[mdlug] Remote SSH commands
Michael ORourke
mrorourke at earthlink.net
Mon Jan 17 23:19:15 EST 2011
There were some good suggestions on this topic, thanks for all the replies!
I think I found a decent solution leveraging my existing security framework.
Using our existing LDAP server, I added an unprivileged account, "lutil"
for example, which will be used to run remote commands as root. Since
lutil's home dir is auto-mounted across all the boxes, all I have to do is
create one key-pair and add the id_rsa.pub into the authorized_keys file.
Then I add commands/scripts to the sudoers OU that the "lutil" user can
execute. Now, from a centralized management server, I can sudo into the
lutil user account and fire off scripts on all the servers as root.
Example:
for RemoteHost in web01 web02 web03
do
/usr/bin/ssh -n $RemoteHost "/usr/bin/sudo /sbin/service httpd status"
done
Then all I have to do is manage the sudoers permissions from LDAP as needed.
So far my initial testing looks good.
-Mike
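The setup described above gives the "lutil" key an unrestricted shell on every box and relies on sudoers alone to limit what it can do. The "forced-commands-only" approach from the original question closes that gap on the SSH side as well. The following is an added example, not code from the post: a wrapper that sshd runs as the forced command for the lutil key, checks the requested command line against an exact allow-list, and only then executes it, together with the authorized_keys entry and the matching sudoers rule. The account name lutil, the wrapper path /usr/local/sbin/lutil-wrapper and the three allow-listed commands are assumptions chosen to match the httpd example in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Forced-command wrapper for the
# unprivileged "lutil" account. Names (lutil, /usr/local/sbin/lutil-wrapper,
# the allow-list contents) are assumptions for illustration.

# Exact command lines the central management server may request, one per
# line. A request is accepted only if it equals an entry as a whole string,
# so "/usr/bin/sudo /sbin/service httpd status; /bin/sh" is rejected.
ALLOWED_CMDS='
/usr/bin/sudo /sbin/service httpd status
/usr/bin/sudo /sbin/service httpd restart
/usr/bin/sudo /usr/bin/yum check-update
'
nl='
'

# lutil_check REQUEST: return 0 if REQUEST is allow-listed, 1 otherwise.
lutil_check() {
    req=$1
    # Belt and braces: reject empty requests and anything carrying shell
    # metacharacters or newlines before even consulting the allow-list.
    case "$req" in
        ''|*"$nl"*|*[';&|<>`$()']*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=$nl
    for allowed in $ALLOWED_CMDS; do
        if [ "$allowed" = "$req" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# lutil_authorized_keys_line PUBKEY: print the authorized_keys entry that
# pins the lutil key to the wrapper and switches off pty allocation and all
# forwarding, so the key cannot be used for anything but the allow-list.
lutil_authorized_keys_line() {
    printf 'command="/usr/local/sbin/lutil-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1"
}

# lutil_sudoers_rule: the sudoers rule (sudoRole in LDAP or a sudoers.d file)
# that lets lutil run exactly the commands the wrapper will pass through.
lutil_sudoers_rule() {
    printf 'lutil ALL=(root) NOPASSWD: /sbin/service httpd status, /sbin/service httpd restart, /usr/bin/yum check-update\n'
}

# Entry point when sshd runs this file as the forced command: the command
# the client asked for arrives in SSH_ORIGINAL_COMMAND, not in "$@".
lutil_wrapper_main() {
    req=${SSH_ORIGINAL_COMMAND-}
    if lutil_check "$req"; then
        logger -t lutil-wrapper "allowed: $req"
        # Word-splitting is safe here: the string equals an allow-list entry
        # exactly, and those entries contain no metacharacters.
        set -- $req
        exec "$@"
    fi
    logger -t lutil-wrapper "rejected: ${req:-(none)}"
    echo "lutil-wrapper: command not permitted" >&2
    exit 1
}

# Dispatch only when executed by sshd as /usr/local/sbin/lutil-wrapper.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ] && [ "${0##*/}" = "lutil-wrapper" ]; then
    lutil_wrapper_main
fi
```

With this in place the loop from the post works unchanged, because the client still sends "/usr/bin/sudo /sbin/service httpd status" and the wrapper passes it through, but a stolen lutil key buys an attacker only the three listed commands, and sshd's `ForceCommand`/`command=` restriction and the sudoers rule have to be loosened together before anything else runs.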
----- Original Message -----
From: "Mark Stanislav" <mark.stanislav at gmail.com>
To: "MDLUG's Main discussion list" <mdlug at mdlug.org>
Sent: Wednesday, January 12, 2011 9:08 AM
Subject: Re: [mdlug] Remote SSH commands
> If you (or anyone else) is looking for a more elegant way to administrate
> systems through a structured framework with a publisher/subscriber model,
> take a look at Marionette-Collective (mCollective)
> http://www.puppetlabs.com/mcollective/introduction/
>
> -Mark
>
> On Jan 12, 2011, at 9:02 AM, Ingles, Raymond wrote:
>
>> For running a fixed set of commands, you might consider the program I
>> wrote, "Ostiary". It is designed to securely run only a specific set of
>> commands, and can be configured to run them as any particular user. (On
>> my machines, one of those commands is 'enable ssh login', of course.)
>>
>> The gory details here: http://ingles.homeunix.net/software/ost/
>>
>> Sincerely,
>>
>> Ray Ingles (313) 227-2317
>>
>> "Lately I've been getting the impression that overzealous censorship
>> [...] is an adult manifestation of fear of cooties." - anonymous
>>
>> The contents of this e-mail are intended for the named addressee only. It
>> contains information that may be confidential. Unless you are the named
>> addressee or an authorized designee, you may not copy or use it, or
>> disclose it to anyone else. If you received it in error please notify us
>> immediately and then destroy it.
>>
>>> From: mdlug-bounces at mdlug.org [mailto:mdlug-bounces at mdlug.org] On
>> Behalf Of
>>> Michael ORourke
>>> Sent: Tuesday, January 11, 2011 11:53 PM
>>> To: MDLUG's main mailing list
>>> Subject: [mdlug] Remote SSH commands
>>>
>>> Lug Nuts,
>>>
>>> Anyone out there using the "forced-commands-only" option under OpenSSH?
>>>
>>> From what I have read, it sounds like it's a pain to administer because it
>>> is based on key-pairs. I'm just curious if other admins are using that
>>> option and restricting remote root logins. It's extremely handy to run
>>> commands from a central server as root, but breaks if you set
>>> "PermitRootLogin no" in the sshd_config.
>>>
>>> -Mike
>>>
>>>
>>> _______________________________________________
>>> mdlug mailing list
>>> mdlug at mdlug.org
>>> http://mdlug.org/mailman/listinfo/mdlug
>>
>>
>