[aklug] automating remote access using ssh for root level info retrieval?

From: techno curmudgeon <technocurmudgeon@gmail.com>
Date: Tue Apr 23 2013 - 15:34:30 AKDT

Greets all.

I need a 'basics-202' question answered; it's been a while.

From a cronjob, how do I automatically ssh to a remote box to retrieve
information that normally requires root equivalence to see?

Details:

all of my boxes have
    1. root logins disabled via /etc/login.block.
    2. root login via ssh blocked in /etc/ssh/sshd_config:
        PermitRootLogin no

    3. all ssh logins are via pub/priv keypair. Manual passwords are
       disabled.
        PasswordAuthentication no

    4. I've set up a limited uid 'automate' with a keypair that is used for
       automated ssh connectivity tasks (for use in cron jobs, for example).
       'automate' is obviously not a sudoer or in wheel or a group 0 userid.

All well and good (and probably incomplete, but that's another post).

But...

There are things that apparently require root equivalence to do, such as
'netstat -patn' to look at -all- tcp connections.

-------
$ netstat -patn

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)

<snip>
--------

or

('apt-mirror' is hostname of remote box)
---------

$ ssh apt-mirror netstat -patn
(No info could be read for "-p": geteuid()=1008 but you should be root.)
Active Internet connections (servers and established)

<snip>
---------

If you are in an interactive session, then to look at all tcp connections
you type:

$ sudo netstat -patn

But I don't think this can be done over an automated ssh session.

-----
$ ssh -t apt-mirror sudo netstat -patn
[sudo] password for automate: <hangs here>
-----

For a couple of reasons:

1. sudo interactively wants the 'automate' password
2. 'automate' is not a sudoer anyway.

I can probably mickeymouse something to do this, but I'd really rather do
it right. (Is ssh even the right approach for this type of activity?)
Question is, what is the proper way to do something like this?

Thanks!
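
As an added illustration (not part of the original post or any reply to it) of the least-privilege pattern for exactly this situation: pin the 'automate' key on the remote host to a forced command, grant passwordless sudo for that one exact command, and run ssh from cron in batch mode so a missing rule fails instead of hanging at a password prompt. Assumed values, not taken from the post: netstat at /bin/netstat, sudo at /usr/bin/sudo, a drop-in file /etc/sudoers.d/automate, and a key file ~/.ssh/automate_key.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the three pieces of
# config needed to let a non-root cron user run one root-only command over
# ssh, plus a sanity check that the sudoers rule is narrow enough.
# Assumed paths (not from the post): /bin/netstat, /usr/bin/sudo,
# /etc/sudoers.d/automate, ~/.ssh/automate_key.

CMD='/bin/netstat -patn'

# Server side, ~automate/.ssh/authorized_keys: whatever command the client
# asks for, this key can only run CMD. The no-* options close off tunnels,
# agent forwarding and interactive use. 'sudo -n' fails instead of prompting,
# which is the hang seen with 'ssh -t apt-mirror sudo netstat -patn'.
authorized_keys_line() {
  printf 'command="/usr/bin/sudo -n %s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$CMD" "$1"
}

# Server side, /etc/sudoers.d/automate: one exact command as root, no
# password prompt. 'automate' stays out of wheel; it gets only this rule.
sudoers_line() {
  printf 'automate ALL=(root) NOPASSWD: %s\n' "$CMD"
}

# Sanity check before installing a rule: the NOPASSWD command must be an
# absolute path and the rule must not grant ALL. Returns 0 when narrow enough.
sudoers_is_narrow() {
  rule="$1"
  case "$rule" in
    *'NOPASSWD: /'*) ;;          # command is an absolute path
    *) return 1 ;;
  esac
  case "$rule" in
    *' ALL'|*'ALL,'*|*'NOPASSWD: ALL'*) return 1 ;;   # blanket grant
  esac
  return 0
}

# Client side, crontab entry: BatchMode makes ssh exit non-zero rather than
# prompt, -n keeps stdin closed, and the trailing 'true' is ignored because
# the server's forced command runs instead.
cron_line() {
  printf '%s\n' '*/10 * * * * ssh -n -o BatchMode=yes -i ~/.ssh/automate_key automate@apt-mirror true >> /var/tmp/apt-mirror-netstat.log 2>&1'
}
```

Install the sudoers line with `visudo -f /etc/sudoers.d/automate` so a syntax error cannot lock sudo, and confirm from the client with `ssh -n -o BatchMode=yes automate@apt-mirror true`, which should now print the full netstat output with process names.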

Received on Tue, 23 Apr 2013 15:34:30 -0800