Ssh cookbook
SSH COOKBOOK V2
A SSH TOOLS SUITE PRESENTATION
ENHANCED VERSION
Created by Jean-Marie Renouard / @jmrenouard
http://www.jmrenouard.fr/
WHAT'S SSH ?
SSH is a secure TCP communication protocol.
SSH v2 is the base standard in all distributions.
SSH allows you to connect securely to a server.
SSH protects against attacks such as man in the middle.
SSH BASIC USAGE
Connect to server REF01.mynetwork as osuser:
$ ssh osuser@REF01.mynetwork
WHAT'S NEXT ?
Password is asked.
Password is checked by the system: the typed password is hashed and the result is compared with the /etc/shadow information.
Comparison failed: command fails, simple!
osuser@REF01.mynetwork's password:
AND WHEN IT IS OK ...
Comparison succeeded: SSH asks the system for a new shell session.
The shell session is based on /etc/passwd info.
The 7th and last field of /etc/passwd is the shell path.
Default welcome message:
Last login: Thu Mar 20 23:26:46 2014 from 192.168.X.X
Then you've got a shell (Bash for instance).
A shell like a local shell, remotely and securely!
SHELL IS GREAT
Ctrl-d: kill the connection immediately.
Ctrl-l: clear your screen.
Ctrl-r: search in the bash history on the server.
Readline powered.
.bash_history: command history.
.bash_profile and .bashrc for personal shell customisation (aliases, functions, ...).
BORING ASPECT OF SSH
ONE CONNECTION MEANS ONE PASSWORD CHECK.
Password typing: no protection against human error.
Ctrl-d, exit, kill -9 0, killall bash, ...
Killing/terminating the shell session means:
All processes launched from the shell session are also killed.
You JUST have to REconnect and REtype your password.
And REtype your command, even if it takes a long time.
AVOIDING PASSWORD TYPING
Thank God, it is possible to connect without password typing.
It is as secure as password typing. Maybe more secure:
No password Excel file on the network.
No "Agile Access info" Post-it on the Scrum board :)
SSH KEY GENERATION
2 FILES MUST BE GENERATED
1. Red key: .ssh/id_rsa is your private SSH key. Keep it secret.
2. Blue key: .ssh/id_rsa.pub is your public SSH key.
SSH KEY GENERATION COMMAND
Key Generation Command:
ssh-keygen -t rsa
Hey, it is asking me a F*** password !!!
Leave it empty :)
SSH KEY DEPLOYMENT
Public Key Deployment Command:
ssh-copy-id -i .ssh/id_rsa.pub osuser@REF01.mynetwork
It is asking a password for the last time ....
AND ALL IS OK ?
On the server, .ssh/authorized_keys contains the content of your public key.
Try to connect once again.
NO MORE PASSWORD ....
Magic: simple, easy and secure ....
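The deployment check above ("authorized_keys contains the content of your public key") is worth doing properly, because an authorized_keys line may carry options in front of the key and a different comment after it, so a plain text diff against id_rsa.pub can report a false mismatch. The following is an added example, not code from the deck: it parses OpenSSH public-key lines, checks that the base64 blob really starts with the declared key type, and compares keys on (type, blob) only. The sample keys are constructed with a toy modulus purely to exercise the parser.

```python
import base64
import struct

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH key type names

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(i):
    # ssh mpint: big-endian, with a leading 0x00 byte when the high bit is set
    return _ssh_string(i.to_bytes((i.bit_length() + 8) // 8, "big"))

def parse_key_line(line):
    """Parse one id_rsa.pub or authorized_keys line into (options, keytype, blob, comment).
    Returns None for blank and '#' lines. authorized_keys may prefix a key with options
    such as no-pty or from="..." (which can contain spaces), so the key type is located
    as the first token that looks like one instead of being assumed to be token 0."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no key type / key data in line: " + line)
    keytype, blob = tokens[idx], base64.b64decode(tokens[idx + 1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    # the binary blob starts with its own key type string; it must match the text field
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type mismatch in line: " + line)
    return " ".join(tokens[:idx]), keytype, blob, " ".join(tokens[idx + 2:])

def is_authorized(pubkey_line, authorized_keys_text):
    """True if the key in pubkey_line is in authorized_keys, ignoring options and comments."""
    _, ktype, blob, _ = parse_key_line(pubkey_line)
    for line in authorized_keys_text.splitlines():
        parsed = parse_key_line(line)
        if parsed and parsed[1] == ktype and parsed[2] == blob:
            return True
    return False

def toy_rsa_pub(modulus, comment):
    # constructed sample key in OpenSSH text format (toy modulus, NOT a usable key)
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

MY_PUB = toy_rsa_pub(0xC0FFEE1234567890ABCDEF, "osuser@laptop")
OTHER_PUB = toy_rsa_pub(0xDEADBEEF0123456789, "someone@elsewhere")
# constructed authorized_keys content: a comment line, someone else's key, then ours
# with options in front and a different comment, as an admin might leave it
AUTHORIZED_KEYS = (
    "# keys for osuser\n" + OTHER_PUB + "\n"
    + 'no-pty,from="10.0.0.0/8 lab" ' + MY_PUB.rsplit(" ", 1)[0] + " deployed\n"
)
```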
IS IT ALL ?
How to automate this process ?
Library Expect: a library for interacting with a shell programmatically.
You can script an interactive scenario and execute it automatically.
BETTER THAN A SHELL
YOU CAN ALSO REMOTELY EXECUTE A COMMAND.
Shutdown the server:
ssh osuser@REF01.mynetwork shutdown -h now
Execute a remote python script:
ssh osuser@REF01.mynetwork "python remoteScript.py"
Know the load average on the REF01 server:
ssh osuser@REF01.mynetwork uptime
PERL EXPECT
#!/usr/bin/perl
use strict;
use warnings;
use Expect;

# Arguments: <user@host> <password> <command>
my $timeout = 1;
my $command = "ssh " . $ARGV[0] . " " . $ARGV[2];
my $exp = Expect->spawn($command) or die "Cannot spawn $command: $!\n";
$exp->raw_pty(1);
# patterns are given as qr// so Expect matches them as regexes (plain strings are matched literally)
$exp->expect($timeout,
    # login prompt: send the user name (hard-coded to "luser")
    [ qr/ogin: $/       => sub { $exp->send("luser\n"); exp_continue; } ],
    # unknown host key prompt: this answers "yes" blindly, i.e. it accepts whatever host key is offered
    [ qr/yes\/no\)\?\s*$/ => sub { $exp->send("yes\n"); exp_continue; } ],
    # password prompt: send the password given as 2nd argument
    [ qr/assword:\s*$/  => sub { $exp->send($ARGV[1] . "\n"); exp_continue; } ],
    # stop once a shell prompt is seen
    [ qr/[#>:] $/ ],
);
$exp->soft_close();
REMOTE EXECUTE A LOCAL SCRIPT
PYTHON, BASH, PHP, RUBY, JAVA, ALL INTERPRETERS
The interpreter must be present on the remote server.
Simple Python script: hello.py
#!/usr/bin/python
print("Hello World !")
Remote execute script: ssh-exec
#!/bin/sh
# Usage: ssh-exec <user@host> <script>
# take the interpreter path from the script's shebang line
INTERPRETER=$(head -n 1 "$2" | sed -e 's/^#!//')
# feed the script body (comment lines dropped) to the interpreter's stdin on the remote host
grep -v '^#' "$2" | ssh "$1" "$INTERPRETER"
Usage:
ssh-exec [email protected] hello.py
FILE TRANSFER OVER SSH
Using the input/output redirection:
cat myLocalFile | ssh [email protected] "cat > myRemoteFile"
Compressing on the fly (the remote side must decompress again):
cat myLocalFile | gzip | ssh [email protected] "gzip -d > myRemoteFile"
Compression by SSH itself:
cat myLocalFile | ssh -C [email protected] "cat > myRemoteFile"
DIRECTORIES OVER SSH
Commands using input/output for a directory:
tar, the UNIX archiver command, works with stdin and stdout.
tar -czf - myDir | ssh -C [email protected] "tar -xzf -"
(the archive already contains the myDir directory, so it is recreated as myDir on the remote side)
Better solution, a kind of cp based on the SSHv2 protocol:
scp -rp myDir [email protected]:myDir
Best solution, incremental copy:
rsync -avz myDir [email protected]:myDir
MULTIPLE HOST COMMANDS
SIMPLE SHELL LOOP ON 3 SERVERS
for host in server1 server2 server3; do
    echo "* Updating $host"
    ssh -C root@${host}.mynetwork "yum -y update"
done

SIMPLE SHELL LOOP ON SERVER1 TO SERVER100
for i in $(seq 1 100); do
    host=server${i}.mynetwork
    echo "* Updating $host"
    ssh -C root@${host} "yum -y update"
done

MULTIPLE HOST COMMANDS IN PARALLEL
FORKING SUBSHELLS IN LOOP ON SERVER1 TO SERVER100
for i in $(seq 1 100); do
    (
        host=server${i}.mynetwork
        echo "* Updating $host"
        # redirect order matters: ">> log 2>&1" sends both stdout and stderr to the log
        ssh -C root@${host} "yum -y update" >> ${host}.update.log 2>&1
        echo "* Updating $host ..DONE"
    ) &
done
wait   # wait for all forked subshells
Output and errors are stored in an individual log file per host.

MULTIPLE HOST COMMANDS IN PARALLEL
FORKING SUBSHELLS IN LOOP FROM A FILE
while read host; do
    (
        echo "* Updating $host"
        ssh -C root@${host} "yum -y update" >> ${host}.update.log 2>&1
        echo "* Updating $host ..DONE"
    ) &
done < "${1:-/proc/${$}/fd/0}"
wait   # wait for all forked subshells
Servers are read from a file or from stdin, one server name per line.
Output and errors are stored in an individual log file per host.
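The parallel loops above fork one ssh per host with no limit and lose stderr when the redirects are in the wrong order. As an added example (not from the deck), here is the same idea in Python with a bounded worker pool, a per-host log that captures both streams, a timeout, and a dictionary of exit codes so failures can be listed at the end. The host list, the demo() dry run and its fake ssh command (echo in place of ssh, so it runs offline) are constructed here.

```python
import subprocess
import tempfile
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

def run_on_host(host, remote_cmd, log_dir, ssh_prefix=("ssh", "-C"), timeout=600):
    """Run remote_cmd as root@host; stdout AND stderr go to <log_dir>/<host>.update.log.
    Returns (host, exit_code); exit_code is None when the command timed out."""
    log = Path(log_dir) / (host + ".update.log")
    argv = [*ssh_prefix, "root@" + host, remote_cmd]
    with open(log, "ab") as fh:            # append mode: child and parent writes stay in order
        fh.write(f"* Updating {host}\n".encode())
        fh.flush()
        try:
            # stderr is merged into the same file, the equivalent of ">> log 2>&1"
            rc = subprocess.run(argv, stdin=subprocess.DEVNULL, stdout=fh,
                                stderr=subprocess.STDOUT, timeout=timeout).returncode
        except subprocess.TimeoutExpired:
            rc = None
        status = "DONE" if rc == 0 else "FAILED"
        fh.write(f"* Updating {host} ..{status}\n".encode())
    return host, rc

def run_on_hosts(hosts, remote_cmd, log_dir, workers=10, **kw):
    """Fan out over hosts with at most `workers` ssh sessions at a time.
    Returns {host: exit_code} so the caller can report the failures."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [pool.submit(run_on_host, h, remote_cmd, log_dir, **kw) for h in hosts]
        return dict(f.result() for f in futures)

def read_hosts(text):
    """One host per line, as in the 'from a file' slide; blank lines and # comments ignored."""
    lines = (l.strip() for l in text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def demo(ssh_prefix=("echo",)):
    """Offline dry run on a constructed host list with `echo` standing in for ssh.
    Returns (results, text of server2's log) for inspection."""
    hosts_file = "# lab servers (constructed)\nserver1.mynetwork\nserver2.mynetwork\n\nserver3.mynetwork\n"
    with tempfile.TemporaryDirectory() as d:
        results = run_on_hosts(read_hosts(hosts_file), "yum -y update", d, ssh_prefix=ssh_prefix)
        return results, Path(d, "server2.mynetwork.update.log").read_text()
```

The failed hosts are simply `[h for h, rc in results.items() if rc != 0]`, which the shell version can only get by grepping 100 log files.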
PORT FORWARDING
OPEN A LOCAL PORT AND REDIRECT IT THROUGH SSH
ssh -L 2000:localhost:80 user@host1
Open local port 2000 and redirect its I/O to port 80 on host1.
ssh -L 8080:host2:80 user@host1
Open local port 8080 and redirect its I/O to port 80 on host2, using the SSH connection to host1 to reach host2.

REVERSE PORT FORWARDING
OPEN A REMOTE PORT ON THE SERVER AND REDIRECT IT THROUGH SSH TO THE CLIENT
ssh -R 2000:localhost:80 user@host1
Open port 2000 on host1 and redirect I/O on this port to local port 80 (on the ssh client host).
ssh -R 8080:host2:80 user@host1
Open remote port 8080 on host1 and redirect its I/O to port 80 on host2, reached from the ssh client host, using the SSH connection to host1 to expose host2.
USEFUL SCRIPTS
ssh-copy-id, included in openssh-clients in all distributions
ssh-installkeys, ssh key installer
Fusefs, filesystem over SSH
MUSSH, multihost SSH
perl-Net-SSH-Expect, automate connection without ssh keys
scanssh, scan hosts with SSH
sshpass, password cracker for SSH

PROJECTS FOR MASSIVE REMOTE EXECUTION
Ansible in Python
Chef in Ruby
Rex in Perl
Rundeck in Java
Envoy in PHP
Shunt in PHP
SSHKit
DO It in Ruby

PROJECTS FOR SSH MANAGEMENT
GateOne, web SSH client
Storm in Python, manage your SSH identities
SSHRC, transport your config everywhere
git deliver, deliver files from git and SSH
SShuttle, the poor man's VPN solution
STELLAR LINKS
Code samples in Bash and Perl: http://www.jmrenouard.fr
Follow me on Twitter
THE END
BY JEAN-MARIE RENOUARD / JMRENOUARD.FR