Automating SSH and Sudo with Expect

Submitted by Igor on July 14, 2011 – 10:20 am14 Comments

Let’s imagine a hypothetical scenario: you have a list of a hundred Linux servers and you need to log into each one of them and remove a local user “roger” and his home directory. Doing this by hand will get tedious and, chances are, you will make a few typos and there will be some collateral damage.

It would have been easy if you could just configure passwordless SSH for root, but your company’s compsec policies do not allow this (and rightly so). All of the servers on your list are part of the same NIS/LDAP domain and you have a standard user account. Each server has sudo configured and your NIS/LDAP account is on the sudoers list for root access, but it requires that you enter a password for all sudo commands. Many companies, as well as government and military organizations do not allow the NOPASSWD setting for sudo on their servers.

If you wish, you can configure passwordless SSH access for your non-privileged NIS/LDAP account, but you would still have to enter a password whenever you use sudo. The “expect” utility can provide a solution. Below we have an example “expect” script that will connect to a single host with a non-privileged account, enter a password, run sudo command, enter the password again, execute the “userdel” command as root, and log out. Pay attention to the syntax.

#!/usr/bin/expect
set timeout 5
set user [lindex $argv 0]
set host [lindex $argv 1]
set pass [lindex $argv 2]
spawn ssh -q ${user}@${host}
expect "assword"
send "$pass\r"
expect "${user}@"
send "sudo userdel -r roger\r"
expect "assword"
send "$pass\r"
expect "${user}@"
send "exit\r"
interact

#!/usr/bin/expect

set timeout 5

set user [lindex $argv 0]

set host [lindex $argv 1]

set pass [lindex $argv 2]

spawn ssh -q ${user}@${host}

expect "assword"

send "$pass\r"

expect "${user}@"

send "sudo userdel -r roger\r"

expect "assword"

send "$pass\r"

expect "${user}@"

send "exit\r"

interact

Save this script as expect_userdel.exp, chmod 700, and run like so:

./expect_userdel.exp your_username remote_hostname your_password

1	./expect_userdel.exp your_username remote_hostname your_password

Entering your username and password from command line as arguments for the script is more secure (although still not ideal) than storing them directly inside the expect script.

To make this method work with a list of hosts, you can either write a wrapper script that would read the host list and launch the expect script, or you can incorporate the expect script into a shell script. Let’s take a look at the first option.

#!/bin/bash
user=$1
pass=$2
cat server_list | while read host
do
     ./expect_userdel.exp $user $host $pass
done

#!/bin/bash

user=$1

pass=$2

cat server_list | while read host

./expect_userdel.exp $user $host $pass

done

Save this script as wrapper_expect_userdel.sh and run like so:

./wrapper_expect_userdel.sh your_username your_password

1	./wrapper_expect_userdel.sh your_username your_password

It is possible to insert expect commands directly into a shell script. This way you don’t need to create a wrapper script. The basic syntax for doing this is shown in the example below.

#!/bin/bash
user=$1
pass=$2
cat server_list | while read host
do
   expect -c "
   set timeout 5
   spawn spawn ssh -q ${user}@${host}
   expect "ssword:" { send \"${pass}\r\" }
   expect "${user}@"
   send "sudo userdel -r roger\r"
   expect "assword"
   send "${pass}\r"
   expect eof "
done

#!/bin/bash

user=$1

pass=$2

cat server_list | while read host

expect -c "

set timeout 5

spawn spawn ssh -q ${user}@${host}

expect "ssword:" { send \"${pass}\r\" }

expect "${user}@"

send "sudo userdel -r roger\r"

expect "assword"

send "${pass}\r"

expect eof "

done

When working with these script examples, keep in mind that with different versions of expect, SSH, sudo and shells, there maybe small syntax variations. As long as you understood the general idea, you should have no problem adjusting these commands to suit your requirements.

Pingback: KrazyWorks » Using Expect with SSH and Su
la6470

Thanks I used some of your techniques and got a pretty decent expect script going :
http://www.datauniv.com/blogs/2013/02/21/a-quick-little-expect-script/
Lia-lu-li

I’m trying to set up an ssh connection with a macbook on the same network as my macbook pro. I want to prank the other person by making their macbook start talking and I have no idea what i’m doing
veemodz

I am wondering if anyone knows how to ssh into my iPod Touch to get at the filesystem contents. (sftp addresses would be great). Thanks!
Terrence

In case you haven’t known, Veency has problems with some people that they keep getting a black screen on the computer when using it.

Theres a fix that you can SSH a downgraded version of veency into the iPhone/iPod Touch and make it work.

I never tried SSH before and I don’t know what folder to put the veency file in that is downgraded.
baldy eire

I have a jailbroken iPhone 3G. How do I download/get SSH on my iPhone so I can use Cyder and install apps from my computer. I need this because my wifi feature died and doing it from the computer is the only way I have left.
happyha31

I was just wondering how to copy one file to muliple directories in Linux using ssh? I tried this…

% cp /home/mydomain/public_html/privacypolicy.php /home/*/public_html

I am using cpanel, and just want this file, privacypolicy.php, copied to all those directories easily.
alberto s

I dont see any risk involved because you could simply restore to factory settings if something was to happen. Nevertheless, i’m somewhat reluctant to jailbreak it because i am currently on a cap plan.

I mean the thing is, i heard many stories with iphone users installing something called SSH, which makes your iphone vulnerable to hackers. However if i don’t use this feature, i mean what could go possibly wrong with jailbreaking?
Big Banger

hey guys i need help on how to setup an ssh server in windows. can anyone give me the step by step instructions on how to do that or give a website that shows you how to do that. PLEASE HELP i will appreciate it thanks
tjpimpin

Instead of disabling SSH, I read that you can require an SSH cryptographic key rather than a password, and to restrict login to a certain addresses. How do you do these?
llb443

Hello!

I’m pretty ignorant when it comes to these things, but is there a free way to ssh from a home computer to one at a university?

Thank you for any help you have to offer, and have a wonderful evening!
Scott W

I have a 4G iPod Touch running 4.3.2 that I would like to update to 5.0. I do not want to lose my music in the process, however, as it was accumulated over several different computers and very little of it was legally purchased and downloaded. Therefore, is it possible for me to SSH the files from the ~/Media/iTunes_Control/Music directory, update, then place them back in this location? Will it still be compatible and playable?
Lachlan

Well in my area bittorrent is blocked and torrent file is unable to connect to tracker.i want to tunnel bittorrent using putty software,but it asks for ssh proxy ip which can be obtained through ssh account.so my central problem is where to get ssh account for free.
Chris R

I’ve been looking into how to get free Apps and stuff for the iPod Touch, and I found that for most things I need this SSH thing to get said apps. Does anyone know of any good free SSH clients? CuteFTP has a free trial, but I don’t know if that will be a permenant solution.
http://villimagg.info/ Vilhjálmur Magnússon

Hi and thanks for this guide. How would you use expect if only to do su commands in a bash shell script?