Hello ~ I am using Firewall Builder 5.1 build 5.1.0.3599 and trying to deploy a very simple test firewall to a VM running a fresh Debian Wheezy install, as a non-root user (but with sudo privileges).
I have configured the deploy directory: target_machine:/etc/fw/ and the sample ssh single interface template ruleset compiles and is successfully scp'ed to the firewall using key-based auth (password auth is disabled as it is on all our production servers).
The install fails with the error below, and there appears to be nowhere for me to tell the installer the password for sudo, so sudo fails and the install aborts. Apologies if I have missed this somewhere.
So the issue:
How do I set up key-based auth deployment while also requiring a password for sudo? If I understand sentence #2 of this correctly, it is possible...
http://www.fwbuilder.org/4.0/docs/users_guide5/install_with_regular_user.shtml
Here is the relevant fwbuilder log:
Summary:
* Running as user : XXXXXXX
* Firewall name : debian-test
* Installer uses user name : XXXXXXX
* Management address : xxx.xxx.xxx.xxx
* Platform : iptables
* Host OS : linux24
* Loading configuration from file /home/xxxxx/xxxxxxxxx/fwbuilder-rules/debian-test.fwb

Installation plan:
Copy file: /home/xxxxxxx/xxxx/fwbuilder-rules/debian-test.fw --> /etc/fw/debian-test.fw
Run script echo '--**--**--'; chmod +x /etc/fw/debian-test.fw; sudo -S /etc/fw/debian-test.fw && echo 'Policy activated'

Copying /home/xxxxxxx/xxxx/fwbuilder-rules/debian-test.fw -> xxx.xxx.xxx.xxx:/etc/fw/debian-test.fw
Running command '/usr/bin/fwbuilder -Y scp -o ConnectTimeout=30 -q /home/xxxxxxx/xxxx/fwbuilder-rules/debian-test.fw aaaaa@xxx.xxx.xxx.xxx:/etc/fw/debian-test.fw'
Firewall Builder GUI 5.1.0.3599
SSH session terminated, exit status: 0
Running command '/usr/bin/fwbuilder -X ssh -o ServerAliveInterval=10 -t -t -v -l aaaaaaa xxx.xxx.xxx.xxx echo '--**--**--'; chmod +x /etc/fw/debian-test.fw; sudo -S /etc/fw/debian-test.fw && echo 'Policy activated''
Firewall Builder GUI 5.1.0.3599
OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to xx.x.x.xxx [xx.x.x.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/xxxxxxx/.ssh/id_rsa type -1
debug1: identity file /home/xxxxxxx/.ssh/id_rsa-cert type -1
debug1: identity file /home/xxxxxxx/.ssh/id_dsa type -1
debug1: identity file /home/xxxxxxx/.ssh/id_dsa-cert type -1
debug1: identity file /home/xxxxxxx/.ssh/id_ecdsa type -1
debug1: identity file /home/xxxxxxx/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4
debug1: match: OpenSSH_6.0p1 Debian-4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA b2:7d:24:f1:bd:f5:16:82:d4:ff:66:5d:7e:e8:b3:81
debug1: Host 'xx.x.x.xxx' is known and matches the ECDSA host key.
debug1: Found key in /home/xxxxxxx/.ssh/known_hosts:71
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/xxxxxxx/.ssh/xxxxxxx_xx_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: Authentication succeeded (publickey).
Authenticated to xxx.xxx.xxx.xxx ([xxx.xxx.xxx.xxx]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending command: echo '--**--**--'; chmod +x /etc/fw/debian-test.fw; sudo -S /etc/fw/debian-test.fw && echo 'Policy activated'
--**--**--
[sudo] password for xxxxxxx: Sorry, try again.

*** Fatal error : Sorry, try again.
Firewall policy installation failed
[sudo] password for xxxxxxx: Sorry, try again.
*** Fatal error : Sorry, try again.
[sudo] password for xxxxxxx:
Thank you in advance for any advice!
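Added example by the editor, not code from the original post or from the Firewall Builder project. The remote command in the log ends in `sudo -S`, which reads the password from standard input instead of a terminal, so unless the installer writes the sudo password to that stdin, sudo sees an empty answer and replies "Sorry, try again", which is exactly the failure in the log. If the GUI cannot be made to supply that password, the usual least-privilege alternative is a sudoers rule that allows the deploy user to run only the generated rule script without a password, rather than a blanket NOPASSWD. The script below, run on the firewall host, probes with `sudo -n` (which refuses to prompt and exits non-zero rather than hanging) whether the deploy user can already run the script passwordlessly, emits a rule scoped to that one script, and validates the rule with `visudo -c` before installing it so a typo cannot lock everyone out of sudo. The user name `aaaaa` and the path `/etc/fw/debian-test.fw` are taken from the log; the drop-in file name `/etc/sudoers.d/fwbuilder-deploy` and the script name `fwdeploy-sudo.sh` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from Firewall Builder.
# Assumptions: deploy user "aaaaa" and script /etc/fw/debian-test.fw come
# from the log; the sudoers drop-in name and this file's name are ours.

# Build a sudoers line that lets one user run exactly one script as root
# without a password. Nothing else is granted; the path must be absolute.
sudoers_rule() {
    user="$1"
    script="$2"
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$script"
}

# Reconstruct the remote command fwbuilder ran (copied from the log).
# "sudo -S" takes the password from stdin; with nothing written there it
# fails with "Sorry, try again", which is the error in the log.
remote_install_cmd() {
    script="$1"
    printf "echo '--**--**--'; chmod +x %s; sudo -S %s && echo 'Policy activated'" "$script" "$script"
}

# Probe whether the current user may run the script without a password.
# "sudo -n" never prompts: it exits non-zero instead of waiting for input,
# and "sudo -l <cmd>" exits 0 only if the policy permits that command.
can_run_nopasswd() {
    script="$1"
    sudo -n -l "$script" >/dev/null 2>&1
}

# Write the rule into a drop-in, but only after visudo has parsed it.
# A syntax error under /etc/sudoers.d breaks sudo for every user, so the
# candidate is checked as a temp file first. Must run as root.
install_rule() {
    user="$1"
    script="$2"
    dropin="${3:-/etc/sudoers.d/fwbuilder-deploy}"
    tmp=$(mktemp) || return 1
    sudoers_rule "$user" "$script" > "$tmp"
    chmod 0440 "$tmp"                 # visudo also checks the mode
    if ! visudo -c -f "$tmp" >/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    install -o root -g root -m 0440 "$tmp" "$dropin"
    rm -f "$tmp"
}

main() {
    user="${1:-aaaaa}"
    script="${2:-/etc/fw/debian-test.fw}"
    if can_run_nopasswd "$script"; then
        echo "$user can already run $script without a password"
    else
        echo "$user cannot run $script non-interactively; rule needed:"
        sudoers_rule "$user" "$script"
    fi
}

# Run main only when executed as fwdeploy-sudo.sh, not when sourced.
[ "${0##*/}" = "fwdeploy-sudo.sh" ] && main "$@"
```

Run it as the deploy user on the firewall host (`sh fwdeploy-sudo.sh aaaaa /etc/fw/debian-test.fw`) to see whether a rule is needed; to apply one, source the file from a root shell and call `install_rule aaaaa /etc/fw/debian-test.fw`. Scoping NOPASSWD to the single script keeps the password requirement for everything else the account can do with sudo, and because the script path is fixed, the deploy user cannot substitute a different binary; they can still edit the uploaded script before it runs, which is why the deploy directory should be writable only by that account.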