Managing servers with built-in tools

Tatiana Popova, 123RF

Remote Control

Managing multiple computers can often be accomplished with SSH and a few other standard tools. You don't necessarily need a big, complex solution like Puppet or Cfengine.

Frequently, administrators need to take care of several servers and clients that have a similar configuration, such as in a company, an Internet café, or the IT laboratory for a school. Although tools such as Puppet and Cfengine make the work easy, they also have steep learning curves. Therefore, it can be easier to rely on built-in tools when dealing with smaller installations.

SSH is the standard tool for administering remote computers. The secure shell provides an encrypted login over the network, so you can make the necessary changes on the remote server and then restart the affected services. This works well with a single remote computer, but when several are involved, the process becomes tedious.

Entering a password is the first issue to address in the multiple computer scenario. If you have to log in on multiple computers to make modifications, is there a way to do this without typing in the password for each computer? Regular, automatic backups also have to run even when the administrator is on vacation or has gone to bed for the night. What are the possible solutions for these and other concerns?

SSH Login Without a Password

SSH normally expects the password to be typed at the keyboard; there is no command-line option for passing it. This is actually a good thing: otherwise, any user could list all current processes, including their command-line parameters, with ps ax and read other users' passwords in plain text.

SSH offers public key authentication for logins without a password. The user then needs to know the login name (and the account's password, for the initial key transfer), plus have a private key that matches the public key on the server.

Listing 1 shows how to create a key pair. The -N "" option indicates that you do not want to use a passphrase, which saves a keyboard entry. ssh-keygen creates two files: the private key, which must remain secret, in the mysshkey file, and the public key in the mysshkey.pub file. The latter has to be on the server(s) where you will log on with your private key (see the "Password Tips" box for more).

Listing 1

Create a Key Pair

$ cd ~/.ssh
$ ssh-keygen -N "" -f mysshkey
Generating public/private rsa key pair.
Your identification has been saved in mysshkey.
Your public key has been saved in mysshkey.pub.
The key fingerprint is:
a6:d2:c5:e9:5b:80:10:a0:a6:ef:d5:6a:3d:03:df:d0 user@hostname
The key's randomart image is:
+--[ RSA 2048]----+
|  ...            |
| .   .           |
|..  .            |
|o    . o .       |
|.     ..S        |
| .  .o.=E.       |
|  . o++o. .      |
| . ..o= .o       |
|  ...  o.        |
+-----------------+
$ ssh-copy-id -i mysshkey.pub user@myserver
Password:
Now try logging into the machine, with "ssh 'user@myserver'", and check in:
 .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

Password Tips

On the one hand, you want to avoid having to enter a password. On the other hand, a passphrase can be combined with key authentication to make the login more secure. To set this up, omit the -N "" option when calling ssh-keygen. The tool will then ask for a passphrase that protects the key. This means you need your user name, a key, and also the passphrase, for an added level of security. The ssh-agent program can cache the passphrase so you do not have to type it each time. This is more convenient, but it still does not automate the tasks completely.

The ssh-copy-id command (Listing 1) performs the key transfer once you log in one more time using a password. During this first login, you will also need to confirm that the fingerprint of the remote computer is trusted (see the "Identity Check" box). From then on, the login works without a password when the following command is issued:

$ ssh -i ~/.ssh/mysshkey user@myserver
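To make clear what ssh-copy-id does on the server side, here is an added example (not from the article, not the ssh-copy-id implementation) that installs a public key by hand: it creates ~/.ssh with mode 700, appends the key line to authorized_keys with mode 600, and refuses to add the same key twice or to add a file that does not look like an OpenSSH public key. The key string and the target home directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): what ssh-copy-id does on the server
# side, done by hand so it can be inspected and run locally against a
# temporary home directory.
#
# install_pubkey PUBKEY_FILE TARGET_HOME
#   - creates TARGET_HOME/.ssh with mode 700
#   - appends the key to authorized_keys (mode 600) only if it is not already there
#   - returns 0 on success, 1 if the public key file is malformed
install_pubkey() {
    pubkey_file=$1
    target_home=$2
    ssh_dir="$target_home/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # A public key line is "<type> <base64> [comment]"; refuse anything else so
    # a stray file never ends up in authorized_keys.
    key_line=$(head -n 1 "$pubkey_file")
    case $key_line in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*" "*) ;;
        *) echo "refusing: $pubkey_file is not an OpenSSH public key" >&2; return 1 ;;
    esac

    # sshd ignores authorized_keys when the directory or file is group/world
    # writable, so set the permissions explicitly.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Compare only type and key material (fields 1 and 2) so that a changed
    # comment does not create a duplicate entry.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')
    if awk -v id="$key_id" '($1 " " $2) == id {found=1} END {exit !found}' "$auth_keys"; then
        echo "key already present in $auth_keys"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
    echo "key added to $auth_keys"
}

# count_keys FILE: number of non-empty lines, used to check idempotence
count_keys() { grep -c . "$1"; }

# Demo with a constructed (fake) key string; it only needs to be well formed.
demo_dir=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFAKEKEYFAKEKEYFAKEKEYFAKEKEYFAKEKEYFA user@hostname\n' \
    > "$demo_dir/mysshkey.pub"
install_pubkey "$demo_dir/mysshkey.pub" "$demo_dir/home"
install_pubkey "$demo_dir/mysshkey.pub" "$demo_dir/home"   # second run must not duplicate
count_keys "$demo_dir/home/.ssh/authorized_keys"            # 1
```

The permission settings are not cosmetic: with StrictModes enabled (the default), sshd silently ignores an authorized_keys file that is writable by anyone other than its owner, which is one of the most common reasons a freshly copied key "does not work".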

Identity Check

If you have already used SSH, you will recognize the request to confirm the authenticity of the remote computer during the first login (Listing 2). Typically, you simply answer yes and then log in with user name and password. But why do you have to do this at all?

The connection between your computer and the server passes through various WiFi networks, routers, and providers. As a result, an unknown server could be sitting at the other end of the connection, reading and saving your login data. Therefore, SSH checks the fingerprint of the remote machine when the connection is created. The fingerprint is a hash of the SSH server's host key, which was generated during installation, and serves as a quasi ID for the server.

To be sure that the connection is made with the correct machine, you should first check the machine's fingerprint. As soon as you confirm that the machine is the one you want by answering yes, SSH saves this ID and uses it in the future to automatically verify every connection attempt. If the comparison fails, the program issues a warning.

If you receive a warning of this type, you should proceed carefully. Maybe the server has simply been reinstalled and the key has therefore changed. But a server could also be lurking at the other end of the line, just waiting to grab your access data. Thus, it is important to figure out why you got the warning message.

Listing 2

First Login

$ ssh www.example.com
The authenticity of host 'www.example.com (192.0.2.1)' can't be established.
ECDSA key fingerprint is ad:57:60:2b:53:c5:08:07:8b:b3:26:87:1d:2d:5a:b5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'www.example.com' (ECDSA) to the list of known hosts.
Password:
Last login: Sat Sep 12 14:41:29 2015 from otherhost.example.com
Have a lot of fun...
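For unattended jobs, the interactive yes/no question is the wrong place to decide whether a host is trusted: the decision should be made beforehand, and the script should fail loudly if a host key is unknown or has changed. The following is an added example (not from the article) with two helper functions that inspect a known_hosts file before automation is pointed at a host. The known_hosts content is constructed with placeholder key material; only the line format matters.

```shell
#!/bin/sh
# Added example (not from the article): check that a host is already pinned in
# a known_hosts file before running automation against it. The automation itself
# should then use
#   ssh -o BatchMode=yes -o StrictHostKeyChecking=yes ...
# so that an unknown or changed host key fails the job instead of being accepted.

# host_pinned KNOWN_HOSTS HOST: returns 0 if HOST has at least one plain
# (unhashed) entry. Entry format: "host[,host2,...] keytype base64key [comment]".
# Lines starting with "|1|" are hashed entries (HashKnownHosts yes) and cannot be
# matched by name here; marker lines (@cert-authority, @revoked) are skipped too.
host_pinned() {
    known_hosts=$1
    host=$2
    awk -v h="$host" '
        /^#/ || /^$/ || /^@/ { next }          # comments, blanks, marker lines
        substr($1, 1, 3) == "|1|" { next }     # hashed entry, skip
        {
            n = split($1, names, ",")          # first field may list several names
            for (i = 1; i <= n; i++)
                if (names[i] == h) found = 1
        }
        END { exit !found }
    ' "$known_hosts"
}

# pinned_keytypes KNOWN_HOSTS HOST: prints the key type of every plain entry
# for HOST, one per line (a host may be pinned with several key types).
pinned_keytypes() {
    awk -v h="$2" '
        /^#/ || /^$/ || /^@/ { next }
        substr($1, 1, 3) == "|1|" { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) print $2
        }' "$1"
}

# Constructed known_hosts content; the key material is a placeholder, not a real key.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# hosts whose fingerprints were verified out of band
www.example.com,192.0.2.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIPLACEHOLDER
host1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER
|1|HASHEDSALTPLACEHOLDER=|HASHEDHOSTPLACEHOLDER= ssh-rsa AAAAB3PLACEHOLDER
EOF

for h in host1 www.example.com host4; do
    if host_pinned "$demo_file" "$h"; then
        echo "$h: pinned ($(pinned_keytypes "$demo_file" "$h" | tr '\n' ' ')) - safe for BatchMode"
    else
        echo "$h: no pinned key - verify its fingerprint interactively first" >&2
    fi
done
```

A host that is not pinned should be verified once by hand (comparing the fingerprint shown in Listing 2 with one obtained out of band), after which the automated loop can run with StrictHostKeyChecking=yes and never see the yes/no prompt.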

What is the best way to automate tasks? The easiest option is a simple for loop in the shell, as shown in Listing 3. In this listing, the command stored in the COMMAND variable installs the pssh package on host1 through host4 using the Debian/Ubuntu apt tool; the apt option -y suppresses the confirmation prompts.

Listing 3

For Loop Automation

# hosts to manage and the command to run on each of them
HOSTS="host1 host2 host3 host4"
COMMAND="apt-get -y install pssh"
for i in $HOSTS ; do
 # the remote command is ssh's last positional argument (-c would select a cipher)
 ssh -o ConnectTimeout=10 -i ~/.ssh/mysshkey $i "$COMMAND"
done

SSH itself gives up on a connection attempt after 10 seconds (-o ConnectTimeout=10) when it cannot reach the remote computer, and the loop continues with the next host. Without this precaution, the for loop would hang on an unreachable computer and never get to the others. This type of loop is a very practical solution, but there are more sophisticated methods available. One of these is hidden inside the pssh package that was installed in the example.
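The loop in Listing 3 has two weaknesses for unattended use: it does not record which hosts failed, and ssh may still stop to ask a question (a passphrase, the host key prompt). The following added example (not from the article) restructures the loop into a function that takes the remote-runner command as its first argument, so the logic can be exercised offline with a constructed stand-in for ssh; in real use you would pass something like "ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=10 -i $HOME/.ssh/mysshkey". BatchMode=yes makes ssh fail instead of prompting, which is what makes the loop safe to leave running on its own.

```shell
#!/bin/sh
# Added example (not from the article): Listing 3's loop with per-host status,
# a list of failed hosts and a non-zero exit code when anything failed.

# run_on_hosts RUNNER COMMAND HOST...: runs COMMAND on every host through
# RUNNER (ssh plus its options, word-split on spaces), prints a per-host status
# and returns the number of hosts that failed (0 = all succeeded).
# The names of the hosts that failed are left in FAILED_HOSTS.
run_on_hosts() {
    runner=$1
    cmd=$2
    shift 2
    failed=0
    FAILED_HOSTS=""
    for host in "$@"; do
        # </dev/null: ssh would otherwise read the loop's stdin, which swallows
        # the rest of the host list when the hosts are fed in through a pipe.
        if $runner "$host" "$cmd" </dev/null; then
            echo "[ok]   $host"
        else
            rc=$?
            echo "[fail] $host (exit $rc)" >&2
            failed=$((failed + 1))
            FAILED_HOSTS="$FAILED_HOSTS $host"
        fi
    done
    return $failed
}

# Stand-in for ssh so the example runs without a network (constructed for this
# example): "host3" is treated as unreachable and returns 255, the code ssh
# itself uses for connection failures; every other host "runs" the command.
fake_ssh() {
    case $1 in
        host3) echo "ssh: connect to host $1 port 22: Connection timed out" >&2; return 255 ;;
        *)     echo "$1: would run: $2" ;;
    esac
}

HOSTS="host1 host2 host3 host4"
COMMAND="apt-get -y install pssh"
# $HOSTS is intentionally unquoted so that it splits into one argument per host
run_on_hosts fake_ssh "$COMMAND" $HOSTS || echo "$? host(s) failed:$FAILED_HOSTS" >&2
```

Because the function's return value is the failure count, a cron job or CI step that calls it fails as a whole when any host was missed, and FAILED_HOSTS tells you which ones to retry.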

Parallel SSH

The pssh program makes it possible to execute ssh commands on several computers in parallel [1]. To do this, you need a running SSH server on the clients, and pssh needs to be installed on the control server. In effect, the example above, in which pssh was installed on all servers, was unnecessarily complicated.

Figure 1 shows a parallel ssh session initiated by pssh. First, you need to create a file containing the list of computers to be used. I have called this file hostfile in the example. It contains one host name per line, optionally with an accompanying user name and port in the form <User>@<Host>:<Port>.

Figure 1: Parallel SSH sessions can be started via pssh.

Then, you start the parallel login on the indicated host computers via the following command:

$ pssh -i -x "-i ~/.ssh/mysshkey" -t 10 -h hostfile command

The -i option sends the output to the terminal. Alternatively, you could write the output to files, one per target computer. The -t 10 option sets a timeout of 10 seconds. The -x parameter takes as its value options that are forwarded to ssh; in the example, this is "-i ~/.ssh/mysshkey", which selects the ssh key.
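pssh parses the <User>@<Host>:<Port> host list itself, but if you want to reuse the same hostfile with a plain ssh loop, or simply reject malformed entries before any connection is attempted, you need a small parser for the format. The following is an added example (not from the article and not pssh's own code): it turns each entry into explicit ssh arguments (-l user -p port host) and validates the whole file. The hostfile content is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): parser and validator for the
# [user@]host[:port] host list format used by pssh's -h hostfile.

# parse_host_entry ENTRY: prints "user host port" (user "-" when absent, port
# 22 when absent); returns 1 on a malformed entry. IPv6 literals are not handled.
parse_host_entry() {
    entry=$1
    user=-
    port=22
    host=$entry
    case $host in
        *@*) user=${host%%@*}; host=${host#*@} ;;     # split off user@
    esac
    case $host in
        *:*) port=${host##*:}; host=${host%:*} ;;     # split off :port
    esac
    # host must be a DNS name or IPv4 literal
    case $host in
        ""|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # port must be numeric and in range
    case $port in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    # user names: conservative character set, no shell metacharacters
    case $user in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s %s %s\n' "$user" "$host" "$port"
}

# ssh_args_for ENTRY: prints the ssh arguments for one entry, for example
# "-l admin -p 2222 host4"; prints nothing and returns 1 for a bad entry.
ssh_args_for() {
    parsed=$(parse_host_entry "$1") || return 1
    set -- $parsed                      # $1=user $2=host $3=port
    args="-p $3 $2"
    if [ "$1" != "-" ]; then args="-l $1 $args"; fi
    printf '%s\n' "$args"
}

# check_hostfile FILE: prints the ssh arguments for every valid line, reports
# bad lines on stderr and returns the number of bad lines.
check_hostfile() {
    nbad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ""|"#"*) continue ;; esac      # skip blanks and comments
        if args=$(ssh_args_for "$line"); then
            echo "ok:  ssh $args"
        else
            echo "bad: '$line'" >&2
            nbad=$((nbad + 1))
        fi
    done < "$1"
    return $nbad
}

# Constructed host list for this example, including two deliberately bad lines.
hostfile=$(mktemp)
cat > "$hostfile" <<'EOF'
# constructed hostfile
host1
admin@host2
host3:2222
admin@host4:2222
bad host
host5:99999
EOF
check_hostfile "$hostfile" || echo "$? bad line(s); fix them before running pssh" >&2
```

Validating the file up front matters because a malformed entry would otherwise only surface as a confusing connection error in the middle of a parallel run, and a line containing shell metacharacters should never be handed to a command line unchecked.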

The login on localhost worked fine in Figure 1. In this example, I had neither accepted the SSH host key nor did I have an account for http://www.linuxuser.de, so the login there won't work. The timeout interrupts the login to http://www.google.at; as expected, there is no publicly available SSH server there.

In addition to the pssh tool, which executes SSH commands on multiple computers simultaneously, the pssh package includes pscp and prsync. These two tools copy files to multiple computers using scp and rsync, respectively.
