rsync - Mar 2022 - Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

Hi there,

We are using ansible to deploy system configuration and web application source
code to clusters of Linux computers. One part of this process requires
transferring large directories to the target hosts, which is done using the
?synchronize? command in ansible that is in turn a wrapper around rsync. This
work great in most scenarios, but we run into an issue with a specific (albeit
for us: prominent) use case:

- We try to have rsync connect over ssh using a non-privileged user account.
- The account is set up for publickey authentication, so we can use ?rsync -e
?ssh -i /home/user/.ssh/some_id??.
- On the target side, we want to escalate privileges for rsync, which we try
using ?rsync --rsync-path=?sudo rsync??.

This whole scenario works fine, as long as for the ssh account we use for
logging in, passwordless sudo is set up on the target. For security reasons, we
do not want to go this route. Instead, we want to supply the user?s password for
gaining privileges. On the web, I?ve found to suggestions for solving this:

a) Using ssh-askpass, we can use the options -e "ssh -X"
--rsync-path="sudo -A rsync" (see https://askubuntu.com/a/1167758).
The problem in our scenario is that using ansible, we run the identical rsync
command on multiple hosts in parallel (we target about 32 VMs in one go). So the
person running the script would have to enter the password into 32 dialogs
exactly at the time they pop up.

b) Passing the password to sudo via stdin using --rsync-path "echo
MYPASSWORD | sudo -S rsync" (see https://askubuntu.com/a/1155897). This has
the potential security implication that if the calling line is stored somewhere
in a shell history file of the control host, the password will be breached, but
there?s a couple of measures we can take so mitigate that. However, I fail at
getting this to run.

Here?s a sample command that I get out of a patched ansible ?synchronize?
command. I?m trying to connect to a Ubuntu 18.04 VM with the user account ?mark?
that is in the ?sudoers? group but does not have ?NOPASSWD? set, so running
?sudo? for the first time in a session will require to enter the password for
?mark? which here is ?test?:

rsync --delay-updates -F --compress --delete-after --archive --no-perms
--no-owner --no-group --rsh='/usr/bin/ssh -S none -i ~/ssh/some_private_key
-o Port=2222 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
--rsync-path='echo test | sudo -S -u root rsync 2>/dev/null'
--out-format='<<CHANGED>>%i %n%L' ~/test_source_dir mark at
127.0.0.1:/some/test_target_dir

This is what I get:
> Warning: Permanently added '[127.0.0.1]:2222' (ED25519) to the list
of known hosts.
> rsync: connection unexpectedly closed (0 bytes received so far) [sender]
As far as I understand, this could be due to "sudo -S" prompting for
the password and that prompt interfering with the rsync communications. However,
I?m out of ideas what I could do to get around that.

Help would be greatly appreciated ;-)

Thanks and greetings from Cologne,
Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4652 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/rsync/attachments/20220311/6fd14776/smime.bin>

Why not rsync directly as root?  Then you can use a passwordless,
passphraseless RSA (or similar) keypair.

On Fri, Mar 11, 2022 at 4:58 AM Dr. Mark Asbach via rsync <
rsync at lists.samba.org> wrote:
> Hi there,
>
> We are using ansible to deploy system configuration and web application
> source code to clusters of Linux computers. One part of this process
> requires transferring large directories to the target hosts, which is done
> using the ?synchronize? command in ansible that is in turn a wrapper around
> rsync. This work great in most scenarios, but we run into an issue with a
> specific (albeit for us: prominent) use case:
>
> - We try to have rsync connect over ssh using a non-privileged user
> account.
> - The account is set up for publickey authentication, so we can use ?rsync
> -e ?ssh -i /home/user/.ssh/some_id??.
> - On the target side, we want to escalate privileges for rsync, which we
> try using ?rsync --rsync-path=?sudo rsync??.
>
> This whole scenario works fine, as long as for the ssh account we use for
> logging in, passwordless sudo is set up on the target. For security
> reasons, we do not want to go this route. Instead, we want to supply the
> user?s password for gaining privileges. On the web, I?ve found to
> suggestions for solving this:
>
> a) Using ssh-askpass, we can use the options -e "ssh -X"
> --rsync-path="sudo -A rsync" (see
https://askubuntu.com/a/1167758). The
> problem in our scenario is that using ansible, we run the identical rsync
> command on multiple hosts in parallel (we target about 32 VMs in one go).
> So the person running the script would have to enter the password into 32
> dialogs exactly at the time they pop up.
>
> b) Passing the password to sudo via stdin using --rsync-path "echo
> MYPASSWORD | sudo -S rsync" (see https://askubuntu.com/a/1155897).
This
> has the potential security implication that if the calling line is stored
> somewhere in a shell history file of the control host, the password will be
> breached, but there?s a couple of measures we can take so mitigate that.
> However, I fail at getting this to run.
>
> Here?s a sample command that I get out of a patched ansible ?synchronize?
> command. I?m trying to connect to a Ubuntu 18.04 VM with the user account
> ?mark? that is in the ?sudoers? group but does not have ?NOPASSWD? set, so
> running ?sudo? for the first time in a session will require to enter the
> password for ?mark? which here is ?test?:
>
> rsync --delay-updates -F --compress --delete-after --archive --no-perms
> --no-owner --no-group --rsh='/usr/bin/ssh -S none -i
~/ssh/some_private_key
> -o Port=2222 -o StrictHostKeyChecking=no -o
UserKnownHostsFile=/dev/null'
> --rsync-path='echo test | sudo -S -u root rsync 2>/dev/null'
> --out-format='<<CHANGED>>%i %n%L' ~/test_source_dir
mark at 127.0.0.1:
> /some/test_target_dir
>
> This is what I get:
> > Warning: Permanently added '[127.0.0.1]:2222' (ED25519) to the
list of
> known hosts.
> > rsync: connection unexpectedly closed (0 bytes received so far)
[sender]
>
> As far as I understand, this could be due to "sudo -S" prompting
for the
> password and that prompt interfering with the rsync communications.
> However, I?m out of ideas what I could do to get around that.
>
> Help would be greatly appreciated ;-)
>
> Thanks and greetings from Cologne,
> Mark--
> Please use reply-all for most replies to avoid omitting the mailing list.
> To unsubscribe or change options:
> https://lists.samba.org/mailman/listinfo/rsync
> Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.samba.org/pipermail/rsync/attachments/20220311/787b19fc/attachment.htm>

On Fri, Mar 11, 2022 at 4:57 AM Dr. Mark Asbach via rsync <
rsync at lists.samba.org> wrote:
> b) Passing the password to sudo via stdin using --rsync-path "echo
> MYPASSWORD | sudo -S rsync" (see https://askubuntu.com/a/1155897).

In that ask-ubuntu example they are running a client rsync via sudo, not
the server side.  The server requires the socket to be on stdin, so you
can't use stdin earlier on the command-line for something else.

One thing you could do is to create a custom askpass script that provides
the password on stdout. You must put that script on each remote system
because the SUDO_ASKPASS environment variable must only contain a program
name, so it will not allow a one-line remote invocation (i.e.
SUDO_ASKPASS="echo FOO" fails). For example, create a shell script
named
something like echo-askpass:

#!/bin/sh
echo "$SUDO_PASS"

and then use this option to rsync:

--rsync-path "SUDO_ASKPASS=/path/echo-askpass SUDO_PASS=MYPASS sudo -A
rsync"

You could simplify that by moving those environment variables into your
ansible config, perhaps by grabbing the password out of the ansible vault
or having ansible prompt the user. That would let you run "sudo -A
rsync"
and not have the password in the command.  The ansible docs detail how to
set remote environment variables.

..wayne..
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.samba.org/pipermail/rsync/attachments/20220311/93630659/attachment.htm>

On 3/11/2022 4:39 AM, Dr. Mark Asbach via rsync wrote:
> a) Using ssh-askpass, we can use the options -e "ssh -X" 
> --rsync-path="sudo -A rsync" (see
https://askubuntu.com/a/1167758).
> The problem in our scenario is that using ansible, we run the 
> identical rsync command on multiple hosts in parallel (we target about 
> 32 VMs in one go). So the person running the script would have to 
> enter the password into 32 dialogs exactly at the time they pop up.
You could use ssh-agent instead, and add either an ssh public key PAM 
module to sudo's stack (e.g. pam_ssh_agent_auth) or an ssh certificate 
PAM module (e.g. pam_ussh). Sadly, I'm unaware of a PAM module that 
supports both.