send su password in ssh

tmhossain has asked for the wisdom of the Perl Monks concerning the following question:

I am trying develop a perl module to ssh to a host as one user and then switch to root and do some stuff. Here is the piece of code for switching user part.

#-- set up a new connection
$ssh = Net::SSH::Perl->new("$host", debug => 1, use_pty => 1, interact
+ive => 1,  identity_files => [], protocol=>'2,1');
#-- authenticate
#print "Loggin onto $host...\n" ;
#  Authenticate using login/password:
$ssh->login($user, "$pass");
my($stdout1, $stderr1, $exit1) = $ssh->cmd("su -", ["$mypassword\r\n"]
+);
print "error= $stderr1\n" ;
[download]

I am trying to send the switch user to root (su -) command and trying to send the password string with /r/n. I am getting the error message: incorrect password. May be the password is sent too early and not recognized.

Does any one know solution to this? If you have any other idea on how to implement it please share.

Comment on send su password in ssh Download Code

Replies are listed 'Best First'.
Re: send su password in ssh by sundialsvc4 (Abbot) on Sep 27, 2010 at 21:34 UTC
A far better strategy, if you absolutely must use a programmatic login or `su`, is to arrange for login to occur using SSH public/private keys. The script would present its key to avoid the possibility of an actual password challenge. Naturally, I am extraordinarily uncomfortable with the idea of a script logging on as `root`... Almost as uncomfortable as I am with the notion of a script possessing credentials that would allow (anyone) to do so.
Re^2: send su password in ssh by dwm042 (Priest) on Sep 28, 2010 at 21:56 UTC
sundialsvc++!! Login as an untrusted user and drop stuff off. The working user (probably does not need to be root) can poll for the submission and then "do stuff". crontab is your friend here. David.	[reply]
Re: send su password in ssh by salva (Canon) on Sep 28, 2010 at 08:09 UTC
The script below (copied from Net::OpenSSH distribution) does exactly what you want. It uses Net::OpenSSH to establish the connection to the remote host and Expect to handle the interaction with `sudo`. #!/usr/bin/perl use strict; use warnings; use Net::OpenSSH; use Expect; select STDOUT; $\| = 1; select STDERR; $\| = 1; my $password = $ARGV[0]; my $timeout = 20; my $debug = 0; my $ssh = Net::OpenSSH->new('test@127.0.0.1', password => $password); # my ($pty, $pid) = $ssh->open2pty("sudo cat /etc/shadow") # After a successful sudo operation, it doesn't request the password # again until some time after, handling this undeterministic behaviour # is a pain in the ass, so we just clear any cached credentials # calling "sudo -k" first as follows: my ($pty, $pid) = $ssh->open2pty("sudo -k; sudo cat /etc/shadow") or die "open2pty failed: " . $ssh->error . "\n"; my $expect = Expect->init($pty); $expect->raw_pty(1); $debug and $expect->log_user(1); $debug and print "waiting for password prompt\n"; $expect->expect($timeout, ':') or die "expect failed\n"; $debug and print "prompt seen\n"; $expect->send("$password\n"); $debug and print "password sent\n"; $expect->expect($timeout, "\n") or die "bad password\n"; $debug and print "password ok\n"; while(<$pty>) { print "$. $_" } [download] Note that Net::OpenSSH does not work on Windows.	[reply] [d/l] [select]
Re: send password in ssh by girarde (Hermit) on Sep 27, 2010 at 20:58 UTC
Depending on the O/S you might want to omit the `\r` and just use `\n`	[reply] [d/l] [select]
Re: send password in ssh by ww (Archbishop) on Sep 27, 2010 at 21:12 UTC
Highly speculative reply (since I don't use `Net::SSH::Perl`) ... If there's any substantive basis for your supposition, "(m)ay be the password is sent too early and not recognized," then it may be worth your while to `sleep 1` (or more) between sending the `su -` and the password (or, if that's not feasible, separate into two transmissions. Any system I'm familiar with will throw up a prompt for the password). Alternately, you may want to consider whether there's a clue in the disparity between narrative and code: "/r/n" versus `\r\n`.	[reply] [d/l] [select]
Re: send su password in ssh by ctilmes (Vicar) on Sep 27, 2010 at 21:53 UTC
I agree with the discomfort expressed by sundialsvc4 about doing it at all, but with that caveat, if you do need/want to do it that way, use the SSH facilities to limit the use of the key to come from only a specific IP address, and only allow it to be used to run a specific command.	[reply]
Re^2: send su password in ssh by sundialsvc4 (Abbot) on Sep 28, 2010 at 01:11 UTC
I believe that the tool to be used here is `sudo`. If I may hazard a general statement here... I rather think that too many developers “routinely” have access to `root`. And they (so to speak) “lazily” write code that “merely assumes it.” They write code that does things as they would (can...) do it. And this quickly leads to trouble. The “principle of least privilege” needs to apply to every privileged thing that you do. I happen to think that it is an excellent practice to dictate that no developer shall have access to `root`. If you impose that restriction upon them (also building the restriction that “developers have no way to reach the production databases, directories and files,” no matter how loudly they whine), that restriction becomes reflected in their code. Necessity is the mother of invention. Even a self-imposed version of that discipline is beneficial. This point-of-view needs to be something that is “in your blood.”
Re: send su password in ssh by chb (Deacon) on Sep 28, 2010 at 07:05 UTC
Maybe something like Net::SSH::Expect is better suited for this kind of programmed remote interaction?	[reply]
Re^2: send su password in ssh by steve (Deacon) on Sep 30, 2010 at 15:19 UTC
I have used Net::SSH::Expect to perform this task with both key-based and password authentication. Any expect-capable script should resolve any of your timing concerns.	[reply]


more useful options
	PerlMonks