Managing servers with built-in tools


Cluster SSH

Cluster SSH [2] also offers the possibility of working on multiple computers simultaneously. The invocation is made via cssh <host1> <host2> … . A small text entry window then opens (Figure 2) where you can enter the desired command. A terminal window will also open for each computer. Cssh will transfer the entry character by character from the entry window to the individual devices, even when you have mistyped and then used the backspace to correct the error. You will be able to see how this works on the individual terminals. Then, you can follow the output of the commands on the individual hosts once the return key is pressed.

Figure 2: The text entry window for Cluster SSH.

To execute a separate command on one of the computers, you should shift the focus to its terminal. There you should modify the command as necessary before you press the return key in the Cssh window to execute the command on all computers.

If desired, you can define the computers in the cluster in a configuration file (/etc/clusters or ~/.clusterssh/clusters ), much as you can in Pssh. Each definition assigns a name and then lists the computers that belong to this class. The class name assigned in Listing 4 is webserver . When you call cssh, you can pass this class name instead of the names of the individual computers [3]. The Cluster SSH package also includes crsh for RSH and ctel for Telnet. Neither protocol offers encryption, so both are considered obsolete nowadays.

Listing 4

Webserver

webserver root@www1.example.com root@www2.example.com root@www3.example.com

Limitations

When logins are made without a password, you should, for security reasons, restrict command execution to only those tasks that are actually needed. This would include things like triggering backups, listing the currently running processes, or restarting the server. SSH makes these types of restrictions possible via so-called forced commands: a particular command is then always executed at login, whatever the client asked for.

When the key gets copied onto the server, it lands in the ~/.ssh/authorized_keys file. The corresponding line begins with ssh-rsa , which names the key type (here RSA). Next comes a jumble of characters that form your public key, and an optional comment. If you do not specify anything else, this comment consists of <User>@<Host> for the computer on which you created the key. You can enter a forced command as needed at the beginning of the line.

command="ps -ef" ssh-rsa AAB3NzaC1yc..

In this example, the ps -ef command for indicating running processes always starts after login with the key. This is true even if you have given a different command to ssh. This could be changed to something like initiating a backup, restarting a service, or rebooting the server. Because you can create arbitrarily many keys, it is possible to use a different key for each task together with the accompanying forced command.

All of this can be simplified. SSH places the command that you passed on the ssh command line in the environment variable $SSH_ORIGINAL_COMMAND, so a single forced command can compare that value against a list of permitted commands. This is called whitelisting a command. It is done with the shell script in Listing 5, which you save on the server and enter as the forced command. Then, the available disk space can be determined via ssh -i ~/.ssh/mysshkey server.example.com df . In the same vein, the currently executing processes can be determined via … ps , and the available main memory via … free .

Listing 5

Whitelisting

#!/bin/sh
# Forced command: run only the commands named here, whatever the client requested.
# The variable is quoted so that an empty or multi-word request cannot break the case statement.
case "$SSH_ORIGINAL_COMMAND" in
 "df")
 df -h
 ;;
 "ps")
 ps -ef
 ;;
 "free")
 free
 ;;
 *)
 echo "Illegal command." >&2
 exit 1
 ;;
esac

Although this is a good idea, it can be abused. (See the "Tricky Aspects of Forced Commands" box.) It is also possible to restrict the list of computers from which the key can be used for login via the from="…" option.

from="*.example.org,!chef.example.org" ssh-rsa ...

This key can be used to log in from any computer under example.org , but not from the chef computer, thanks to the negation indicated by the exclamation mark.

Tricky Aspects of Forced Commands

You will need to make absolutely sure that a forced command actually does only what you intend it to. If, for example, you permit a hypothetical FTP administrator to modify the vsftpd configuration with the vi editor (command="vi /etc/vsftpd.conf" ), then you will have opened the floodgates. This capability would let the FTP administrator read arbitrary other files (:r /etc/passwd ) and, depending on the permissions, also write them. Even worse, vi makes it possible to start other commands via the :!<command> capability. Thus, it would have been better to avoid the forced command altogether.

One final step may be to turn off various capabilities of ssh. The protocol offers exciting options such as X11 and port forwarding. You should deactivate these curiosities if they are not absolutely necessary. Otherwise, an interloper can gain access to certain services via port forwarding. The corresponding options are summarized in Table 1. More detailed information is available on the manpage of the ssh daemon (man sshd ).

Table 1

Turning Off SSH Functions

Option                Function
no-pty                Prevents the creation of pseudoterminals*
no-port-forwarding    Prevents port forwarding via SSH
no-x11-forwarding     Prevents the redirect of graphics programs from remote computers
no-agent-forwarding   Prevents the redirect of information of the SSH agent

*Interactive programs, such as an editor, request a pseudoterminal (pty ) for communicating with the user. Nowadays, this is a device file under /dev/pts/ that simulates a terminal, which is what gave rise to the prefix pseudo . Previously, an actual text terminal was involved, such as a VT100 or VT220. These were connected to the Unix host via serial ports (RS-232) and communicated with it via /dev/ttyS0 or /dev/ttyS1 .
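As an added example (not code from the article), the following Python script audits an authorized_keys file for the restrictions discussed above: a forced command, a from= host list, and the four Table 1 options. It handles the one tricky part of the format, namely that commas and spaces inside double-quoted option values (from="a,b" , command="ps -ef" ) do not end an option. The sample file and its placeholder key blobs are constructed for the example.

```python
import re

# An options field ends at the first unquoted space; one option ends at an unquoted comma.
OPTIONS_FIELD = re.compile(r'^((?:[^\s"]|"(?:[^"\\]|\\.)*")+)\s+(.*)$')
OPTION_ITEM = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')
# The Table 1 restrictions a task-specific key should carry.
RESTRICTIONS = ("no-pty", "no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding")

def parse_line(line):
    """Return (options dict, key type, comment) for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = {}, line
    if not line.startswith(("ssh-", "ecdsa-", "sk-")):  # line begins with an options field
        m = OPTIONS_FIELD.match(line)
        if not m:
            return None
        for item in OPTION_ITEM.findall(m.group(1)):
            name, _, value = item.partition("=")
            options[name] = value.strip('"')
        rest = m.group(2)
    fields = rest.split(None, 2)
    return options, fields[0], (fields[2] if len(fields) > 2 else "")

def audit(text):
    """Return [(comment or key type, findings)] per key; empty findings means fully restricted."""
    report = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        options, keytype, comment = parsed
        findings = []
        if "command" not in options:
            findings.append("no forced command")
        if "from" not in options:
            findings.append("usable from any host")
        missing = [r for r in RESTRICTIONS if r not in options]
        if missing:
            findings.append("missing " + ",".join(missing))
        report.append((comment or keytype, findings))
    return report

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = """\
ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER admin@workstation
command="df -h",no-pty,no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1l...PLACEHOLDER backup@bastion
from="*.example.org,!chef.example.org",command="/usr/local/bin/whitelist.sh" ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER ops@example.org
"""
```

Running audit(open(path).read()) on a real file lists, per key, which of the article's restrictions it lacks; the sample reports the unrestricted admin key first.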
