2

I am trying to remotely run a shell script on an ubuntu host.

I can ssh to the machine using me@host just fine.

On the remote machine I can run sudo commands without needing to input a password.

I can run a shell command on the remote host just fine using rsh

So now I put a sudo command and I get an error

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper

the command I run is the following:

ssh user@hostIPAddress  "cd /opt/somewhere && sh -v -v ./install.sh"

the install.sh contains one command that requires a sudo command

#!/bin/bash
  
sudo pm2 stop someprocess

How do I get around this error?

reza
  • 355
  • 4
  • 5
  • 11
  • 1
    What is the output of `ssh user@hostIPAddress 'sudo whoami'`? Is this the same user and machine you meant when you said, "I can run sudo commands without needing to input a password"? – bitinerant Dec 30 '20 at 18:52
  • I get root when I run the command you suggested. when I run the whoami without the sudo, I get the user I sshed as – reza Dec 30 '20 at 18:56
  • I'm unable to reproduce your issue. I created /tmp/install.sh with `#!/bin/bash¶echo I am $(sudo whoami)` and ran `ssh myserver "cd /tmp && sh -v -v ./install.sh"` but it worked fine. – bitinerant Dec 30 '20 at 19:09
  • ok, let me check again. – reza Dec 30 '20 at 19:12
  • So if your `ssh user@hostIPAddress 'sudo whoami'` worked without requiring a password, then we have a proof point that you *can* run (at least *some*) sudo commands through ssh successfully, right? That would indicate to me that the problem is likely somewhere in the `sh -v -v install.sh`. As bitinerant said, give his simple-test install.sh a try. If it works, then we need to figure out what in the other `install.sh` is causing password request. Try that `sudo pm2 stop someprocess` in the test file and see if you can isolate the problem to that. – NotTheDr01ds Dec 30 '20 at 20:28
  • I was targetting the wrong machine. Sorry about that. ssh -t user@hostIPAddress "sudo whoami" still asks for password. I think I need to fix the asking of password first. Correct? – reza Dec 30 '20 at 22:18
  • As described in the answer from Kamil Maciorowski, you can just add `-t` to the ssh command and it will prompt you for the password. – bitinerant Dec 30 '20 at 22:25
  • ssh user@IP "whoami" works with out asking for password – reza Dec 30 '20 at 22:37
  • The `-t` is so `sudo` can prompt you for a password. – bitinerant Dec 30 '20 at 22:41
  • I want to eliminate the need to enter a password. That is the problem I need to solve – reza Dec 30 '20 at 22:45
  • Then you need to edit `sudoers`, but with care. See [How to run an application using sudo without a password?](https://askubuntu.com/a/39294). Note "You can replace the path to an executable with "ALL" if you choose, giving you complete passwordless sudo." – bitinerant Dec 30 '20 at 22:55
  • that is exaclty what I was looking for. – reza Dec 30 '20 at 23:01
  • so now how do I give you credit for the response? – reza Dec 30 '20 at 23:02
  • 1
    I'm downvoting this question because it states "on the remote machine I can run sudo commands without needing to input a password" and then the accepted answer is exactly "how to run a sudo command without a password". The explicit question is "How do I get around this [`a terminal is required`] error?" and the accepted answer has nothing to do with it. Please [edit] and **make the question coherent with what you accepted**. I will revoke my vote and delete my answer then. – Kamil Maciorowski Dec 31 '20 at 00:02

2 Answers2

6

Changing the behavior of ssh

When you run ssh without a command and there is a local pseudo-terminal, the tool allocates a pseudo-terminal on the remote side automatically. Usually you access an interactive remote shell this way, so allocating a terminal is the right thing to do.

When you provide a remote command to ssh, it assumes the command is not interactive. It doesn't provide a pseudo-terminal to the command. This happens in your case, sudo finds no terminal.

You can explicitly tell local ssh to allocate a pseudo-terminal on the remote side:

-t
Force pseudo-terminal allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.

(source)

 ssh -t user@hostIPAddress  "cd /opt/somewhere && sh -v -v ./install.sh"

Note when you do this, you can no longer tell the stdout and stderr of ./install.sh apart locally. Read the "broader picture" part of this another answer of mine.

Changing the behavior of sudo

sudo suggests alternative solutions that depend solely on sudo itself:

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper

These are:

  • read from standard input: sudo -S (see this answer);
  • configure an askpass helper: sudo -A (see the second part of this answer).

Both require an argument to sudo, so you would need to change the script. It's easy to lessen security by using any of these options. Strongly prefer ssh -t. Note in general sudo may be configured not to work without a terminal anyway.

Kamil Maciorowski
  • 69,815
  • 22
  • 136
  • 202
  • ssh -t user@hostIPAddress "sudo whoami" still asks for password – reza Dec 30 '20 at 22:17
  • @reza Your explicit question is "How do I get around this error?" and what you call "error" is `sudo: a terminal is required …`. My answer solves exactly this. – Kamil Maciorowski Dec 30 '20 at 22:26
  • ssh user@IP "whoami" works with out asking for password – reza Dec 30 '20 at 22:37
  • I wish I could rephrase my question but it is too late to change the title ... ssh -t user@IP "sudo whoami" [sudo] password for ubuntu: – reza Dec 30 '20 at 22:38
  • `ssh -t ` changed my life. So many useless tutorials whereas this is so simple! Lesson of the day: **`RTFM`** – Olivier Pons Jan 27 '22 at 19:57
4

If you don't want sudo to prompt for a password, after understanding the security implications, you can edit the sudoers file. However, it is not safe to edit the file directly. Instead, use:

sudo visudo

To allow running your specific program without a password, add a line to sudoers in the format:

YOURNAME ALL = NOPASSWD: /path/to/pm2 stop someprocess

Above, replace YOURNAME with your login on that system, and /path/to/pm2 with the full path to that program (output of which pm2).

If you want to allow running pm2 passwordless with any parameters, not just stop someprocess, then delete those last 2 words from the line.

For more on editing sudoers, see How to run an application using sudo without a password and man sudoers and man visudo.

bitinerant
  • 720
  • 4
  • 10