I have a Victron Cerbo GX with Venus OS and a node-red v3.1.10 instance is running there. Node-red itself works fine, but I have a problem that I lost remote access to the device via ssh. Access is only from the local network, but now I'm far away and unfortunately I don't have the ability to log in from the local network. Node-red is started by the nodered user and I need root access. I know the root password, I have access to the device console etc.
I could modify rc.local to start VPN and restore access. I'm trying to run various commands in the exec node, but everything works for the nodered user, using sudo requires entering the password from the terminal and this can't be done in the node, and ASK_SUDO and then sudo -A doesn't work in the exec node although I know it works on Venus OS itself (I checked on another device with the same configuration).
Does anyone have an idea how to run commands in the exec node as root?
A better idea, avoiding using your password in plain text in the flows file, is to use sudo your_command in the exec node, and, in a command window, run sudo visudo to allow the node red user to run that command with sudo without having to enter a password.
So, for example, to allow the use of sudo shutdown in an exec node, for the user nodered, use sudo visudo and add
@dynamicdave and @jbudd
Passing the password this way does not work on my Node-red instance. I tried a few other methods and they don't work in Node-red either.
@Colin
Modifying sudoers is possible for root via ssh, but I don't have that access and I want to get it. I'll do it when I get access.
I spent quite a bit of time trying different ways to get around the limitations of VenusOS on a Cerbo GX using Node-red - mostly to try and regain access or run privileged commands directly from a flow. And turns out not much luck.
Even though echo 'password' | sudo -S ... works fine in a terminal, it doesn’t behave the same in a node-red exec node. Looks like stdin doesn’t get passed to sudo properly in that context.
VenusOS comes with a super minimal version of sudo, no support for sudo_askpass (checked with sudo -V, nothing mentioned) and requires tty for password input, which node-red obviously doesn’t have.
I tried all the usual tricks (echo + sudo, askpass, custom scripts) but it always ends up failing or just silently doing nothing. So yeah, it’s not really possible to elevate privileges through node-red alone on this system.
Guess I’ll need to find someone local to connect into the Cerbo and fix things manually.
No idea if it will work on a Victron but on a Raspberry Pi it allows me to do eg sudo nano /etc/hosts, prompting for the password.
I had to change the terminal settings to just 20 rows so I could see what I was editing.
I think a client who had prohibited access via ssh might take a dim view of me subverting it like this, but you may find it useful in an emergency.
I asked around in a few more places and one guy on the Victron forum gave me an idea and following that path I was able to solve the problem. This is rather a temporary solution but it seems pretty cool to me. You don't have to store any passwords written in plain text in the nodes, just ssh keys.
As you can see from previous posts, Venus OS on Cerbo GX as a minimalist distribution has a lot of limitations, and not all solutions known from, for example, Raspberry PI will work here. I’ll leave a quick summary here for the community in case someone runs into the same/similar issue.
The solution was to use Node-Red’s exec node to create a reverse SSH tunnel from the Cerbo GX to a VPS with a public IP.
Here’s what I did:
Generated SSH keys directly from Node-Red (so for user nodered) with exec node:
Copied the public key id_rsa.pub (just "cat" it with exec node to debug) and added it to the ~/.ssh/authorized_keys file of a remote VPS user. Make sure permissions are correct:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Created the reverse SSH tunnel from Venus OS to the VPS with exec node:
Then, log in with the root password. It can be set remotely in the Remote Console via the VRM Portal:
Settings → General → Set root password
With this method I was able to fully regain control of the system as root using only Node-Red and a VPS as a tunnel relay over the Internet, no need for local SSH access.
Hopefully, this helps someone else in a similar situation!
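An added example, not part of the original post: when the nodered public key goes into the VPS user's authorized_keys, the entry can be limited to the reverse forward only, so a copy of the key taken from the Cerbo cannot open a shell on the VPS. The listen port 2222, the function names and the sample key are assumptions; permitlisten needs OpenSSH 7.8 or later on the VPS.

```shell
#!/bin/sh
# Added example: install a tunnel-only key on the VPS relay.
# Assumed (not from the thread): listen port 2222, the helper names below.

# Constructed placeholder key, not a real one.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAEXAMPLE nodered@cerbo-example'

# Build an authorized_keys line that permits only a reverse forward on one
# loopback port. "restrict" disables pty, agent/X11 forwarding and user rc;
# port-forwarding is then re-enabled and pinned with permitlisten, and
# command= ensures any session request runs /bin/false instead of a shell.
restricted_key_line() {
    pubkey=$1 port=$2
    printf 'restrict,port-forwarding,permitlisten="localhost:%s",command="/bin/false" %s\n' \
        "$port" "$pubkey"
}

# Append the restricted line to <ssh_dir>/authorized_keys, idempotently,
# and enforce the 700/600 permissions sshd expects.
install_tunnel_key() {
    ssh_dir=$1 pubkey=$2 port=$3
    auth="$ssh_dir/authorized_keys"
    nl='
'
    # A pasted key containing a newline could smuggle in a second,
    # unrestricted entry, so refuse it.
    case $pubkey in *"$nl"*) echo "key contains a newline" >&2; return 1 ;; esac
    case $pubkey in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key" >&2; return 1 ;;
    esac
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    line=$(restricted_key_line "$pubkey" "$port")
    # Exact, fixed-string match so re-running does not duplicate the entry.
    grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
}

# Show the line that would be installed for the sample key.
restricted_key_line "$SAMPLE_KEY" 2222
```

With this entry the Cerbo side must open the tunnel without requesting a shell (ssh's -N option), and the key should be removed from authorized_keys once local access is restored.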