Why do I need a tty to run sudo if I can sudo without a password?
That's probably because your /etc/sudoers
file (or any file it includes) has:
Defaults requiretty
...which makes sudo
require a TTY. Red Hat systems (RHEL, Fedora...) have been known to require a TTY in default sudoers
file. That provides no real security benefit and can be safely removed.
Red Hat have acknowledged the problem and it will be removed in future releases.
If changing the configuration of the server is not an option, as a work-around for that mis-configuration, you could use the -t
or -tt
options to ssh
which spawns a pseudo-terminal on the remote side, but beware that it has a number of side effects.
-tt
is meant for interactive use. It puts the local terminal in raw
mode so that you interact with the remote terminal. That means that if ssh
I/O is not from/to a terminal, that will have side effects. For instance, all the input will be echoed back, special terminal characters (^?
, ^C
, ^U
) will cause special processing; on output, LF
s will be converted to CRLF
s... (see this answer to Why is this binary file being changed? for more details.
To minimise the impact, you could invoke it as:
ssh -tt host 'stty raw -echo; sudo ...' < <(cat)
The < <(cat)
will avoid the setting of the local terminal (if any) in raw
mode. And we're using stty raw -echo
to set the line discipline of the remote terminal as pass through (effectively so it behaves like the pipe that would be used instead of a pseudo-terminal without -tt
, though that only applies after that command is run, so you need to delay sending something for input until that happens).
Note that since the output of the remote command will go to a terminal, that will still affect its buffering (which will be line-based for many applications) and bandwidth efficiency since TCP_NODELAY
is on. Also with -tt
, ssh
sets the IPQoS to lowdelay
as opposed to throughput
. You could work around both with:
ssh -o IPQoS=throughput -tt host 'stty raw -echo; sudo cmd | cat' < <(cat)
Also, note that it means the remote command cannot detect end-of-file on its stdin and the stdout and stderr of the remote command are merged into a single stream.
So, not so good a work around after all.
If you've a got a way to spawn a pseudo-terminal on the remote host (like with expect
, zsh
, socat
, perl
's IO::Pty
...), then it would be better to use that to create the pseudo-terminal to attach sudo
to (but not for I/O), and use ssh
without -t
.
For example, with expect
:
ssh host 'expect -c "spawn -noecho sh -c {
exec sudo cmd >&4 2>&5 <&6 4>&- 5>&- 6<&-}
exit [lindex [wait] 3]" 4>&1 5>&2 6<&0'
Or with script
(here assuming the implementation from util-linux
):
ssh host 'SHELL=/bin/sh script -qec "
sudo cmd <&3 >&4 2>&5 3<&- 4>&- 5>&-
" /dev/null 3<&0 4>&1 5>&2'
(assuming (for both) that the login shell of the remote user is Bourne-like).
By default, SUDO is configured to require a TTY. That is, SUDO is expected to be run from a login shell. You can defeat this requirement by adding the -t
switch to your SSH invocation:
ssh -t someserver sudo somecommand
The -t
forces allocation of a pseudo-tty.
If you want to perform this globally, modify /etc/sudoers
to specify !requiretty
. This can be done a a per user, per group or all-encompassing level.
Use the -t
flag to ssh
to force tty allocation.
$ ssh luci tty
not a tty
$ ssh luci -t tty
/dev/ttys003
$