[ID# 00845880] Failed to run command with sudo

by basictheprogram » Thu Mar 19, 2015 8:29 pm

Turned on Guest processing and Enabled guest file system indexing for all my Ubuntu Linux systems (12.04 and 14.04).

Entered my Guest OS credentials and clicked Test Now. I receive this error on all my Linux guests.

3/19/2015 3:23:53 PM :: Testing SSH credentials for: XXXX Error: Failed to run command with sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: 3 incorrect password attempts

The Linux VM syslog shows me these messages:

Mar 19 15:23:57 testvm-2 sudo: pam_unix(sudo:auth): conversation failed
Mar 19 15:23:57 testvm-2 sudo: pam_unix(sudo:auth): auth could not identify password for [XXXX]
Mar 19 15:23:57 testvm-2 sshd[647]: pam_unix(sshd:session): session closed for user XXXX

And I get this generated email alert:

Mar 19 15:23:53 : XXXX : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/XXXX ; USER=root ; COMMAND=/usr/bin/id -u

I've played with the Defaults entry in my /etc/sudoers file.

!requiretty doesn't resolve the problem
visualpw just hangs

Any help?

Thanks.
basictheprogram
Influencer
 
Posts: 10
Liked: 2 times
Joined: Sat Mar 14, 2015 7:23 pm
Full Name: Bob Tanner

Re: [ID# 00845880] Failed to run command with sudo

by basictheprogram » Thu Mar 19, 2015 8:34 pm

Typo.
visiblepw just hangs.

Re: [ID# 00845880] Failed to run command with sudo

by basictheprogram » Thu Mar 19, 2015 8:48 pm

Can demonstrate this problem like this:

$ ssh XXXX@testvm.local "sudo /usr/bin/id -u"
XXXX@testvm.local's password:
sudo: no tty present and no askpass program specified

And a workaround on the command line like this:

$ ssh -t XXXX@testvm.local "sudo /usr/bin/id -u"
XXXX@testvm.local's password:
[sudo] password for XXXX:
0

Re: [ID# 00845880] Failed to run command with sudo

by tsightler » Thu Mar 19, 2015 10:37 pm (1 person likes this post)

Do you have something like the below in your sudoers file:
Code:
Defaults requiretty

This line causes sudo to require a tty. I didn't realize this was a common default in Ubuntu, and I don't see it on any of the Ubuntu systems I have access to. Any chance it came from a security policy?

If you are not providing a root account for indexing then you could potentially override this requirement for the user you are using. Off the top of my head it's something like:
Code:
Defaults:veeamuser        !requiretty
tsightler
Veeam Software
 
Posts: 4874
Liked: 1821 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: [ID# 00845880] Failed to run command with sudo

by basictheprogram » Thu Mar 19, 2015 11:21 pm

$ sudo -l
Matching Defaults entries for XXXX on dns-2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!requiretty

User XXXX may run the following commands on dns-2:
(ALL) ALL

Still get the same error message.

Re: [ID# 00845880] Failed to run command with sudo

by tsightler » Fri Mar 20, 2015 1:34 am

Hmm...I can't explain that. Here's the same basic command line test on one of my Ubuntu 14.04 systems:
Code:
$ ssh XXXX@ubuntu01 "sudo /usr/bin/id -u"
XXXX@ubunto01's password:
[sudo] password for XXXX:
0

This is a pretty basic Ubuntu 14.04 server install, nothing much customized. I even tried using ssh -T, which forces SSH to NOT allocate a pseudo-tty, and it still works. Feels like there has to be something different with the environment settings or sudoers, since sudo is the one complaining even for your ssh command line test, but unfortunately I can't think of what it might be. I know it's somewhat security sensitive, but is there any chance you could post your sudoers settings or at least PM them to me to test? I certainly understand if not, but I don't know exactly where to go from here.

Re: [ID# 00845880] Failed to run command with sudo

by basictheprogram » Fri Mar 20, 2015 3:58 am

As far as I know stock sudoers file.

Just the README in /etc/sudoers.d

The veeam backup user is in the %admin group.

Code:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults   env_reset
Defaults   mail_badpass
Defaults   secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root   ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
#%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Re: [ID# 00845880] Failed to run command with sudo

by veenski » Fri Apr 17, 2015 5:55 am

Did you manage to fix this?
I have the exact same issue
veenski
Lurker
 
Posts: 2
Liked: 2 times
Joined: Fri Apr 17, 2015 5:53 am
Full Name: Maarten

Re: [ID# 00845880] Failed to run command with sudo

by veenski » Fri Apr 17, 2015 11:52 am (2 people like this post)

The reason for this error is that Linux wants to prompt for the sudo password on the remote host but doesn't have a tty to show you one.
You can bypass this by not letting it ask for a password at all.

First I created a new backup user:
Code:
sudo adduser backupuser

Then add it to the sudo group:
Code:
sudo adduser backupuser sudo

Then edit the sudoers file:
Code:
sudo visudo

Add the following line at the bottom:
Code:
backupuser ALL=(ALL) NOPASSWD: ALL

In Veeam, create a new credential:
username: backupuser
password: wellwhatyathink

Put a tack at: Elevate specified user to root

Safer would be to replace
backupuser ALL=(ALL) NOPASSWD: ALL
with
backupuser YOURVEEAMHOSTNAME=(root) NOPASSWD: 'what ever command it is veeam runs to index the filesystem'
But I wouldn't know what that command would be.

Re: [ID# 00845880] Failed to run command with sudo

by ChrisCal » Wed Dec 02, 2015 6:42 pm (1 person likes this post)

I realize this is a very old thread but here's what I added to my sudoers file to get this to work reliably:
Code:
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/uname
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /usr/bin/scp
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/arch
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/mount
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /usr/bin/sh
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/rm
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /tmp/*
ChrisCal
Lurker
 
Posts: 1
Liked: 1 time
Joined: Sun Oct 06, 2013 6:12 pm
Full Name: ChrisG

Re: [ID# 00845880] Failed to run command with sudo

by jgh » Wed Mar 16, 2016 9:56 pm

Please delete this post. I don't know why I am unable to do this.

Thank you.
jgh
Novice
 
Posts: 6
Liked: never
Joined: Thu Mar 10, 2016 11:10 pm

Re: [ID# 00845880] Failed to run command with sudo

by jgh » Wed Mar 16, 2016 9:57 pm

ChrisCal wrote: I realize this is a very old thread but here's what I added to my sudoers file to get this to work reliably:
Code:
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/uname
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /usr/bin/scp
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/arch
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/mount
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /usr/bin/sh
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /bin/rm
USERNAMEOFSSHUSER ALL=(root) NOPASSWD: /tmp/*


Thanks for the command-set for sudo. This definitely helped me to at least get a better grip on what was required for veeam using sudo facilities to interact when restoring. All of this aside, I would like to see if you have a more secure approach. The bits that allow /bin/rm and /tmp/* are of concern.

I have opened case 01732540 with Veeam to see if I could get clarification on more specific details, as their current sudo directives are wildly insecure.

Thanks!
-jgh
jgh
Novice
 
Posts: 6
Liked: never
Joined: Thu Mar 10, 2016 11:10 pm
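
The concern raised in the post above about the /bin/rm, /usr/bin/sh and /tmp/* entries can be checked mechanically. The following Python audit is an added example, not code from any poster in this thread or from Veeam; it flags NOPASSWD sudoers entries that amount to unrestricted root, run here over a constructed sample of the rules quoted in the thread. The user name backupuser, the tool lists and the function names are assumptions, and the parser ignores aliases and line continuations.

```python
import re
# Constructed sample: rules quoted in this thread, under one placeholder user name.
SAMPLE = """\
backupuser ALL=(ALL) NOPASSWD: ALL
backupuser ALL=(root) NOPASSWD: /bin/uname
backupuser ALL=(root) NOPASSWD: /usr/bin/scp
backupuser ALL=(root) NOPASSWD: /bin/mount
backupuser ALL=(root) NOPASSWD: /usr/bin/sh
backupuser ALL=(root) NOPASSWD: /bin/rm
backupuser ALL=(root) NOPASSWD: /tmp/*
%admin ALL=(ALL) ALL
"""
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}  # these three lists are assumptions, not exhaustive
BROAD_TOOLS = {"rm", "scp", "cp", "mv", "mount", "tee", "dd"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
RULE = re.compile(r"^(?P<who>\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")

def classify(cmd):
    # Reason a passwordless command is equivalent to unrestricted root, or None.
    path, args = cmd.split()[0], cmd.split()[1:]
    name = path.rsplit("/", 1)[-1]
    checks = [
        (path == "ALL", "every command is allowed"),
        (path.startswith(WRITABLE_DIRS), "path is in a directory the user can write to"),
        (name in SHELLS, "a shell is equivalent to a root login"),
        (any(c in path for c in "*?["), "wildcard in the command path"),
        (name in BROAD_TOOLS and not args, "arguments are unrestricted"),
    ]
    return next((why for hit, why in checks if hit), None)

def audit(text):
    # Return (line_no, user, command, reason) for each risky NOPASSWD entry.
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.strip())
        if not m or raw.lstrip().startswith(("#", "Defaults")):
            continue
        nopasswd = False  # a tag stays in force for later commands in the list
        for item in m["cmds"].split(","):
            tags, cmd = TAGS.match(item.strip()).groups()
            for tag in tags.replace(":", " ").split():
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag, nopasswd)
            if cmd and nopasswd and classify(cmd):
                findings.append((n, m["who"], cmd, classify(cmd)))
    return findings

for finding in audit(SAMPLE):
    print("line %d: %s may run %s without a password: %s" % finding)
```

On the sample only the /bin/uname entry and the password-protected %admin rule pass; every other line is reported.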

Re: [ID# 00845880] Failed to run command with sudo

by jeffshead » Sun Apr 02, 2017 5:19 pm

jgh wrote: I have opened case 01732540 with Veeam to see if I could get clarification on more specific details, as their current sudo directives are wildly insecure.

Thanks!
-jgh


@jgh - Did Support provide you with a better approach?

Sorry for resurrecting an old thread but this was the only one I found that describes the same issue I'm encountering with Zorin OS.

Cheers,

Jeff
jeffshead
Novice
 
Posts: 4
Liked: never
Joined: Thu May 05, 2016 1:07 pm
Full Name: Jeff

