Problems with ssh connection for a remote assessment
Product Name
CIS-CAT Pro Assessor v4
Product Version
all
Date
Jan 20, 2021
Problem
The ssh connection for the remote assessment succeeds, but commands error out.
The assessor-cli.log file will contain the error: sudo: no tty present and no askpass program specified
Solution
The problem is caused by a setting in /etc/sudoers on the target system: Defaults requiretty
You can comment that line out, or disable it for the sudo user that is defined in the CIS-CAT sessions.properties file.
In this example, carlos is the user configured for the ssh remote assessment. We can add the following line to /etc/sudoers, which disables requiretty for sudo user carlos:
Defaults:carlos !requiretty
Note that if you are using a key to connect to the target it is possible that a password is required for the user to use sudo on the target system.
If you are using a key there are 2 possible solutions.
Change /etc/sudoers on the target so a password is not needed to sudo for that specific user. If the user is carlos then the entry in /etc/sudoers will be:
carlos ALL=(root) NOPASSWD:ALL
Or, you will need to add the sudo password to config/sessions.properties. In the example below the session.2.cred section of sessions.properties has the password required for sudo. You can then encrypt the contents of sessions.properties so that password is hidden. Please see this section of the documentation for information on encrypting and decrypting that file.
session.2.type=ssh
session.2.host=10.1.43.55
session.2.user=carlos
session.2.identity=C:\\carlos\\CISCAT\\ciscat.ppk
session.2.cred=password_for_sudo
session.2.port=22
The ssh key needs to be in PEM format, i.e. the header of your key file will be:
-----BEGIN RSA PRIVATE KEY-----
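The three conditions above (requiretty, a NOPASSWD rule, and the key header) can be checked before running an assessment. The script below is an added example, not part of the original article or of CIS-CAT; the function names are hypothetical, the sudoers parsing is deliberately simplified, and the sample files are constructed from the lines shown in this article.

```shell
#!/bin/sh
# Added example, not CIS code. Function names are hypothetical; parsing is
# simplified (no aliases, user lists or include files).

# requiretty_applies SUDOERS USER -> "yes" or "no".
# Global and per-user Defaults are taken in file order; the last match wins.
requiretty_applies() {
    awk -v tag="Defaults:$2" '
        /^[ \t]*#/ { next }                       # skip comment lines
        $1 == "Defaults" || $1 == tag {
            for (i = 2; i <= NF; i++) {
                n = split($i, opt, ",")
                for (j = 1; j <= n; j++) {
                    if (opt[j] == "requiretty")  state = "yes"
                    if (opt[j] == "!requiretty") state = "no"
                }
            }
        }
        END { print (state == "" ? "no" : state) }  # unset means off
    ' "$1"
}

# sudo_needs_password SUDOERS USER -> "no" if USER has a NOPASSWD rule.
sudo_needs_password() {
    awk -v user="$2" '
        /^[ \t]*#/ { next }
        $1 == user && /NOPASSWD:/ { found = 1 }
        END { print (found ? "no" : "yes") }
    ' "$1"
}

# key_format KEYFILE -> key type judged from the first line of the file.
key_format() {
    case "$(head -n 1 "$1" | tr -d '\r')" in
        "-----BEGIN RSA PRIVATE KEY-----")     echo pem-rsa ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        PuTTY-User-Key-File-*)                 echo putty ;;
        *)                                     echo unknown ;;
    esac
}

# Constructed sample files using the lines shown in this article.
tmp=$(mktemp -d)
printf '%s\n' 'Defaults requiretty' 'Defaults:carlos !requiretty' \
    'carlos ALL=(root) NOPASSWD:ALL' > "$tmp/sudoers"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$tmp/key.pem"
echo "requiretty applies to carlos: $(requiretty_applies "$tmp/sudoers" carlos)"
echo "sudo needs a password:        $(sudo_needs_password "$tmp/sudoers" carlos)"
echo "key format:                   $(key_format "$tmp/key.pem")"
rm -rf "$tmp"
```

On a real target, run the functions as root against /etc/sudoers; after editing that file, visudo -c validates its syntax.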