Problems with ssh connection for a remote assessment


Product Name: CIS-CAT Pro Assessor v4
Product Version: all
Date: Jan 20, 2021



 

Problem

The ssh connection for the remote assessment will be successful, but the commands run over it will error out.

assessor-cli.log will contain the error: sudo: no tty present and no askpass program specified

 

Solution

The problem is caused by a setting in /etc/sudoers on the target system: Defaults requiretty

You can comment that line out, or disable it for the sudo user that is defined in the CIS-CAT sessions.properties file.

In this example, carlos is the user configured for the ssh remote assessment, so we can add this additional line to /etc/sudoers, which will disable requiretty for the sudo user carlos:

 Defaults:carlos !requiretty
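To confirm the change took effect, the following added example (not part of CIS-CAT or the original article) reads one sudoers file and reports whether requiretty still applies to a given user. The function name requiretty_applies and the sample file contents are constructed for illustration, and the parsing is simplified as noted in the comments.

```shell
#!/bin/sh
# Added example, not CIS code. Reports whether "requiretty" is in effect for a
# user according to ONE sudoers file. Simplified: it does not follow include
# directives, resolve User_Alias names, or handle host/command/runas Defaults.
requiretty_applies() {
    # $1 = sudoers file to read, $2 = user name; prints "yes" or "no"
    awk -v user="$2" '
        /^[ \t]*#/ { next }                        # comments and #include lines
        $1 !~ /^Defaults/ { next }                 # only Defaults entries matter
        {
            scope = $1                             # "Defaults" or "Defaults:carlos,bob"
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", line)  # drop the scope token
            sub(/[ \t]*#.*$/, "", line)            # drop a trailing comment
            n = split(line, opts, ",")             # settings are comma-separated
            for (i = 1; i <= n; i++) {
                o = opts[i]
                gsub(/[ \t]/, "", o)
                if (o == "requiretty") val = "yes"
                else if (o == "!requiretty") val = "no"
                else continue
                if (scope == "Defaults") global = val
                else if (scope ~ /^Defaults:/) {
                    m = split(substr(scope, 10), users, ",")
                    for (j = 1; j <= m; j++) if (users[j] == user) peruser = val
                }
            }
        }
        END {
            if (peruser != "") print peruser       # per-user Defaults override global
            else if (global != "") print global
            else print "no"                        # sudo default: requiretty is off
        }
    ' "$1"
}

# Constructed sample mirroring the article: global requiretty plus the override.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults    requiretty, env_reset
Defaults:carlos !requiretty
carlos ALL=(root) NOPASSWD:ALL
EOF
echo "carlos: $(requiretty_applies "$sample" carlos)"
echo "alice:  $(requiretty_applies "$sample" alice)"
rm -f "$sample"
```

On a target, run the function as root against /etc/sudoers, and make the edit itself with visudo so a syntax error is caught before the file is saved.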

Note that if you are using a key to connect to the target, it is possible that a password is required for the user to use sudo on the target system.

If you are using a key, there are 2 possible solutions.

  1. Change /etc/sudoers on the target so a password is not needed to sudo for that specific user. If the user is carlos, then the entry in /etc/sudoers will be: carlos ALL=(root) NOPASSWD:ALL

  2. Or, you will need to add the sudo password to config/sessions.properties. In the example below, the session.2.cred entry of sessions.properties holds the password required for sudo. You can then encrypt the contents of sessions.properties so that the password is hidden. Please see this section of the documentation for information on encrypting and decrypting that file.

session.2.type=ssh
session.2.host=10.1.43.55
session.2.user=carlos
session.2.identity=C:\\carlos\\CISCAT\\ciscat.ppk
session.2.cred=password_for_sudo
session.2.port=22

The ssh key needs to be in PEM format, i.e. the header of your key file will be:

-----BEGIN RSA PRIVATE KEY-----

 


Copyright © 2020

Center for Internet Security®