How to run sudo with parallel ssh

Question

Linux: ubuntu 14.04.3 LTS

cat /tmp/passfile
ABCxyz123

sshpass -f /tmp/passfile parallel-ssh -I -A -h hostlist.txt "sudo -S ls -l /root" < /tmp/passfile

and the method described here in google discussion groups.google outputs the error as:

[1] 01:07:25 [FAILURE] 10.0.4.194 Exited with error code 255
[2] 01:07:25 [FAILURE] 10.0.4.205 Exited with error code 255

in the remote server I'm trying to connect its /var/log/auth.log has below message

Sep 24 19:20:52 ubu1401 sshd[5765]: Accepted password for ubuntu from 10.0.4.1 port 55019 ssh2
Sep 24 19:20:52 ubu1401 sshd[5765]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Sep 24 19:21:26 ubu1401 sshd[5765]: pam_unix(sshd:session): session closed for user ubuntu
Sep 24 19:21:26 ubu1401 sudo: pam_unix(sudo:auth): conversation failed
Sep 24 19:21:26 ubu1401 sudo: pam_unix(sudo:auth): auth could not identify password for [ubuntu]
Sep 24 19:22:25 ubu1401 sshd[5791]: Connection closed by 10.0.4.1 [preauth]

Answer 1

To provide the password as securely, as possible, try this version (pssh on CentOS, Fedora and parallel-ssh on Ubuntu, Debian):

stty -echo; printf "Password: "; read PASS; stty echo; echo "${PASS}" | \ ssh <USER>@localhost "sudo -S dmesg"

Update (thanks @chutz):

read -s -p "Password: "; echo "${REPLY}" | \ ssh <USER>@localhost "sudo -S dmesg"

and then adapt it to pssh like this (updated accordingly):

read -s -p "Password: "; echo "${REPLY}" | \ pssh -H <USER>@localhost -o /tmp/output -I "sudo -S dmesg"

I use the same for ad-hoc collection of dumps from multiple servers. Stop it using Ctrl + C as usual. It will show [FAILURE] <HOST> Interrupted, but that is just because tcpdump would otherwise run infinitely - the output is still in the usual location. The -t 0 option is so the connection doesn't time out. I could also use tmux or screen and collect the dumps later.

read -s -p "Password: "; echo "${REPLY}" | \ pssh -h <HOSTFILE> -o /tmp/output -t 0 -I "sudo -S tcpdump -l -nn -vv -i any not port 22"

Make sure to include the correct ssh user and that you connected to those servers before. Testing things locally usually prevents taking down the entire fleet of servers. You can use the 127.0.0.X addresses instead of localhost to approximate multiple hosts.

Answer 2

have you tried running this via echoing the password in the shell?

echo "echo 'yourpassword'; sudo -S -c 'ls -l /root'"|pssh -I -H hostlist.txt

Answer 3

I would like to recommend my simple tool "spssh.sh" ( https://github.com/tangruize/spssh ) , which is simple (only 36 sloc) but useful enough. Unlike parallel-ssh, spssh.sh is interactive, and supports parallel/separate cmd executing. Hope it helps!

Answer 4

Using GNU Parallel you can do something like:

#!/bin/bash

runsshsudo() {
  cat /tmp/passfile |
    sshpass -f /tmp/passfile ssh "$@" sudo -S ls -l /root
}
export -f runsshsudo

cat hostlist.txt | parallel runsshsudo

This avoids putting the password on the command line (e.g. echo $PASS) which can be intercepted by an attacker by running ps aux.

Answer 5

I agree with @satch_boogie comment above - use ansible when you need SUDO and use pssh when you don't - its cleaner to SUDO in ansible IMO although initial setup is more involved.

Short answer: Example updating and upgrading package with apt:

ansible myservers -a "sudo apt -y update" --become -K

ansible myservers -a "sudo apt -y upgrade" --become -K

Long answer and setup: For my situation, I was using MacOS locally to manage my remote Linux machines. I did the following which may vary slightly if your using Linux:

1. make sure you have the same user created locally and on all target machines: sudo adduser username
2. add the user to the SUDO group on each target machine: usermod -aG sudo username
3. (maybe optional) Setup passwordless ssh though I'm unclear if this is needed but my environment was already setup with this. Try steps below first as it might not be necessary for passwordless ssh.
4. Install ansible on your local machine: brew install ansible (or linux sudo apt install ansible)
5. create the default hosts file for ansible on your local machine: sudo mkdir /etc/ansible && sudo touch /etc/ansible/hosts
6. edit the file sudo nano /etc/ansible/hosts
7. Add the target machines under a group (ip or machine name):

[myservers]
blah1.local
blah2.local
blah3.local

8. (Optional) I had a second user in the SUDO group on all target machines so I had to temporarily remove this user from the SUDO group to avoid a prompt (like when using sudo systemctl it asks to pick a SUDO user): ansible myservers -a "sudo deluser otheruser sudo" --become -K
9. Now run the actual SUDO command you want. Example: ansible myservers -a "sudo apt -y update" --become -K
10. (Optional) re-add the otheruser back to the SUDO group: ansible myservers -a "sudo adduser otheruser sudo" --become -K

Now every time I need to run a SUDO command across machines, I simply repeat steps 8-10.