#264 sudo with key-based auth
Hello ~ I am using Firewall Builder 5.1 build and trying to deploy a very simple test firewall to a VM running a fresh Debian wheezy install as a non-root user (but with sudo privileges).

I have configured the deploy directory: target_machine:/etc/fw/ and the sample ssh single interface template ruleset compiles and is successfully scp'ed to the firewall using key-based auth (password auth is disabled as it is on all our production servers).

The install fails with the below error, and there appears to be nowhere for me to tell the installer the password for sudo, so sudo fails, and the install aborts. Apologies if I have missed this somewhere.

So the issue:
How do I set up key-based auth deployment while also requiring a password for sudo? If I understand sentence #2 of this correctly it is possible...

Here is the relevant fwbuilder log:

* Running as user : XXXXXXX
* Firewall name : debian-test
* Installer uses user name : XXXXXXX
* Management address : xxx.xxx.xxx.xxx
* Platform : iptables
* Host OS : linux24
* Loading configuration from file /home/xxxxx/xxxxxxxxx/fwbuilder-rules/debian-test.fwb

Installation plan:
Copy file: /home/xxxxxxx/xxxx/fwbuilder-rules/debian-test.fw --> /etc/fw/debian-test.fw
Run script echo '--**--**--'; chmod +x /etc/fw/debian-test.fw; sudo -S /etc/fw/debian-test.fw && echo 'Policy activated'

Copying /home/xxxxxxx/xxxx/fwbuilder-rules/debian-test.fw -> xxx.xxx.xxx.xxx:/etc/fw/debian-test.fw
Running command '/usr/bin/fwbuilder -Y scp -o ConnectTimeout=30 -q /home/xxxxxxx/xxxx/fwbuilder-rules/debian-test.fw aaaaa@xxx.xxx.xxx.xxx:/etc/fw/debian-test.fw'
Firewall Builder GUI
SSH session terminated, exit status: 0
Running command '/usr/bin/fwbuilder -X ssh -o ServerAliveInterval=10 -t -t -v -l aaaaaaa xxx.xxx.xxx.xxx echo '--**--**--'; chmod +x /etc/fw/debian-test.fw; sudo -S /etc/fw/debian-test.fw && echo 'Policy activated''
Firewall Builder GUI
OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to xx.x.x.xxx [xx.x.x.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/xxxxxxx/.ssh/id_rsa type -1
debug1: identity file /home/xxxxxxx/.ssh/id_rsa-cert type -1
debug1: identity file /home/xxxxxxx/.ssh/id_dsa type -1
debug1: identity file /home/xxxxxxx/.ssh/id_dsa-cert type -1
debug1: identity file /home/xxxxxxx/.ssh/id_ecdsa type -1
debug1: identity file /home/xxxxxxx/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4
debug1: match: OpenSSH_6.0p1 Debian-4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA b2:7d:24:f1:bd:f5:16:82:d4:ff:66:5d:7e:e8:b3:81
debug1: Host 'xx.x.x.xxx' is known and matches the ECDSA host key.
debug1: Found key in /home/xxxxxxx/.ssh/known_hosts:71
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/xxxxxxx/.ssh/xxxxxxx_xx_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: Authentication succeeded (publickey).
Authenticated to xxx.xxx.xxx.xxx ([xxx.xxx.xxx.xxx]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending command: echo '--**--**--'; chmod +x /etc/fw/debian-test.fw; sudo -S /etc/fw/debian-test.fw && echo 'Policy activated'
[sudo] password for xxxxxxx:
Sorry, try again.
*** Fatal error :
Sorry, try again.
Firewall policy installation failed
[sudo] password for xxxxxxx:
Sorry, try again.
*** Fatal error :
Sorry, try again.
[sudo] password for xxxxxxx:

Thank you in advance for any advice!
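The installer's last step in the log above is `sudo -S /etc/fw/debian-test.fw`, run as the deploy user. One way an administrator can keep sudo password-protected in general while letting that single command run unprompted is a sudoers rule scoped to the script; the example below is added here and is not code from the post or from Firewall Builder (the account name `deploy`, GNU coreutils `stat`, and numeric uid arguments are assumptions). It emits such a rule and, more importantly, checks the file the rule would grant, since in this setup the deploy user itself writes that file over scp.

```shell
#!/bin/sh
# Added example; not from the post or from Firewall Builder.
# Assumptions: GNU coreutils `stat`; "deploy" and the script path are
# placeholders matching the installer's `sudo -S /etc/fw/<name>.fw` step.
#
# A passwordless sudo rule for one script is only as strong as that file:
# the deploy user scp's it into /etc/fw/ and chmod's it, so a script the
# deploy user (or anyone else) can rewrite turns the scoped rule into
# unrestricted root. check_script_safe refuses such a file.

# Emit a sudoers drop-in scoped to one command; everything else still prompts.
# Install it with `visudo -cf <file>` to syntax-check before copying to
# /etc/sudoers.d/ (root-owned, mode 0440).
sudoers_rule() {
    user=$1; script=$2
    printf 'Cmnd_Alias FW_SCRIPT = %s\n' "$script"
    printf '%s ALL=(root) NOPASSWD: FW_SCRIPT\n' "$user"
}

# Return 0 only if the script is a regular file (not a symlink), owned by
# expected_uid, and not writable by group or others; otherwise explain and
# return 1. Numeric uids avoid depending on a passwd lookup.
check_script_safe() {
    script=$1; expected_uid=$2
    [ -L "$script" ] && { echo "refusing symlink: $script"; return 1; }
    [ -f "$script" ] || { echo "not a regular file: $script"; return 1; }
    owner=$(stat -c '%u' "$script")
    mode=$(stat -c '%a' "$script")            # e.g. 755 or 4755
    other=${mode#"${mode%?}"}                 # last octal digit (others)
    rest=${mode%?}; group=${rest#"${rest%?}"} # second-to-last digit (group)
    if [ "$owner" != "$expected_uid" ]; then
        echo "owner uid is $owner, expected $expected_uid"; return 1
    fi
    # bit 2 in an octal digit is the write permission
    if [ $((group & 2)) -ne 0 ] || [ $((other & 2)) -ne 0 ]; then
        echo "mode $mode allows group/other write"; return 1
    fi
    return 0
}

# Usage: only grant the rule once root (uid 0) owns the script and nobody
# else can write it.
# check_script_safe /etc/fw/debian-test.fw 0 && \
#     sudoers_rule deploy /etc/fw/debian-test.fw
```

The check is deliberately strict about symlinks and group-write bits, because the log shows the deploy account holding write access to /etc/fw/; a rule granted to a file that account controls would make the sudo password moot.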