Different behavior in Sudo vs default ssh executor vs docs #5

Open
mchubby opened this issue Apr 21, 2022 · 0 comments
mchubby commented Apr 21, 2022


According to the docs: https://docs.rundeck.com/docs/manual/projects/node-execution/ssh.html#secondary-sudo-password-authentication

The sudo password prompt should try to match a regex that defaults to ^.*password.*. It can also be a user-provided regex pattern.

Change was made in rundeck/docs#850 and rundeck/docs#852

sudo prompt detection in SSHJ

sudo-prompt-pattern - a regular expression to detect the password prompt for the Sudo authentication. The default pattern is ^.*password.*

Constants are here:

```java
public static final String DEFAULT_SUDO_PROMPT_PATTERN = "[sudo] password for";
public static final String DEFAULT_SSH_PASSWORD_OPTION = "option.sshPassword";
public static final String DEFAULT_SUDO_COMMAND_PATTERN = "^sudo\\s.*";
```

This part in the runSudoCommand method:

```java
expect.expect(contains(sudoPromptPattern));
expect.sendLine(sudoPassword);
```

tries to match a plain substring.

sudo prompt detection in default ssh executor

The corresponding constants for the default (JSch) node executor are:

https://github.com/rundeck/rundeck/blob/b173b38948b1112d71211af06e0219f46e955fc6/core/src/main/java/com/dtolabs/rundeck/core/execution/impl/jsch/JschNodeExecutor.java#L124-L125

As we can see, it tries to match against ^\\[sudo\\] password for .+: .*
Discrepancy with docs again?

is sudo command, in SSHJ

sudo-command-pattern - a regular expression to detect when a command execution should expect to require Sudo authentication. Default pattern is ^sudo$.

SSHJ tries to match the entire command to execute, see

```java
if (this.getSshjConnection().isSudoEnabled() && this.getSshjConnection().matchesCommandPattern(command)) {
    final Session.Shell shell = session.startShell();
    // ...
}
```

is sudo command, in default ssh executor

The command pattern is detected in the mainline ssh executor with these constants:

https://github.com/rundeck/rundeck/blob/b173b38948b1112d71211af06e0219f46e955fc6/core/src/main/java/com/dtolabs/rundeck/core/execution/impl/jsch/JschNodeExecutor.java#L128-L129

It tries here:

https://github.com/rundeck/rundeck/blob/b173b38948b1112d71211af06e0219f46e955fc6/core/src/main/java/com/dtolabs/rundeck/core/execution/impl/jsch/JschNodeExecutor.java#L394

to match the regex against the first word command[0].
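
The mismatches described in this issue can be checked outside Rundeck. The following is an added example, not code from the issue or from the plugin: it evaluates the pattern strings quoted above both as regular expressions and as plain substrings. The sample prompts, the sample command, and the class and method names are constructed for illustration.

```java
import java.util.regex.Pattern;

public class SudoPatternCheck {
    // Pattern strings quoted in the issue above.
    static final String DOCS_PROMPT_REGEX = "^.*password.*";
    static final String SSHJ_PROMPT_CONST = "[sudo] password for";
    static final String JSCH_PROMPT_REGEX = "^\\[sudo\\] password for .+: .*";
    static final String DOCS_COMMAND_REGEX = "^sudo$";
    static final String SSHJ_COMMAND_REGEX = "^sudo\\s.*";

    // Regex search. Assumption: find() is used here; for these anchored
    // patterns and single-line samples, matches() gives the same answers.
    static boolean asRegex(String pattern, String input) {
        return Pattern.compile(pattern).matcher(input).find();
    }

    // Plain substring test, which is what the issue says contains(...) does.
    static boolean asSubstring(String needle, String input) {
        return input.contains(needle);
    }

    static void row(String label, boolean hit) {
        System.out.printf("  %-34s %s%n", label, hit ? "match" : "no match");
    }

    public static void main(String[] args) {
        // Constructed sample prompts, not captured from a real host.
        String[] prompts = { "[sudo] password for deploy: ", "Password: " };
        for (String p : prompts) {
            System.out.println("prompt \"" + p + "\"");
            row("docs default, as regex", asRegex(DOCS_PROMPT_REGEX, p));
            row("docs default, as substring", asSubstring(DOCS_PROMPT_REGEX, p));
            row("SSHJ constant, as substring", asSubstring(SSHJ_PROMPT_CONST, p));
            row("SSHJ constant, as regex", asRegex(SSHJ_PROMPT_CONST, p));
            row("JSch pattern, as regex", asRegex(JSCH_PROMPT_REGEX, p));
        }

        // Constructed sample command: the whole line versus its first word.
        String whole = "sudo systemctl restart app";
        String firstWord = whole.split("\\s+")[0];
        System.out.println("command \"" + whole + "\"");
        row("^sudo$ vs whole command", asRegex(DOCS_COMMAND_REGEX, whole));
        row("^sudo$ vs first word", asRegex(DOCS_COMMAND_REGEX, firstWord));
        row("^sudo\\s.* vs whole command", asRegex(SSHJ_COMMAND_REGEX, whole));
        row("^sudo\\s.* vs first word", asRegex(SSHJ_COMMAND_REGEX, firstWord));
    }
}
```

Read as a regex, `[sudo] password for` is a character class followed by literal text, so the SSHJ constant and the documented regex default are not interchangeable when the matching mode changes.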
