Posted: 2014-10-17 22:31
I want to access files on remote servers where I'm just allowed to do
sudo su - TARGETUSER
Unfortunately I have to enter my password for sudo.
I found out that I can use SCP as file protocol and as shell I use
SUDO_ASKPASS=./mypass sudo -A su - TARGETUSER
mypass simply contains
echo 'My Secret Password'
This works fine except for the fact that ./mypass has to contain my password.
Does anyone here have any tips for me on how I can provide the password to sudo without having to store it in clear text?
Note: I can't change the configuration of sudo or anything of the system.
Posted: 2014-10-20 07:04
To answer my own question and maybe to raise some attention of others who might have better ideas, here is what I've come up with.
I created a script in my target host's home directory containing this:
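if [ -t 0 ] ; then # interactive
  if [ -r "$0.fifo" ] ; then rm "$0.fifo" ; fi
  mkfifo -m 600 "$0.fifo"
  echo -n "Password for upcoming winscp session: "
  read -rs p ; echo              # read the password without echoing it
  echo -n "Waiting for connection..."
  echo "$p" > "$0.fifo"          # blocks until the reader opens the fifo
  echo "Connected"
  rm -f "$0.fifo"                # removed by the writer...
elif [ -r "$0.fifo" ] ; then # non interactive - fifo exists
  cat "$0.fifo"                  # hand the password to sudo on stdout
  rm -f "$0.fifo"                # ...and by the reader
fi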
In my winscp settings for the host I have now this configured as shell:
SUDO_ASKPASS=mypass sudo -A su - TARGETUSER
Before I invoke the winscp session I log in to the target host starting "mypass", which will then ask me for the password and put it into a fifo. As soon as the fifo was read, I get the message "Connected" and the fifo gets removed.
But while the script is waiting for the connection, after I entered my password, I start winscp and connect to my host. The sudo command of my shell-commands starts "mypass" and notices that it's non-interactive and that a password is waiting in the fifo. It reads the password, echoes it to stdout (for sudo to read) and deletes the fifo. I delete the fifo twice just to be sure that it's removed, either by the writer or by the reader.
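Added example, not part of the original posts: a hardened variant of the FIFO hand-off described above. It keeps the FIFO in a directory only the owner can enter and has the reader refuse anything that is not a mode-600 FIFO it owns. The directory, the ASKPASS_DIR variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example: hardened variant of the FIFO hand-off described above.
# FIFO_DIR, ASKPASS_DIR and the function names are assumptions, not from the posts.
FIFO_DIR="${ASKPASS_DIR:-$HOME/.askpass}"
FIFO="$FIFO_DIR/pw.fifo"

# Succeeds only if $1 is a FIFO we own with mode 600 (no group/other access).
fifo_is_safe() {
    [ -p "$1" ] && [ -O "$1" ] || return 1
    case "$(ls -ld "$1")" in
        prw-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Create the FIFO inside a directory only the owner can enter.
make_fifo() {
    umask 077
    mkdir -p "$FIFO_DIR" && chmod 700 "$FIFO_DIR" || return 1
    rm -f "$FIFO"
    mkfifo -m 600 "$FIFO"
}

# Interactive side: prompt without echo, then block until sudo's helper reads.
writer() {
    make_fifo || return 1
    trap 'stty echo; rm -f "$FIFO"' EXIT   # restore the terminal, drop the FIFO
    trap 'exit 1' INT TERM                 # interrupted: leave via the EXIT trap
    printf 'Password for upcoming winscp session: ' >&2
    stty -echo; IFS= read -r p; stty echo; echo >&2
    printf 'Waiting for connection...' >&2
    printf '%s\n' "$p" > "$FIFO"
    unset p
    rm -f "$FIFO"
    echo 'Connected' >&2
}

# Non-interactive side (run by sudo -A): refuse anything that is not our FIFO.
reader() {
    fifo_is_safe "$FIFO" || return 1
    cat "$FIFO"
    rm -f "$FIFO"
}

# Dispatch only when installed under the name used on this page (mypass).
case "${0##*/}" in
    mypass*) if [ -t 0 ]; then writer; else reader; fi ;;
esac
```

Prompts go to stderr so that only the password reaches stdout, which is what sudo reads from the askpass helper.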