Managing servers with built-in tools
|
Cluster SSH
Cluster SSH [2] also offers the possibility of working on multiple computers simultaneously. The invocation is made via cssh <host1> <host2> … . A small text entry window then opens (Figure 2) where you can enter the desired command. A terminal window will also open for each computer. Cssh will transfer the entry character by character from the entry window to the individual devices, even when you have mistyped and then used the backspace to correct the error. You will be able to see how this works on the individual terminals. Then, you can follow the output of the commands on the individual hosts once the return key is pressed.
Figure 2: The text entry window for Cluster SSH.
To execute a separate command on one of the computers, you should shift the focus to its terminal. There you should modify the command as necessary before you press the return key in the Cssh window to execute the command on all computers.
If desired, you can define the computers in the cluster in a configuration file (/etc/clusters or ~/.clusterssh/clusters ). This is similar to what you can do in Pssh. The definition here proceeds by assigning a name and then lists the computers that belong to this class. The computer name assigned in Listing 4 is webserver . When you call cssh, you can call this class instead of the names of the individual computers [3]. The Cluster SSH package includes both cssh and crsh for RSH and also ctel for Telnet. Neither protocol offers encryption, and they are therefore considered irrelevant nowadays.
Listing 4
Webserver
webserver root@www1.example.com root@www2.example.com root@www3.example.com
Limitations
When logins are made without a password, you should figure out for security reasons how to restrict command execution to only those tasks which are the most important. This would include things like triggering backups, indicating currently running processes, or restarting the server. SSH makes these types of restrictions possible via so-called forced commands. It then always executes a particular command at login.
When the key gets copied onto the server, it lands in the ~/.ssh/authorized_keys file. The corresponding line begins with ssh-rsa . RSA stands for encryption method being used. Next comes a jumble of characters that form your public key, and an optional comment. If you do not specify anything else, then this comment consists of the <User>@<Host> for the computer on which you have created the key. You can enter a forced command as needed at the beginning of the line.
command="ps -ef" ssh-rsa AAB3NzaC1yc..
In this example, the ps -ef command for indicating running processes always starts after login with the key. This is true even if you have given a different command to ssh. This could be changed to something like initiating a backup, restarting a service, or rebooting the server. Because you can create arbitrarily many keys, it is possible to use a different key for each task together with the accompanying forced command.
All of this can be simplified. SSH assigns to the variable $SSH_ORIGINAL_COMMAND the command that you indicated. This is called whitelisting a command. It is done by applying the shell script in Listing 5, which you save on the server for use as a forced command. Then, the available disk memory can be determined via ssh -i ~/.ssh/mysshkey server.example.com df . In the same vein, the currently executing processes can be determined via … ps , and the available main memory via … free .
Listing 5
Whitelisting
#!/bin/sh case $SSH_ORIGINAL_COMMAND in "df") df -h ;; "ps") ps -ef ;; "free") free ;; *) echo "Illegal command." exit 1 ;; esac
Although this is a good idea, it can be abused. (See the "Tricky Aspects of Forced Commands" box.) It is possible to restrict the list of computers for which the key can be used as a login via the from="…" option.
from="*.example.org,!chef. example.org" ssh-rsa ...
This key can be used to log into each computer under example.org , but not from the chef computer thanks to the negation indicated by the exclamation mark.
Tricky Aspects of Forced Commands
You will need to make absolutely sure that a forced command actually does only what you intend it to. If, for example, you permit a hypothetical FTP administrator to modify the vsftpd server (command="vi /etc/vsftpd.conf" ) with the vi editor, then you will have opened the floodgates. This capability would let the FTP administrator randomly read in other files (:r /etc/passwd ) and, depending on the rights, also write them. Even worse, vi makes it possible to start other commands via the :!<command> capability. Thus, it would have been better to avoid the forced command altogether.
One final step may be to turn off various capabilities of ssh. The protocol offers exciting options such as X11 and port forwarding. You should deactivate these curiosities if they are not absolutely necessary. Otherwise, an interloper can gain access to certain services via port forwarding. The corresponding options are summarized in Table 1. More detailed information is available on the manpage of the ssh daemon (man sshd ).
Table 1
Turning Off SSH Functions
| Option | Function |
|---|---|
| no-pty | Prevents the creation of pseudoterminals* |
| no-port-forwarding | Prevents port forwarding via SSH |
| no-x11-forwarding | Prevents the redirect of graphics programs from remote computers |
| no-agent-forwarding | Prevents the redirect of information of the SSH agent |
| *Pseudoterminals are interactive programs, such as an editor, request a pseudoterminal (pty ) for establishing communication with the user. Nowadays, this is connected to a device file under /dev/pts/ and the terminal is being simulated. This has given rise to the use of the prefix pseudo . Previously, an actual text terminal was involved, such as a VT100 or VT220. These connected via serial ports (RS-232) to the Unix hosts, and communicated with them via /dev/ttyS0 or /dev/ttyS1 . |
« Previous 1 2 3 Next »
Buy this article as PDF
Pages: 5
(incl. VAT)
Buy Ubuntu User
US / Canada
UK / Australia
Related content
-
Accelerated command processing with GNU Parallel
With the snazzy little program GNU Parallel, you can make use of the full power of your multicore CPUs through scripts.
-
Integrating network storage through the file manager
Web hosting providers usually give you FTP access when you need to upload data to their online storage. On Linux, a file manager is all you need to access network storage.
-
Comparing Windows PowerShell and Bash
Bash and PowerShell are related, but as in all large families, the branches of the tree often take on different forms.]
-
Convenient private cloud with Seafile
After the Prism and Tempora revelations, the writing's on the wall: Your data stored on public clouds isn't safe from the clutches of security agencies. Help can come only from a self-administered solution – yet Seafile provides a simple and ingenious approach.
-
User accounts with OpenLDAP's central administration
If you have multiple users logging into different computers or applications, the LDAP directory service can accommodate your needs