{"id":287,"date":"2013-03-11T00:04:43","date_gmt":"2013-03-11T00:04:43","guid":{"rendered":"https:\/\/www.nicktailor.com\/?p=287"},"modified":"2022-10-21T11:59:54","modified_gmt":"2022-10-21T11:59:54","slug":"how-to-pass-a-password-to-su-as-a-variable-in-script","status":"publish","type":"post","link":"https:\/\/nicktailor.com\/tech-blog\/how-to-pass-a-password-to-su-as-a-variable-in-script\/","title":{"rendered":"How to pass a “password” to su as a variable in a script"},"content":{"rendered":"

How to pass a “password” to su as a variable in script and execute tasks to an array of hosts<\/strong><\/span><\/p>\n

Some of you may work for organizations that do access control for linux servers. In which case they do not use ssh keys for root, and are still doing the unthinkable allowing the use of password authentication.<\/p>\n

So this means you have to log into a server and the \u201csu \u2013\u201c to root before you can execute commands, and if you have an array of servers this could be tedious and time consuming. I was told by everyone that you can\u2019t pass a \u201cpassword\u201d as a variable in script to su, as it\u2019s not allowed.<\/p>\n

Guess what\u2026that\u2019s a lie, because I\u2019m going to show you how to do it securely.<\/p>\n

 <\/p>\n

    \n
  1. So you need to install something called expect on all your servers. This tool is used for interactive testing of scripts. It makes the script pass human typing where needed. You can pass variables to this and use it as a wrapper inside another script.\n
      \n
    1. \u201cYum install expect\u201d on debian \u201capt-get install expect\u201d<\/em><\/li>\n<\/ol>\n<\/li>\n
    2. Now what you want to do is log into your server as the user not root, and inside the home directory you want to setup the following to scripts\n
        \n
      1. Create a file called gotroot<\/li>\n
      2. Vi \u00a0\u00a0gotroot<\/em>, add the following below and save.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n

        The script below is a wrapper script, that you will use inside another bash script later in this tutorial.<\/p>\n

        Usage would be<\/p>\n

        .\/gotroot <user> <host><userpass><rootpass><\/em><\/p>\n

        These arguments will then get passed to the remote host and it will execute the send commands below in our case \u201cls \u2013al\u201d, and then once its done it will exit and log out of the server and return you to the host you started from. This script does not account for ssh fingerprinting, so you will need to ensure you fingerprint your user to each server before using this script. I will add fingerprinting in future, just got lazy.<\/p>\n

        What I like to do is..I will write a bash script that it going to do a bunch tasks, scp it over all the servers as my user, then comment out the ls \u2013al section and uncomment the section where you can tell to run the bash script. This will then log in to the server and su to root, execute your bash script, exit and log\u00a0 out.<\/p>\n

        ========================<\/em>
        \n #!\/usr\/bin\/expect -f<\/em>
        \n set mypassword [lindex $argv 2]<\/em>
        \n set mypassword2 [lindex $argv 3]<\/em>
        \n set user [lindex $argv 0]<\/em>
        \n set host\u00a0 [lindex $argv 1]<\/em>
        \n spawn ssh -tq $user@$host<\/em><\/p>\n

        ########################################################<\/em><\/p>\n

        #this section is only needed if you are NOT using ssh keys<\/em>
        \n #expect “Password:”<\/em>
        \n #send “$mypassword\\r”<\/em>
        \n #expect “$ “<\/em><\/p>\n

        #########################################################<\/em><\/p>\n

        send “su -\\r”<\/em>
        \n expect “Password:”<\/em><\/p>\n

        send “$mypassword2\\r”<\/em>
        \n expect “$ “<\/em><\/p>\n

        \u00a0<\/em><\/p>\n

        #this will execute command on the remote host<\/em><\/p>\n

        send “ls -al\\r”<\/em>
        \n expect “$ “<\/em><\/p>\n

        \u00a0<\/em><\/p>\n

        #this will execute script you want to run on remote host<\/em>
        \n #send “\/home\/nicktailor\/script.pl\\r”<\/em>
        \n #expect “$ “<\/em><\/p>\n

        \u00a0<\/em><\/p>\n

        #this command will exit the remote host<\/em>
        \n send “exit\\r”<\/em>
        \n send “exit\\r”<\/em><\/p>\n

        interact<\/em><\/p>\n

        ==============================================<\/p>\n

        How to wrap this script so it will do any array of hosts within bash.<\/span><\/strong><\/p>\n

          \n
        1. Create a file called host\n
            \n
          1. Vi \u00a0hosts and the following below in it.<\/li>\n
          2. Also created a file called logs.txt \u201ctouch logs.txt\u201d<\/em><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n

            This script will all you to use the above script as a wrapper and it will go and execute the command you want from got root to each host in the servers variable listed below.<\/p>\n

            In addition you it will prompt you the user name and root pass, and will not show he passwords you enter, it will prompt you the same way if you were to do \u201csu \u2013\u201c. It will then take those credentials and use it for each host securely, the passwords will not show up in logs or history anywhere, as some security departments would have issues with that.<\/p>\n

            So you simply type \u201c.\/hosts\u201d<\/p>\n

            It will prompt you for whatever it requires to continue. Just be sure that you add the array of hosts you want to execute the tasks on, and that you have setup a ssh fingerprint as your user first. Expect scripts are extremely easy to learn, once you play with this.<\/p>\n

            =======================================
            \n#!\/bin\/bash<\/em><\/p>\n

            #########################<\/em><\/p>\n

            #some colour constants #<\/em><\/p>\n

            #########################<\/em><\/p>\n

            \u00a0<\/em><\/p>\n

            CLR_txtblk=’\\e[0;30m’ # Black – Regular<\/em>
            \nCLR_txtred=’\\e[0;31m’ # Red<\/em>
            \nCLR_txtgrn=’\\e[0;32m’ # Green<\/em>
            \nCLR_txtylw=’\\e[0;33m’ # Yellow<\/em>
            \nCLR_txtblu=’\\e[0;34m’ # Blue<\/em>
            \nCLR_txtpur=’\\e[0;35m’ # Purple<\/em>
            \nCLR_txtcyn=’\\e[0;36m’ # Cyan<\/em>
            \nCLR_txtwht=’\\e[0;37m’ # White<\/em>
            \nCLR_bldblk=’\\e[1;30m’ # Black – Bold<\/em>
            \nCLR_bldred=’\\e[1;31m’ # Red<\/em>
            \nCLR_bldgrn=’\\e[1;32m’ # Green<\/em>
            \nCLR_bldylw=’\\e[1;33m’ # Yellow<\/em>
            \nCLR_bldblu=’\\e[1;34m’ # Blue<\/em>
            \nCLR_bldpur=’\\e[1;35m’ # Purple<\/em>
            \nCLR_bldcyn=’\\e[1;36m’ # Cyan<\/em>
            \nCLR_bldwht=’\\e[1;37m’ # White<\/em>
            \nCLR_unkblk=’\\e[4;30m’ # Black – Underline<\/em>
            \nCLR_undred=’\\e[4;31m’ # Red<\/em>
            \nCLR_undgrn=’\\e[4;32m’ # Green<\/em>
            \nCLR_undylw=’\\e[4;33m’ # Yellow<\/em>
            \nCLR_undblu=’\\e[4;34m’ # Blue<\/em>
            \nCLR_undpur=’\\e[4;35m’ # Purple<\/em>
            \nCLR_undcyn=’\\e[4;36m’ # Cyan<\/em>
            \nCLR_undwht=’\\e[4;37m’ # White<\/em>
            \nCLR_bakblk=’\\e[40m’ \u00a0 # Black – Background<\/em>
            \nCLR_bakred=’\\e[41m’ \u00a0 # Red<\/em>
            \nCLR_bakgrn=’\\e[42m’ \u00a0 # Green<\/em>
            \nCLR_bakylw=’\\e[43m’ \u00a0 # Yellow<\/em>
            \nCLR_bakblu=’\\e[44m’ \u00a0 # Blue<\/em>
            \nCLR_bakpur=’\\e[45m’ \u00a0 # Purple<\/em>
            \nCLR_bakcyn=’\\e[46m’ \u00a0 # Cyan<\/em>
            \nCLR_bakwht=’\\e[47m’ \u00a0 # White<\/em>
            \nCLR_txtrst=’\\e[0m’ \u00a0 \u00a0# Text Reset<\/em><\/p>\n

            #<\/em><\/p>\n

            #########################<\/em><\/p>\n

            SERVERS=\u201dhost1 host2 host3\u201d<\/em>
            \n#echo -e “${CLR_bldgrn}Enter Servers (space seperated)${CLR_txtrst}”<\/em><\/p>\n

            #read -p “servers: ” SERVERS<\/em>
            \n echo -e “${CLR_bldgrn}Enter User${CLR_txtrst}”<\/em>
            \nread -p “user: ” USERNAME<\/em>
            \necho -e “${CLR_bldgrn}Enter Password${CLR_txtrst}”<\/em>
            \nread -p “password: ” -s USERPW<\/em>
            \necho<\/em>
            \necho -e “${CLR_bldgrn}Enter Root Password${CLR_txtrst}”<\/em>
            \nread -p “password: ” -s ROOTPW<\/em>
            \necho <\/em>
            \nfor machine in $SERVERS; do<\/em>
            \n~\/gotroot ${USERNAME} ${machine} ${USERPW} ${ROOTPW} \u00a02>&1 | tee -a logs.txt<\/em>
            \ndone<\/em><\/p>\n

            ======================================<\/p>\n

            Hope you enjoyed this tutorial and if you have any questions email nick@nicktailor.com<\/p>\n","protected":false},"excerpt":{"rendered":"

            How to pass a “password” to su as a variable in script and execute tasks to an array of hosts Some of you may work for organizations that do access control for linux servers. In which case they do not use ssh keys for root, and are still doing the unthinkable allowing the use of password authentication. So this meansRead More …<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58,138],"tags":[],"class_list":["post-287","post","type-post","status-publish","format-standard","hentry","category-centos","category-linux"],"_links":{"self":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/comments?post=287"}],"version-history":[{"count":7,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/287\/revisions"}],"predecessor-version":[{"id":1618,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/287\/revisions\/1618"}],"wp:attachment":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/media?parent=287"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/categories?post=287"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/tags?post=287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}