We are thinking of using a batch file as shown below for our software deployment. While we don't need high security we are still wondering if there are obvious security issues with this approach.
@echo off
set /p PASSWORD="Please enter sudo password:"
ssh -t user@host "echo %PASSWORD% | sudo -S su;sudo docker container ls"
We are running the batch file on our dev machines (Windows) to deploy docker containers to Linux machines. While running the file we are prompted for the sudo password which is then used in the SSH command. The restart of the docker containers and some other commands need to be run as sudo after the deployment. The users on the Linux machines do not have sudo access nor the root password.
If the SSH command is executed like this, is this logged somewhere, e.g. in an SSH command history or the history of the user?
Are there improvements we could make to this approach?
For sure there are more elaborate ways to do this, but for now we need a solution as simple as this which is simple and pragmatic.
ps). You could circumvent this entire thing either by configuring /etc/sudoers to allow your docker commands to be run with sudo without a password (no need for root anymore), or set up docker to run as non-root user. – Panki Jan 11 '23 at 17:22
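
A sketch of the /etc/sudoers route suggested in the comment above, as an added example that is not part of the original thread: a drop-in that lets the deploy login run only the listed docker command lines without a password, so the batch file no longer has to put the password on the remote command line. The file name, the docker path /usr/bin/docker and the container name myapp are assumptions; the login name user is taken from the batch file.

```sudoers
# /etc/sudoers.d/deploy-docker   (hypothetical file name; owned by root, mode 0440)
# Check the syntax before relying on it:  visudo -cf /etc/sudoers.d/deploy-docker
#
# Assumptions: the SSH login is "user" (as in the batch file), docker lives at
# /usr/bin/docker, and "myapp" is a placeholder container name.

# Too broad: being able to run any docker command as root is equivalent to
# full root on the host, so do not grant the bare binary.
# user ALL=(root) NOPASSWD: /usr/bin/docker

# Narrow: only these exact command lines are allowed without a password.
# When arguments are listed, sudoers matches them literally, so
# "docker restart other" or "docker run ..." is not covered by this rule.
Cmnd_Alias DEPLOY_DOCKER = /usr/bin/docker container ls, \
                           /usr/bin/docker restart myapp

user ALL=(root) NOPASSWD: DEPLOY_DOCKER

# The batch file then needs neither the password prompt nor "sudo -S":
#   ssh user@host "sudo -n /usr/bin/docker restart myapp && sudo -n /usr/bin/docker container ls"
# "sudo -n" fails immediately instead of prompting when a command is not covered.
```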