Bash library for executing remote sudo commands while preserving the tty.
With μpkg
upkg install -g orbit-online/ssh-sudo.sh@<VERSION>
ssh_sudo works by creating 3 temporary files on the remote.
The first 2 are owned and only readable by $SSH_USER:
- A fifo (named pipe) that outputs the sudo password
- A sudo askpass script that reads from the fifo and outputs to stdout
The third is owned and only readable by $SSH_SUDO_USER. It contains the commands that are passed to ssh_sudo.
All 3 files are deleted after the commands have completed.
The sudo password is only ever transmitted to the remote (and any child process) via stdin piping, meaning it will not be visible in the process list as an argument at any point in time and is never saved to disk.
None of the variables need to be exported, meaning none of the child processes your script runs will be able to see the sudo password.
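The fifo and askpass handoff described above can be tried locally with the following added example, which is not code from ssh-sudo.sh. It assumes a stand-in `fake_sudo` in place of `sudo -A` (which runs the program named in `SUDO_ASKPASS`); `askpass_demo` and the file names are hypothetical, and the third (commands) file is left out.

```bash
#!/usr/bin/env bash
# Local demo of the fifo + askpass handoff (no ssh or sudo required).
# askpass_demo and fake_sudo are hypothetical names, not part of ssh-sudo.sh.

# Stand-in for `sudo -A`, which runs the program named in $SUDO_ASKPASS
# and takes the password from that program's stdout.
fake_sudo() {
  "$SUDO_ASKPASS"
}

# Reads the password from stdin and prints:
#   <fifo mode> <askpass mode> <password received by fake_sudo> <temp dir>
askpass_demo() {
  local pass dir fifo askpass modes got
  IFS= read -r pass || return 1
  dir=$(mktemp -d) || return 1
  fifo=$dir/pass.fifo
  askpass=$dir/askpass.sh
  (
    umask 077                      # files are created owner-only
    mkfifo "$fifo"
    printf '#!/bin/sh\nexec cat "%s"\n' "$fifo" > "$askpass"
    chmod 700 "$askpass"
  ) || return 1
  modes="$(ls -ld "$fifo" | cut -c1-10) $(ls -ld "$askpass" | cut -c1-10)"
  # printf is a shell builtin, so the password never appears in an argv.
  # The writer blocks until the askpass script opens the fifo for reading.
  printf '%s\n' "$pass" > "$fifo" &
  got=$(SUDO_ASKPASS=$askpass fake_sudo)
  wait
  rm -rf "$dir"                    # nothing is left behind afterwards
  printf '%s %s %s\n' "$modes" "$got" "$dir"
}

# Constructed sample password, supplied on stdin only.
if [ "${1:-}" = "--demo" ]; then
  printf 'constructed-pass\n' | askpass_demo
fi
```

The fifo holds the password only in a kernel pipe buffer, so the one file written to disk is the askpass script, which contains the fifo path and not the password.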
Performance can be increased considerably by using an SSH control master:
SSH_OPTS=(
-o ControlMaster=auto
-o ControlPath="$HOME/.ssh/control/myscript-%r@%h:%p"
-o ControlPersist=120s
-o ConnectTimeout=10s
)
Do note that the control master decides the SSH options. This means that if the SSH connection is started without -t, any subsequent connections through the same control master will not have a pseudo-terminal allocated, even if -t is used.
In that case a connection on a separate ControlPath must be established.
Run a command as root on the remote while preserving stdin, stdout, and stderr.
Run a command as $SSH_USER on the remote.
Run a command as root on the remote but do not preserve stdin (quicker).
These variables do not need to be exported; you can define them in your script as global variables and then use the above functions.
Remote SSH user (required)
Remote SSH host (required)
sudo password for $SSH_USER (required)
Remote user to sudo to, defaults to root (optional)
An array of options to pass to all ssh invocations (optional)