Copy file via scp from a remote machine that need root access (with remote root access disabled)

Question

I'm on the machine A, and I want to run a bash script from A to copy some files from B via scp. Those files are stored in a path that needs root access to be accessed but root remote access is disabled for ssh in B. I cannot change that configuration.

Standard scp statements do not work since I'm not asked to type B's root password during scp execution on A.

How can I do?

copy the file somewhere else where you have an access and then use scp. — Jakuje, Jul 18 '16 at 12:02
ok, but how can I copy root protected on B file running a script from A? (not via shell) — floatingpurr, Jul 18 '16 at 12:04
probably you will need to configure sudo for that. It can work also non-interactive, without password or authenticate you using different means (pam_ssh_agent_auth). — Jakuje, Jul 18 '16 at 12:05
Then you will probably have to go down to use some expect script. — Jakuje, Jul 18 '16 at 13:31
Have you familiarized with ansible? One simple ansible can do that, If you need, I will post here a full step by step to install and create a ansible playbook to do it using a simple user with sudo privileges. — Franciscon Santos, Jul 18 '16 at 15:15
@Gilles, the question states server sshd_config can not be changed, yet this question was marked as duplicate of a question where all scoring answers instruct to change sshd_config. Certainly answers in the other question may be useful, but IMO this is NOT a duplicate of that question. — AnyDev, Jul 20 '16 at 01:08
@AndrDevEK The accepted answer also discusses the case where the server configuration can't be changed, and there's another answer that explains how to set up a tunnel. I don't think we need to duplicate the answers here. — Gilles 'SO- stop being evil', Jul 20 '16 at 07:35

AnyDev · Answer 1 · 2016-07-18T23:07:41.380

I could get this to work on my box, but I'm not sure if sudoers option requiretty would break it.

On machine B create program that sudo will use to ask for passwords. e.g. /home/myname/askpass.sh, chmod it +x

#!/bin/bash
echo "my_password"

On machine A create connect script that will establish the ssh connection for the scp and inject sudo + related commands into remote command. e.g. call it ./fakessh.sh, chmod it +x

#!/bin/bash

oldargs=( $@ )

newargs=( )

while : ; do
  [ "${oldargs[0]}" == "scp" ] && break

  newargs+=( "${oldargs[0]}" )
  oldargs=( "${oldargs[@]:1}" )
done

newargs+=( 'export SUDO_ASKPASS=/home/myname/askpass.sh' \; exec sudo -A -- "${oldargs[@]}" )

exec ssh "${newargs[@]}"

Note that the script above references /home/myname/askpass.sh, update path as required.

Now run scp almost normally:

scp -S ./fakessh.sh user@hostname:/etc/shadow ./

This does work for me. YMMV.

I can think of other hacks if you can run something like ncat or socat with sudo, and point scp at the custom listening port, but that's getting silly from security point.

Ok but in that way I have to type unencrypted password in the file — floatingpurr, Jul 19 '16 at 10:51
@superciccio14 yes, example as it was written is far from great. You can get /home/myname/askpass.sh to read password from a named pipe and supply the password to that named pipe in another ssh session. You probably could pass the password via environment, which is a little better than saving it in a file but still not as good as with a named pipe because it will remain in memory longer and be readable by ps and such tools. I'm afraid if box is not under your control then no method is safe. — AnyDev, Jul 20 '16 at 00:51

Copy file via scp from a remote machine that need root access (with remote root access disabled)

1 Answers1