Discussions specific to the VMware vSphere hypervisor
basictheprogram
Influencer
Posts: 10
Liked: 2 times
Joined: Mar 14, 2015 7:23 pm
Full Name: Bob Tanner
Contact:

[ID# 00845880] Failed to run command with sudo

Post by basictheprogram » Mar 19, 2015 8:29 pm

Turned on Guest processing and Enabled guest file system indexing for all my Ubuntu Linux systems (12.04 and 14.04).

Entered my Guest OS credentials and click Test Now. Receive this error on all my Linux guests.

3/19/2015 3:23:53 PM :: Testing SSH credentials for: XXXX Error: Failed to run command with sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: 3 incorrect password attempts

The Linux VM syslog shows me these messages:

Mar 19 15:23:57 testvm-2 sudo: pam_unix(sudo:auth): conversation failed
Mar 19 15:23:57 testvm-2 sudo: pam_unix(sudo:auth): auth could not identify password for [XXXX]
Mar 19 15:23:57 testvm-2 sshd[647]: pam_unix(sshd:session): session closed for user XXXX

And I get this generated email alert:

Mar 19 15:23:53 : XXXX : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/XXXX ; USER=root ; COMMAND=/usr/bin/id -u

I've played with the Defaults entry in my /etc/sudoers file.

!requiretty doesn't resolve the problem
visualpw just hangs

Any help?

Thanks.

Post by basictheprogram » Mar 19, 2015 8:34 pm

Typo.
visiblepw just hangs.

Post by basictheprogram » Mar 19, 2015 8:48 pm

Can demonstrate this problem like this:

$ ssh XXXX@testvm.local "sudo /usr/bin/id -u"
XXXX@testvm.local's password:
sudo: no tty present and no askpass program specified

And a workaround on the command line like this:

$ ssh -t XXXX@testvm.local "sudo /usr/bin/id -u"
XXXX@testvm.local's password:
[sudo] password for XXXX:
0

tsightler
Veeam Software
Posts: 5194
Liked: 2077 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Post by tsightler » Mar 19, 2015 10:37 pm 1 person likes this post

Do you have something like the below in your sudoers file:

Code:

Defaults requiretty

This line causes sudo to require a tty. I didn't realize this was a common default in Ubuntu, and I don't see it on any of the Ubuntu systems I have access to. Any chance it came from a security policy?

If you are not providing a root account for indexing then you could potentially override this requirement for the user you are using. Off the top of my head it's something like:

Code:

Defaults:veeamuser        !requiretty

Post by basictheprogram » Mar 19, 2015 11:21 pm

$ sudo -l
Matching Defaults entries for XXXX on dns-2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!requiretty

User XXXX may run the following commands on dns-2:
(ALL) ALL

Still get the same error message.

Post by tsightler » Mar 20, 2015 1:34 am

Hmm...I can't explain that. Here's the same basic command line test on one of my Ubuntu 14.04 systems:

Code:

$ ssh XXXX@ubuntu01 "sudo /usr/bin/id -u"
XXXX@ubunto01's password:
[sudo] password for XXXX:
0

This is a pretty basic Ubuntu 14.04 server install, nothing much customized. I even tried using ssh -T which forces SSH to NOT allocate a pseudo-tty and it still works. Feels like there has to be something different with the environment settings or sudoers since sudo is the one complaining even for your ssh command line test but unfortunately I can't think of what it might be. I know it's somewhat security sensitive but is there any chance you could post your sudoers settings or at least PM them to me to test? I certainly understand if not but I don't know exactly where to go from here.

Post by basictheprogram » Mar 20, 2015 3:58 am

As far as I know stock sudoers file.

Just the README in /etc/sudoers.d

The veeam backup user is in the %admin group.

Code:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
#%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

veenski
Lurker
Posts: 2
Liked: 2 times
Joined: Apr 17, 2015 5:53 am
Full Name: Maarten
Contact:

Post by veenski » Apr 17, 2015 5:55 am

Did you manage to fix this?
I have the exact same issue

Post by veenski » Apr 17, 2015 11:52 am 2 people like this post

The reason for this error is that Linux wants to prompt for the sudo password on the remote host but doesn't have a tty to show you one.
You can bypass this by not letting it ask for a password at all.

First I created a new backup user:

Code:

sudo adduser backupuser

Then add it to the sudo group:

Code:

sudo adduser backupuser sudo

Then edit the sudoers file:

Code:

sudo visudo

Add the following line at the bottom:

Code:

backupuser ALL=(ALL) NOPASSWD: ALL

In Veeam, create a new credential:
username:backupuser
password:wellwhatyathink

Put a tack at: Elevate specified user to root

Safer would be to replace the
backupuser ALL=(ALL) NOPASSWD: ALL
with
backupuser YOURVEEAMHOSTNAME=(root) NOPASSWD: 'what ever command it is veeam runs to index the filesystem'

But I wouldn't know what that command would be.

ChrisCal
Lurker
Posts: 1
Liked: 1 time
Joined: Oct 06, 2013 6:12 pm
Full Name: ChrisG
Contact:

Post by ChrisCal » Dec 02, 2015 6:42 pm 1 person likes this post

I realize this is a very old thread but here's what I added to my sudoers file to get this to work reliably:

Code:

USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/uname
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /usr/bin/scp
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/arch
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/mount
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /usr/bin/sh
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/rm
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /tmp/*

jgh
Novice
Posts: 6
Liked: never
Joined: Mar 10, 2016 11:10 pm
Contact:

Post by jgh » Mar 16, 2016 9:56 pm

Please delete this post. I don't know why I am unable to do this.

Thank you.

Post by jgh » Mar 16, 2016 9:57 pm

ChrisCal wrote: I realize this is a very old thread but here's what I added to my sudoers file to get this to work reliably:

Code:

USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/uname
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /usr/bin/scp
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/arch
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/mount
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /usr/bin/sh
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/rm
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /tmp/*

Thanks for the command-set for sudo. This definitely helped me to at least get a better grip on what was required for Veeam using sudo facilities to interact when restoring. All of this aside, I would like to see if you have a more secure approach. The bits that allow /bin/rm and /tmp/* are of concern.

I have opened case 01732540 with Veeam to see if I could get clarification on more specific details, as their current sudo directives are wildly insecure.

Thanks!
-jgh
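
An added example, not part of any post in this thread and not Veeam's own tooling: a shell audit that reads sudoers rules and lists the NOPASSWD grants that are no narrower than root in practice, which is the concern raised above about /bin/rm and /tmp/*. The function names, reason labels and the set of flagged binaries are assumptions of this example; the sample rules are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from any post): list NOPASSWD grants that amount to root.

# Entries quoted from the thread, gathered here as constructed sample input.
sample_sudoers() {
  cat <<'EOF'
# Members of the admin group may gain root privileges
backupuser ALL=(ALL) NOPASSWD: ALL
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/uname
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /usr/bin/scp
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/arch
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/mount
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /usr/bin/sh
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/rm
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /tmp/*
EOF
}

# Reads sudoers lines on stdin, prints "reason<TAB>user<TAB>command" per finding.
# Assumption: one rule per line, no aliases or line continuations.
audit_nopasswd() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ || !/NOPASSWD:/ { next }
    {
      user = $1
      cmds = $0
      sub(/^.*NOPASSWD:[ \t]*/, "", cmds)
      n = split(cmds, list, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        cmd = list[i]
        sub(/[ \t]+$/, "", cmd)
        path = cmd
        sub(/[ \t].*$/, "", path)        # drop arguments, keep the binary
        reason = ""
        if (cmd == "ALL")                                 reason = "unrestricted"
        else if (path ~ /^\/(tmp|var\/tmp|dev\/shm)\//)   reason = "writable-dir"
        else if (path ~ /\/(sh|bash|dash|zsh|ksh)$/)      reason = "shell"
        else if (path ~ /\/(rm|mount|scp|cp|mv|tee|dd)$/) reason = "root-file-access"
        else if (cmd ~ /[*?]/)                            reason = "wildcard"
        if (reason != "") printf "%s\t%s\t%s\n", reason, user, cmd
      }
    }'
}

sample_sudoers | audit_nopasswd
```

On the sample, only /bin/uname and /bin/arch pass; every other rule is reported, so the per-command list is no tighter than `NOPASSWD: ALL`.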

jeffshead
Novice
Posts: 4
Liked: never
Joined: May 05, 2016 1:07 pm
Full Name: Jeff
Contact:

Post by jeffshead » Apr 02, 2017 5:19 pm

jgh wrote: I have opened case 01732540 with Veeam to see if I could get clarification on more specific details, as their current sudo directives are wildly insecure.

Thanks!
-jgh

@jgh - Did Support provide you with a better approach?

Sorry for resurrecting an old thread but this was the only one I found that describes the same issue I'm encountering with Zorin OS.

Cheers,

Jeff

riahc3
Enthusiast
Posts: 37
Liked: 3 times
Joined: Oct 21, 2015 10:01 am
Full Name: John
Contact:

Post by riahc3 » Mar 10, 2018 10:33 pm

Using NOPASSWD is EXTREMELY unsecure and not a valid workaround.

csydas
Expert
Posts: 133
Liked: 27 times
Joined: Jan 16, 2018 5:14 pm
Full Name: Harvey Carel
Contact:

Post by csydas » Mar 13, 2018 8:03 pm 2 people like this post

@John,

Is it really?

If you're using Private Keys for authentication on your server, plausibly the only way that someone malicious is getting on the server and running stuff is if they've either got "physical" access to the machine (literal or through your hypervisor) or if they've compromised your passphrase, are able to get access to the Veeam Server for the key as well, and bypass whatever access restriction you have set up.

I'm all for security, but it seems like worrying about NOPASSWD is worrying about the wallpaper when the castle's on fire.

Use a service account with a relatively unique name, lock down remote access to the machine, disable root login over SSH, set up sudoers with the above settings, and that should be fine. At that point if they're still getting in, it's not because NOPASSWD is set, even for /bin/rm and /tmp/*. The battle is lost the moment they log on, not once they realize they're running with NOPASSWD.
