[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: sudo when using scp?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: sudo when using scp?
- From: Matt Provost <mprovost_(_at_)_termcap_(_dot_)_net>
- Date: Mon, 21 Feb 2005 09:13:53 -0800
On Feb 21 01:52 PM, Saad Kadhi wrote:
> On Mon, Feb 21, 2005 at 12:33:14PM +0100, Didier Wiroth wrote:
> > Hi,
> > The situtation:
> > 1) I'm physically connected to a client using ssh.
> > 2) I need to connect to anopenbsd server running sshd (OpenSSH_3.9,
> > OpenSSL 0.9.7d 17 Mar 2004) to copy files
> > 2a) server uses skey authentication.
> > 2b) root connections on sshd not allowed.
> > 3) The user that connects to the server is in the wheel group of the
> > server
> > I would not like to:
> > a) change file ownership
> > b)change file access rights
> > c) allow root access
> > How can I copy files from the server's /etc/ (files owned by root) to
> > the client's /etc
> > scp -o "user=myuser:skey" my.sshd.server:/etc/ppp/* /etc/ppp
> > This does of course not work as file access is denied.
> tar them as root on the remote server from a cronjob or some shell
> wrapper through ssh such as "sudo tar cf etc-ppp.tar /etc/ppp" and copy
> the tar to the client using your user account then untar them to the
> target directory using sudo or the likes.
> Saad Kadhi
> "He who relieves the poor makes Ahura king"
Even better, just pipe the files around using ssh and avoid scp
altogether. A command like this should work:
sudo tar cf - /etc | ssh otherserver "sudo sh -c 'tar xvf - -C /etc'"
The one trick is that you need to have the sudo command on the second
machine already within its password timeout. IE when you use sudo, it
usually lets you run commands without a password for 5 minutes,
depending on your config. So just do a sudo -v on the target machine
or ssh othermachine sudo -v (warning this will show your password to
the screen) and then run the tar pipe. If you're going to be doing this
unattended, make a specific user for this task and add it to
/etc/sudoers on the target so that it can run tar without a password.
Other quick tip, only use one tar v option, usually on the target side.
Otherwise you'll get double listings which are hard to read.
Visit your host, monkey.org