Project

General

Profile

Actions

Feature #21731

closed

Extend Remote Execution SSH provider with the ability to provide password to escalate privileges instead of passwordless sudo

Added by Ivan Necas over 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1515888

Description of problem:
To be able to run commands that require escalated privileges (sudo), it is currently required to set sudo rule "NOPASSWD" for the SSH user on the target host. (For Red Hat IdM users, the same thing can be achieved with a sudo rule with the sudo option "!authenticate".)

"NOPASSWD" (i.e. passwordless sudo) is not acceptable in all environments and therefore it would be useful to be able to provide a password used for privilege escalation at the remote host.

As a reference, this would be similar to the "--ask-become-pass" option in Ansible.

Version-Release number of selected component (if applicable): 6.2.12

How reproducible: Always

Steps to Reproduce:
1. Setup REx with a user that is not root, e.g. by following https://access.redhat.com/solutions/2650071
2. Notice that you have to set "test-user ALL=NOPASSWD: ALL" in your sudoers config

Suggested solution:
In the settings for REx (Administer -> Settings -> RemoteExecution) there are currently 3 settings concerning user and privilege escalation:

remote_execution_ssh_user: testuser
remote_execution_effective_user: root
remote_execution_effective_user_method: sudo

My suggestion is to add another setting, e.g:

remote_execution_sudo_password: ***

That password is then used to escalate privileges at the remote host after authenticating with the user specified in "remote_execution_ssh_user".


Related issues 1 (0 open1 closed)

Related to Foreman Remote Execution - Bug #24113: undefined method `build' for ForemanRemoteExecutionCore::FakeScriptRunner:Class (NoMethodError) with fake executorClosedIvan Necas06/29/2018Actions
Actions #1

Updated by Ivan Necas over 6 years ago

  • Subject changed from Extend Remote Execution SSH provider with the ability to provide password to escalate privileges instead of passwordless sudo to Extend Remote Execution SSH provider with the ability to provide password to escalate privileges instead of passwordless sudo
  • Target version set to 113
Actions #2

Updated by The Foreman Bot almost 6 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Anonymous
  • Pull request https://github.com/theforeman/foreman_remote_execution/pull/342 added
Actions #3

Updated by Anonymous almost 6 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #4

Updated by The Foreman Bot almost 6 years ago

  • Pull request https://github.com/theforeman/foreman_remote_execution/pull/351 added
Actions #5

Updated by Ivan Necas over 5 years ago

  • Related to Bug #24113: undefined method `build' for ForemanRemoteExecutionCore::FakeScriptRunner:Class (NoMethodError) with fake executor added
Actions

Also available in: Atom PDF