This is a discussion on "Help Needed on a server configuration script" within the Linux Administration forums, part of the Linux Forums category.

Hi All,

I am a newbie to shell scripting.

I would like to have a script
- which logs in remotely to a server(could be using telnet).
- It should not ask for a username/password to the user.
- It should execute the server configuration utilities on the remote server.

I have a RH Advanced Server,Advanced Workstation(2.1/3.0) and SuSE EL 3.0 Servers.

Please let me know how I can do that, or better still if you can give me a sample script, it will be great!!!

Thanks in Advance,
Jitesh

Jitesh K Patil, Systems Engineer, Wipro Technologies. <jitesh.kpatil@wipro.com> wrote:
> I would like to have a script
> - which logs in remotely to a server(could be using telnet).
> - It should not ask for a username/password to the user.

You really want to be using ssh with keys (and ssh-agent). BTW, are you needing root access?

> - It should execute the server configuration utilities on the remote
> server.

Huh? All of them, some of them? Specified by user or what?

If you're wanting to run the same command on various machines, then I suggest you look at dsh, or pconsole (which an associate has previously recommended, and is suitable for interactive processes).

--
Cameron Kerr
cameron.kerr@paradise.net.nz : http://nzgeeks.org/cameron/
Empowered by Perl!

Cameron Kerr <cameron.kerr@paradise.net.nz> wrote in message news:<40066675@news.orcon.net.nz>...
> Jitesh K Patil, Systems Engineer, Wipro Technologies. <jitesh.kpatil@wipro.com> wrote:
>
> > I would like to have a script
> > - which logs in remotely to a server(could be using telnet).
                                       ^^^^^^^^^^^^^^^^^^^
You could be crazy.

> > - It should not ask for a username/password to the user.
>
> You really want to be using ssh with keys (and ssh-agent). BTW, are you
> needing root access?
>
> > - It should execute the server configuration utilities on the remote
> > server.
>
> Huh? All of them, some of them? Specified by user or what?
>
> If you're wanting to run the same command on various machines, then I
> suggest you look at dsh, or pconsole (which an associate has previously
> recommended, and is suitable for interactive processes).

What you are looking to do is configure ssh with a set of ~/.ssh/authorized_keys2 to allow a no password secure login. And amazingly now that you are in a remote shell you can run whatever it is that you are calling configuration utilities.

Jitesh K Patil, Systems Engineer, Wipro Technologies. <jitesh.kpatil@wipro.com> shaped electrons to say:
> Hi All,
>
> I am a newbie to shell scripting.
>
> I would like to have a script
> - which logs in remotely to a server(could be using telnet).
> - It should not ask for a username/password to the user.
> - It should execute the server configuration utilities on the remote
> server.
>
> I have a RH Advanced Server,Advanced Workstation(2.1/3.0) and SuSE EL
> 3.0 Servers.

Sounds like a combination job for ssh using the authorized_keys for login services, and sudo with command grouping for the "configuration utilities" that you want to use.

This will be much more secure and flexible than trying to use telnet (which is rather insecure) and a login script.

Method:
1) Install/enable sshd
2) use ssh-keygen to generate dsa type keypairs and transfer the public keys to the server (place in ~/.ssh/authorized_keys for the user)
3) use ssh to login w/o passwords to the servers
4) set up a command group in /etc/sudoers (use visudo and read the sudoers man page for guidance)
5) have the user use sudo <command> to run the utility programs

Details and implementation left as an exercise for the OP.

--
Gregory G. "Wolfe" Woodbury   `-_-'   Owner/Admin: wolves.durham.nc.us
ggw at wolves.durham.nc.us      U     RHCT August 2003
"The Line Eater is a boojum snark."   Hug your wolf.
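
Steps 2 and 4 of the method above, as an added example that is not part of the original post: one helper installs a public key into authorized_keys idempotently, with modes that pass sshd's StrictModes check, and another prints a sudoers command group. The function names, the alias name CONFIG_UTILS and the two utility paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and names are hypothetical.

# install_pubkey PUBKEY_FILE HOME_DIR
# Appends the key to HOME_DIR/.ssh/authorized_keys unless already present,
# with modes that pass sshd's StrictModes check. Run as the target user.
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2/.ssh
    auth_file=$ssh_dir/authorized_keys

    # A public key is one line, "type base64 [comment]"; a private key
    # copied by mistake is multi-line and starts with "-----BEGIN".
    [ "$(wc -l < "$pubkey_file")" -le 1 ] || { echo "not a single key line" >&2; return 1; }
    key_line=$(cat "$pubkey_file")
    case $key_line in
        ssh-*\ ?*|ecdsa-*\ ?*) ;;
        *) echo "not a public key: $pubkey_file" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1
    # -x whole line, -F fixed string: re-running never duplicates the entry.
    grep -qxF -- "$key_line" "$auth_file" || printf '%s\n' "$key_line" >> "$auth_file"
}

# sudoers_group USER
# Prints a command group limiting USER to the listed utilities as root.
# Check the result with "visudo -cf FILE" before installing it.
sudoers_group() {
    case $1 in
        ''|*[!a-z0-9_-]*) echo "bad user name" >&2; return 1 ;;
    esac
    cat <<EOF
Cmnd_Alias CONFIG_UTILS = /usr/sbin/example-config-tool, /usr/sbin/example-net-tool
$1 ALL = (root) CONFIG_UTILS
EOF
}
```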

Thanks Cameron, Chris,

- I would need root access to run these utilities.
- Since I am totally new to this could U guys please just give some more details about the ssh, dsh shells and how I can use them? I am currently running the bash shell.

Thanks,
Jitesh

fersher@hotmail.com (Chris) wrote in message news:<1717582c.0401151307.5ec7f9cd@posting.google.com>...
> Cameron Kerr <cameron.kerr@paradise.net.nz> wrote in message news:<40066675@news.orcon.net.nz>...
> > Jitesh K Patil, Systems Engineer, Wipro Technologies. <jitesh.kpatil@wipro.com> wrote:
> >
> > > I would like to have a script
> > > - which logs in remotely to a server(could be using telnet).
>                                        ^^^^^^^^^^^^^^^^^^^
> You could be crazy.
>
> > > - It should not ask for a username/password to the user.
> >
> > You really want to be using ssh with keys (and ssh-agent). BTW, are you
> > needing root access?
> >
> > > - It should execute the server configuration utilities on the remote
> > > server.
> >
> > Huh? All of them, some of them? Specified by user or what?
> >
> > If you're wanting to run the same command on various machines, then I
> > suggest you look at dsh, or pconsole (which an associate has previously
> > recommended, and is suitable for interactive processes).
>
> What you are looking to do is configure ssh with a set of
> ~/.ssh/authorized_keys2 to allow a no password secure login. And
> amazingly
> now that you are in a remote shell you can run whatever it is that
> you are calling configuration utilities.

Jitesh K Patil, Systems Engineer, Wipro Technologies. <jitesh.kpatil@wipro.com> wrote:
> Thanks Cameron, Chris,
>
> - I would need root access to run these utilities.
> - Since I am totally new to this could U guys please just give some
> more details about the ssh, dsh shells and how I can use them? I am
> currently running the bash shell.

ssh is not a shell, it is a secure version of rsh (with extra features too that are really neat). dsh is not really a shell either, but a program that runs a command on multiple hosts.

For more information, you could have a look at the following lab which I wrote for my students some time ago.

http://www.telecom.otago.ac.nz/tele3...cure_Shell.pdf

That should give you plenty of info on using ssh (with its more advanced features).

For dsh, just read the man page. Here's an example though.

I have a lab full of machines which I need to log into periodically to resync them to a newer version of the machine image (using System Imager, which is very cool, btw). The command I need to run on each machine would be the following

    myupdateclient

(It's a script because it has some options in it and it's consistent this way)

Without dsh, I would need to do something like the following

    for host in rata pine birch  # There are actually 12 or so.
    do
        ssh "root@$host" myupdateclient
    done

This means that the root account on the workstations would need to have my public key in its ~root/.ssh/authorised_keys2 (I usually get the spelling wrong, check sshd(8)). You should put some restrictions on what that key can do, since you're dealing with the root account, but I don't generally bother (I don't do this on servers, just the workstations. You should make up your own mind)

Alternatively, you could log in as yourself and use sudo. This means you need to set up sudo and allow it to use the command myupdateclient

    ssh "$host" sudo myupdateclient

To do this in dsh however, just put the hosts (and, if required include the account name as well) into a file ~/.dsh/groups/rootclones. It would look like this.

    root@rata
    root@birch
    root@pine

Change dsh defaults so it uses ssh instead of rsh

    $ cat .dsh/dsh.conf
    #default configuration file for dsh.
    verbose = 0
    remoteshell = ssh
    showmachinenames = 1
    waitshell = 1
    #remoteshellopt=...
    # default config file end.

Now, make sure you can log into each host without being asked for interaction (such as a password, or saying yes to "Are you sure you want this key to your knownkeys"). You will need to have set up the ssh-agent (which may be running in the background of your session already)

    ssh root@pine    # logout when you've logged in.
    ssh root@birch
    ssh root@rata

Now you should be able to use dsh

    dsh -g rootclones -- myupdateclient

If I wanted them to run concurrently, I would use -c

    dsh -c -g rootclones -- myupdateclient

But in my case I don't, the load seems to bork the hub (thankfully, a replacement switch has arrived for me to install.)

Hope this gets you on your way to success.

--
Cameron Kerr
cameron.kerr@paradise.net.nz : http://nzgeeks.org/cameron/
Empowered by Perl!

G. Wolfe Woodbury wrote:
>
> Sounds like a combination job for ssh using the authorized_keys for
> login services, and sudo with command grouping for the "configuration
> utilities" that you want to use.
>

I'm about to do something very similar and I've got a few questions about this. We use authorized_keys2 for our standard ssh login but we require a pass phrase and root is not allowed to ssh in. The files I need to distribute across the machines are owned by root. What is the best solution to this?

Create a dedicated user that has write permissions of the specific files that need to be synced, add the user, generate a key and distribute across the synced machines?

Is using ssh-agent an option for this? (if the dedicated user requires a pass phrase) Wouldn't the pass phrase have to be stored in plain text somewhere? (totally negating the use of a pass phrase). I'm thinking that this command "may" be run interactively, so in that case the pass phrase could be stuffed in then. However, if it gets cron'd I dunno if this would be best.

Or should I not use a pass phrase and try to harden the dedicated user? What measures need to be taken? One thing I'm thinking is to somehow set up a chroot jail for the dedicated user so that it only has access to the directory with the config files that need updating. However, I've never done this before and have no idea how to do it (with a ssh session and all or sftp?, I don't think setting the HOME for the user to the config file directory would be good enough). Is this a good idea?

As if you couldn't tell, security is my main issue here ;)

Jeremy
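
One way to act on Cameron's advice to restrict what a root key can do, which also applies to the unattended, passphrase-less key Jeremy asks about, is an OpenSSH forced command; this is an added example, not code from any poster in the thread. The wrapper path, the --serve argument, COMMAND_DIR and the syncconfigs entry are assumptions; myupdateclient is the command named earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper.
#
# authorized_keys entry for the automation key, all on one line (the key
# material is a placeholder):
#   command="/usr/local/sbin/ssh-allow --serve",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...PLACEHOLDER sync@mgmt
#
# sshd then runs this wrapper whatever the client asked for, and passes the
# client's request in SSH_ORIGINAL_COMMAND.

# Exact command names this key may run; no arguments are accepted.
# syncconfigs is a hypothetical second entry.
ALLOWED_COMMANDS="myupdateclient syncconfigs"
# Assumed directory holding the allowed programs.
COMMAND_DIR=/usr/local/sbin

# check_command REQUEST: prints the approved name and returns 0, else returns 1.
check_command() {
    requested=$1
    case $requested in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;   # empty, spaces, ';', '/', '$', ...
    esac
    for allowed in $ALLOWED_COMMANDS; do
        if [ "$requested" = "$allowed" ]; then
            printf '%s\n' "$allowed"
            return 0
        fi
    done
    return 1
}

run_forced_command() {
    if cmd=$(check_command "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -t ssh-allow "allowed: $cmd" 2>/dev/null || true
        exec "$COMMAND_DIR/$cmd"
    fi
    # Log what was refused; repeated denials are worth alerting on.
    logger -t ssh-allow "denied: ${SSH_ORIGINAL_COMMAND:-<interactive>}" 2>/dev/null || true
    echo "ssh-allow: command not permitted" >&2
    return 1
}

# Only act when installed as the forced command (see the entry above).
case ${1:-} in
    --serve) run_forced_command ;;
esac
```

With this in place a stolen copy of the key can start only the listed programs, without a terminal or forwarding, so the key's passphrase is no longer the only control.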