I was recently working on a Perl script that would SSH to another server and run a sudo command on the remote server that was failing. The error that was received is below.
Error: sudo: sorry, you must have a tty to run sudo
The reason is that an update to sudo along the way locked it down further by adding the line below to the /etc/sudoers configuration file.
Defaults requiretty
To allow a remote script to log in and run a command via sudo, simply comment out that line as shown below.
# Commented out so remote script can login and run a command without a tty
# Defaults requiretty
I would suggest making a comment in the sudoers file along with the actual script that is running just in case there is another systems administrator that is tasked with working on this server at a later date. Now when your script runs it will not throw that error and should be able to run the remote command that was initially required.
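As an added example (not part of the original post), the shell function below reports whether requiretty is in effect for a given account in a sudoers-style file, so the global edit above can be compared with the per-user `Defaults:user !requiretty` form. The function names, the sample files, the accounts `deploy` and `alice`, and the simplified last-match-wins evaluation are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): report whether requiretty is
# in effect for one user, given a sudoers-style file.
# Assumptions: only "Defaults" and "Defaults:USER" entries are evaluated, the
# last matching entry in file order wins, and aliases, groups, includes and
# line continuations are ignored.

requiretty_state() {   # usage: requiretty_state USER FILE -> prints on|off
    awk -v user="$1" '
        BEGIN { state = "off" }              # the flag is off unless set
        /^[ \t]*#/ { next }                  # skip commented-out lines
        $1 == "Defaults" || $1 == ("Defaults:" user) {
            line = $0
            sub(/[ \t]*#.*$/, "", line)                 # trailing comment
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)       # drop the keyword
            n = split(line, opts, /[ \t]*,[ \t]*/)      # comma-separated
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", opts[i])
                if (opts[i] == "requiretty")  state = "on"
                if (opts[i] == "!requiretty") state = "off"
            }
        }
        END { print state }
    ' "$2"
}

# Constructed sample files: the global edit from the post and the per-user form.
write_samples() {      # usage: write_samples DIR
    printf '%s\n' '# Commented out so remote script can run without a tty' \
        '# Defaults requiretty' > "$1/global_off"
    printf '%s\n' 'Defaults env_reset, requiretty' \
        'Defaults:deploy !requiretty' > "$1/scoped"
}

# Demo: "deploy" is a hypothetical automation account, "alice" a normal user.
demo() {
    dir=$(mktemp -d) && write_samples "$dir"
    for f in global_off scoped; do
        for u in deploy alice; do
            echo "$f $u $(requiretty_state "$u" "$dir/$f")"
        done
    done
    rm -rf "$dir"
}
demo
```

With the global edit every account loses the tty requirement, while the scoped file keeps it for everyone except the one automation account.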
Tags: error, perl, requiretty, script, SSH, sudo, sudoers, tty
thanks. it works for me.
[Reply]
alex Reply:
March 24th, 2009 at 11:43 AM
Cool. Glad it helped.
[Reply]
Instead of commenting it out for everybody, you can just turn it off for certain users (or user groups)
Defaults:alex !requiretty
[Reply]
alex Reply:
May 26th, 2009 at 7:16 PM
Hello Jay,
Great advice. I wasn’t aware of that syntax. Thanks for posting a response man!~
[Reply]
Great Help!!!!!!!!!
[Reply]
alex Reply:
July 20th, 2009 at 11:11 AM
Thanks for the feedback!
[Reply]
The “-t” switch on the ssh command will allocate a pseudo tty. You won’t need to change your sudoers file.
[Reply]
alex Reply:
July 21st, 2009 at 4:06 PM
Hello Nathan,
Thanks for the addition.
[Reply]
Is there a way to include “-t” option from perl script?
From command line, we can say “ssh -t user@host”
As of now, my code is as follows:
my $ssh = Net::SSH::Perl->new($host);
$ssh->login($user, $password);
my($stdout1, $err, $ext1) = $ssh->cmd("sudo su - geneindex", $password);
[Reply]
alex Reply:
August 14th, 2009 at 1:15 AM
Hello Neel,
Sorry for the delayed response. Below is the response from a friend of mine that knows way more Perl than I.
net::ssh takes the ‘use_pty’ option, which should have the same effect as -t for the cli command
http://search.cpan.org/dist/Net-SSH-Perl/lib/Net/SSH/Perl.pm
Hope that helps.
[Reply]
Thanks mate
[Reply]
alex Reply:
October 18th, 2009 at 5:04 PM
Hello nate,
No problem. Thanks for leaving feedback.
Thanks.
alex
[Reply]
I would add a few things, of course, but essentially everything has been said.
[Reply]
A very good and relevant blog! A permanent resident of my RSS reader :)
[Reply]
alex Reply:
December 27th, 2009 at 2:00 AM
Hello мepтвeц,
Thanks for the compliment. Glad you use the RSS functionality to read the blog and hope you continue to find it useful.
Thanks.
alex
[Reply]
Or you can leave “Defaults requiretty”.
I found it’s more secure to add this only for exactly that user like:
“Defaults:username !requiretty”
Thomas
[Reply]
alex Reply:
March 2nd, 2010 at 3:21 PM
Hello Thomas,
Thanks for the response. I agree if you only required specific usernames such as the situation I mention in the article above that your way is much more secure and the right way to do it. I was unaware that you could open it up on a username basis as you have explained so I really appreciate the feedback. Responses like this are definitely part of the reason that I post articles like this so I can not only provide solutions to others but also hopefully find better solutions for myself.
Thanks again for taking the time to leave feedback and provide a better solution for opening up the TTY on a per user basis.
Thanks.
alex
[Reply]
Thanks for your first post and also this feedback.
Thomas
[Reply]
alex Reply:
March 3rd, 2010 at 8:45 PM
Hello Thomas,
No problem at all. I really appreciate people sharing alternative ways to accomplish things. We can’t all know everything so it is definitely nice to learn new things. Look forward to your feedback on future posts.
Thanks.
alex
[Reply]
While I don’t have much else to add to this post, I am certainly grateful that the author took the time to talk about this. I agree with most of what was talked about, and look forward to learning some more from you. Thank you.
[Reply]
alex Reply:
March 8th, 2010 at 3:15 PM
Hello SEO Tools,
Thanks for taking the time to leave feedback relating to the sudo article.
Thanks.
alex
[Reply]
solved my problem!
[Reply]
alex Reply:
March 29th, 2010 at 4:48 PM
Hello Rick,
Good to hear. Thanks for taking the time to leave feedback.
Thanks.
alex
[Reply]
Thanks for this. I managed to waste quite a bit of time with this problem until I wised up and took a look at the apache log file and saw what was going wrong. Shame this is not mentioned anywhere in the sudo or visudo man pages.
Daniel
[Reply]
alex Reply:
April 7th, 2010 at 10:18 PM
Hello Daniel,
No problem. Thanks for taking the time to leave feedback.
Thanks.
alex
[Reply]
That’s a good article about sudo: sorry, you must have a tty to run sudo. Thanks for the info.
[Reply]
alex Reply:
May 8th, 2010 at 8:45 PM
Hello Wilfred,
No problem at all. Thanks for taking the time to leave feedback.
Thanks.
alex
[Reply]
I was wondering about sudo: sorry, you must have a tty to run sudo. I was looking for this information for a long time. Thanks for this post!
[Reply]
alex Reply:
May 15th, 2010 at 4:30 PM
Hello dofollow,
No problemo. Thank you for leaving feedback and letting us know that you found the article helpful.
Thanks.
alex
[Reply]
You can also make security admins happier by limiting the scope of your removal of restrictions by specifying the user who can issue a command with no tty. Rather than removing the default for everyone as mentioned in this post, add the user name as follows
Defaults:user1 !requiretty
The ‘!’ means ‘not’ in this situation, and of course ‘user1’ should be your actual user name.
Joe
[Reply]
alex Reply:
May 25th, 2010 at 2:45 PM
Hello Joe,
Yeah definitely fair enough I totally agree. The goal of the article (not saying it’s perfect :) ) is to accomplish the goal in the easiest manner and without going into too many details with people the above works. If users read these comments I definitely agree with Joe. Thanks for taking the time to leave feedback.
Thanks.
alex
[Reply]
Thanks for your post. I run into this problem while using capistrano.
[Reply]
alex Reply:
June 11th, 2010 at 9:07 AM
Hello Guillermo,
No problem. Thanks for taking the time to leave feedback.
Thanks.
alex
[Reply]
Thanks
[Reply]
alex Reply:
July 12th, 2010 at 8:30 PM
Hello tuni,
No problem at all. Thank you for leaving feedback.
Thanks.
alex
[Reply]
Thanks, but it should also be mentioned that the issue of sending passwords in the clear was enabled by that edit of /etc/sudoers.
SSH I had forgotten has an option that makes this change unnecessary. Just use:
ssh -t
instead.
[Reply]
alex Reply:
September 10th, 2010 at 12:44 PM
Hello Geoff,
Thanks for following up! I wasn’t aware of the -t switch with SSH. That will definitely come in handy in the future.
Could you explain more how the edit of the sudoers file causes passwords to be sent in the clear? I want to make sure I understand the details there.
Thanks.
alex
[Reply]
Yes, “ssh -t” is the proper solution if you are doing an interactive shell with sudo.
I ran into this today and did some research. You will note that the warning in RHEL5 does NOT say the password will be SENT clear but SHOWN clear. Basically, when you type your password, it is encrypted on the link but would be shown on the screen because the non-TTY connection wouldn’t be able to do special controls like suppress display of your keystrokes. So it’s confusing but makes sense in the long run. If you have “NOPASSWD” in your sudoers file, it doesn’t matter anyway.
[Reply]
Note: this means cron jobs that say use sudo on the localbox ONLY are not impacted (as no one is typing a password anyway). For example, a cron job that runs vgs to check volume group space.
sudo -u blah vgs is safer than making a binary suid root, IMO.
[Reply]
alex Reply:
December 14th, 2010 at 7:31 PM
Hello wcarlson,
Thanks for taking the time to leave feedback.
Thanks.
alex
[Reply]
instead of tinkering with the requiretty setting (which can result in printing the root password to the screen) use
$ ssh -t …
[Reply]
alex Reply:
January 20th, 2011 at 4:29 PM
Hello meanguy,
Thanks for the opinion. It has been suggested numerous times in the comments. Stay mean!
Thanks.
alex
[Reply]
Just to say thanks
[Reply]