In my Foreman instance, I've set up job execution (Run job) to work. On my hosts, I have ssh PermitRootLogin set to no, as it should be. We log into hosts with our own usernames, then run commands via sudo. Thus, in order to get Run job to work properly, in Foreman I set Administer > Settings > RemoteExecution > remote_execution_effective_user=root, remote_execution_effective_user_method=sudo, and remote_execution_ssh_user=asudouser. The only way I could see to make this work was to set NOPASSWD in asudouser's sudoer file directive. Clearly, this flies in the face of best practices. Is there a way for me to pass asudouser's sudo password via Foreman, or is there some more secure way to make Run job work?
I don't know of a way of achieving what you are after, however, I question the "more secure" sentiment that is driving this. Sudo is specifically designed to try and prevent what you are trying to do because it opens up doors for people to glean passwords and leads to other bad habits. In fact, you cannot just "pipe" a password to sudo normally (you have to pass the -S flag).
So I disagree that using NOPASSWD "clearly … flies in the face of best practices". I also disagree that setting PermitRootLogin to no is "as it should be". The "without-password" option is perfectly acceptable in many situations when using SSH keys - especially when you include "from=" options in your authorized_keys file and such.
If you have company policies which require a specific design that is one thing, but in general keep in mind that there are many different levels of "secure" and different people/organizations have different needs/tolerances. For example, allowing Foreman to ssh directly as root is fine in my case because the logging/auditing in Foreman itself is sufficient to meet our compliance requirements.
Regards,
j
From: "Diggy"
To: "Foreman Users"
Sent: Monday, March 27, 2017 9:54:37 AM
Subject: [foreman-users] Run job - send sudo password from Foreman
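The thread leaves the reader with two configurations to review: a NOPASSWD sudoers entry for the Foreman ssh user, or root logins restricted with "from=" in authorized_keys (and PermitRootLogin set to "without-password", which newer OpenSSH spells "prohibit-password"). The script below is an added example, not code from the thread or from the Foreman project. It builds two constructed sample files (the sudoers fragment and a root authorized_keys file, with fake key material, a placeholder proxy address 192.0.2.10 and an invented second account "bob") and then runs the checks an administrator would want on either approach: that NOPASSWD is held by exactly the one remote-execution account named in the thread (asudouser), and that every key accepted for root carries a source restriction.

```shell
#!/bin/sh
# Added example: audit the two settings debated in the thread.
# Sample files are constructed below; the real paths would be
# /etc/sudoers.d/<file> and /root/.ssh/authorized_keys.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUDOERS="$WORK/sudoers.d_foreman"        # stand-in for /etc/sudoers.d/foreman
ROOT_KEYS="$WORK/root_authorized_keys"   # stand-in for /root/.ssh/authorized_keys

# Constructed sudoers fragment: asudouser (from the thread) has passwordless
# sudo as intended; "bob" is an invented over-broad entry that should be flagged.
cat > "$SUDOERS" <<'EOF'
# Foreman remote execution account
asudouser ALL=(root) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
bob ALL=(ALL) NOPASSWD: ALL
EOF

# Constructed authorized_keys for root: one key pinned to the Foreman proxy
# address with from= (the option j mentions), one unrestricted key.
# Key material is fake.
cat > "$ROOT_KEYS" <<'EOF'
from="192.0.2.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFOREMANPROXY foreman-proxy
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYUNRESTRICTED admin-laptop
EOF

# Print every principal (user or %group) granted NOPASSWD in a sudoers file.
# Comment lines are skipped; the principal is the first field of a rule.
nopasswd_users() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' | awk '{print $1}'
}

# Print NOPASSWD principals other than the one expected account ($2).
# Empty output means the grant is scoped to that account alone.
unexpected_nopasswd() {
    nopasswd_users "$1" | grep -v -x "$2" || true
}

# Print authorized_keys entries that carry no from= source restriction.
# Blank and comment lines are ignored.
unrestricted_keys() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | grep -v 'from=' || true
}

echo "NOPASSWD principals other than asudouser:"
unexpected_nopasswd "$SUDOERS" asudouser
echo "root keys without a from= restriction:"
unrestricted_keys "$ROOT_KEYS"
```

To run it against a live host, point SUDOERS and ROOT_KEYS at the real files (and loop over /etc/sudoers.d/*); the checks are read-only. They are a coarse grep, not a sudoers parser, so validate edits with `visudo -c` and treat the output as a list of entries to review rather than a verdict.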