all this to be initiated from the local server.

For instance, let's say I want to run from a script this command: "sudo touch /etc/afile" or just "touch /etc/afile" if run as root. But I want the script to run on localserver1 and the command should be run on remoteserver1.

Any suggestions?
 

Brazen

Originally posted by: sourceninja
ssh -fCT user@server "command to be ran"

Ok, except that asks for the password of the user on the remote machine, though I suppose I could set up a passwordless key. I don't like having a key out there though that can be used by anyone (I always use passworded keys). Is there a way to make sure that can only be used from one server (probably by ip address)? Or some other way to make ssh log in without a password from one server?

I also get this error when the remote command uses sudo: "sudo: sorry, you must have a tty to run sudo"
 

Nothinman

Ok, except that asks for the password of the user on the remote machine, though I suppose I could set up a passwordless key. I don't like having a key out there though that can be used by anyone (I always use passworded keys). Is there a way to make sure that can only be used from one server (probably by ip address)? Or some other way to make ssh log in without a password from one server?

Yes, in the authorized_keys file you can use the from= options to specify where the key can be used from.

I also get this error when the remote command uses sudo: "sudo: sorry, you must have a tty to run sudo"

That's because he used the -T switch to ssh which disables pseudo-tty allocation.
 

sourceninja

I'm not sure I'd want a remote server having the ability to run sudo commands on another server. Just doesn't sit well with me.

And yes, keyfiles are the only way to go for passwordless ssh.
 

Brazen

Originally posted by: Nothinman

I also get this error when the remote command uses sudo: "sudo: sorry, you must have a tty to run sudo"

That's because he used the -T switch to ssh which disables pseudo-tty allocation.

It also does it when I leave out that option. It looks like I need to get rid of the requiretty option in sudoers, I just need to figure out how to do it for only one user, and allow that one user to only run certain commands with sudo and no password.

Thanks for the heads up on the "from=" option.

Originally posted by: sourceninja
I'm not sure I'd want a remote server having the ability to run sudo commands on another server. Just doesn't sit well with me.

And yes, keyfiles are the only way to go for passwordless ssh.

That's why I'm exploring other options, but if this is the way I have to go, I want to restrict it down as much as possible.
 

Nothinman

It also does it when I leave out that option. It looks like I need to get rid of the requiretty option in sudoers, I just need to figure out how to do it for only one user, and allow that one user to only run certain commands with sudo and no password.

You could always try something like '/bin/bash -lc sudo blah'.
 

sourceninja

I believe to make sudo use no password for a single user you can do this (providing you know what programs you want to allow) in your sudoers file.

user hostname = NOPASSWD: /path/to/application, /path/to/other/application
 

Brazen

Originally posted by: sourceninja
I believe to make sudo use no password for a single user you can do this (providing you know what programs you want to allow) in your sudoers file.

user hostname = NOPASSWD: /path/to/application, /path/to/other/application

yep, that works, thanks

Originally posted by: Nothinman
It also does it when I leave out that option. It looks like I need to get rid of the requiretty option in sudoers, I just need to figure out how to do it for only one user, and allow that one user to only run certain commands with sudo and no password.

You could always try something like '/bin/bash -lc sudo blah'.

Actually just adding the -t option to the ssh command fixed it. I also figured out that to disable requiretty for just one user you add this to sudoers: "Defaults:username !requiretty" and then it will work with the -T option to ssh.

Any idea if using -T to disable the tty is any better or not?
 

sourceninja

Mostly personal preference I would think. It depends if you want any output back from the remote server.
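
The thread settles on restricting a passwordless key with the from= option in authorized_keys. As an added example (not posted by anyone in the thread), this shell function audits an authorized_keys file and lists the keys that still lack a from= restriction. The function names, addresses, key blobs and comments are constructed, and it assumes no quoted option value contains a space followed by a key-type prefix such as "ssh-".

```shell
#!/bin/sh
# unrestricted_keys FILE
# Prints "LINE_NO COMMENT" for every key in an authorized_keys file that has
# no from="..." option, i.e. a key usable from any source address.
unrestricted_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        opts = ""
        # An entry is either "keytype blob comment" or "options keytype blob comment".
        if (line !~ /^(ssh-|ecdsa-|sk-)/ &&
            match(line, /[ \t](ssh-|ecdsa-|sk-)[^ \t]+[ \t]/)) {
            opts = substr(line, 1, RSTART - 1)   # everything before the key type
            line = substr(line, RSTART + 1)
        }
        # from= must begin the option list or follow a comma
        if (opts !~ /(^|,)from="[^"]+"/) {
            n = split(line, f, /[ \t]+/)
            print NR, (n >= 3 ? f[3] : "(no comment)")
        }
    }' "$1"
}

# write_sample FILE: constructed authorized_keys content (placeholder key blobs)
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, key blobs are placeholders
from="192.0.2.10" ssh-ed25519 AAAAconstructed1 deploy@localserver1
ssh-rsa AAAAconstructed2 admin@laptop
command="/usr/local/bin/backup",no-pty ssh-ed25519 AAAAconstructed3 backup@nas
no-pty,from="192.0.2.10,192.0.2.11" ssh-ed25519 AAAAconstructed4 batch@localserver1
EOF
}

# Demo: lines 3 and 4 of the sample are reported as unrestricted
sample=$(mktemp)
write_sample "$sample"
unrestricted_keys "$sample"
rm -f "$sample"
```

Pointed at the target account's ~/.ssh/authorized_keys on the remote server, an empty result means every key is pinned to a source address.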