SSH Cookbook v2

A SSH tools suite presentation

Enhanced version

Created by Jean-Marie Renouard / @jmrenouard
http://www.jmrenouard.fr/

What's SSH ?

SSH is a secure TCP communication protocol.
SSH v2 is base standard in all distributions.
SSH allows you to connect securely to server.
SSH avoid attack such man in the middle.

SSH basic usage

Connect to server REF01.mynetwork as osuser

$ ssh [email protected]

What's next ?

Password is asked.

[email protected]'s password :

Password is checked based on system.
Input password is crypted.
Result is compared with /etc/shadow information.

Comparaison failed : command fails, simple !

And when it is OK ...

Comparaison successed
SSH asks system for a new shell session.
Shell session is based on /etc/passwd info.
7th and last field of /etc/passwd is shell path.
Default Welcome Message

Last login: Thu Mar 20 23:26:46 2014 from 192.168.X.X

Then, You've got a shell ( Bash for instance )
A shell as a local shell remotely / securely !

Shell is great

Ctrl-d : Kill the connection immediately.
Ctrl-l : Clean your screen
Ctrl-r : Search in bash history on the server
Readline powered
.bash_history : command history
.bash_profile and .bashrc for personal shell customisation (alias, functions, ...)

Boring aspect of SSH

One connection means one password check.

Password typing
No human error probe

Ctrl-d, exit, kill -9 0, killall bash, ...
Kill/terminate Shell session means :

All processes launched from Shell session are also killed.
You JUST have to REconnect and REtype your password.
REtype your command even if it's long time taking.

Avoiding password typing

Thanks God, it is possible to connect without passord typing.
It is as secure as password typing.
Maybe more secure:

No password Excel File on network
No Agile Access info Post-it on ScrumBoard :)

SSH Key Generation

2 files MUST be generated

Red key : .ssh/id_rsa is your Private SSH key

Keep it secret

Blue key: .ssh/id_rsa.pub is your Public SSH key.

SSH Key Generation Command

Key Generation Command:

ssh-keygen -t rsa

Hey, it is asking me a F*** password !!!
Leave it empty :)

SSH Key deployment

Public Key Deployment Command:

ssh-copy-id -i .ssh/id_rsa.pub [email protected]

It is asking a password for a last time ....

And all is ok ?

On the server, .ssh/authorized_keys contains the content of your public key.
Try to connect one again.

ssh [email protected]

NO MORE PASSWORD ....
Magic Simple, Easy and secure ....

Is it all ?

How to automate this process ?

Library Expect :
- library interacting with shell programmaticaly.
- You can script an interactive scenario.
- And you can execute it automatically.

Better than a shell

You can also remotely execute a command.

Shutdown the server

ssh [email protected] shutdown -h now

Execute a remote python script

ssh [email protected] \
  "python remoteScript.py"

Know load average on REF01 server

ssh [email protected] uptime

Perl Expect

#!/usr/bin/perl
use strict;
use Expect;

my $timeout=1;
my $command="ssh ".$ARGV[0]." ".$ARGV[2];
my $exp = Expect->spawn($command) or die "Cannot spawn $command: $!\n";
$exp->raw_pty(1);
LOGIN:
$exp->expect($timeout,
        [ 'ogin: $' => sub {
                     $exp->send("luser\n");
                     exp_continue; }
        ],
    [ 'yes\/no\)\?\s*$' => sub {
              $exp->send("yes\n");
              goto LOGIN;
              }
    ],
        [ 'assword:\s*$' => sub {
                      $exp->send($ARGV[1]."\n");
                      exp_continue; }
        ],
        '-re', qr'[#>:] $'
);
$exp->soft_close();

Remote execute a local script

Python, bash, php, ryby, java, all interpreters

Interpreter must be present on the remote server

Simple Python Script: hello.py

#!/usr/bin/python
print "Hello World !"

Remote execute script:ssh-exec

#!/bin/sh
INTERPRETER=$(head -n 1 $2 | sed -e 's/#!//')
cat $2 | grep -v "#" | ssh -t $1 $INTERPRETER

Usage

ssh-exec [email protected] hello.py

File transfert over SSH

Using the input/output redirection.

cat myLocalFile | \
 ssh [email protected] \
 "cat > myRemoteFile"

Compressing on fly.

cat myLocalFile | \
 gzip | \
 ssh [email protected] \
 "gzip > myRemoteFile"

Compression by SSH himself.

cat myLocalFile |\
  ssh -C [email protected] \
  "cat > myRemoteFile"

Directories over SSH

Commands using input/output for directory
tar UNIX archiver command works with stdin and stdout

tar -czf – myDir | \ 
 ssh -C [email protected] \ 
 "mkdir myDir;cd myDir ;tar -xzf -"

Better solution

A kind of cp based on SSHv2 protocol

scp -rp mydir [email protected]:myDir

Best solution
- Incremental copy

rsync -avz myDir [email protected]:myDir

Multiple host commands

Simple Shell loop on 3 servers

for host in server1 server2 server3; do
 		echo "* Updating $host"
 		ssh -C root@${host}.mynetwork "yum -y update"
done

Simple Shell loop on server1 to server100

for i in `seq 1 100`; do
 		host=server${i}.mynetwork
 		echo "*Updating $host"
 		ssh -C root@${host} "yum -y update"
done

Multiple host commands in parallel

Forking Subshells in loop on server1 to server100

for i in `seq 1 100`; do
 		(
 		host=server${i}.mynetwork
 		echo "*Updating $host"
 		ssh -C root@${host} "yum -y update" 2>&1 >> ${host}.update.log
 		echo "* Updating $host ..DONE"
 		)&
done

Output and Errors are stored in individual log file per host

Multiple host commands in parallel

Forking Subshells in loop from a file

while read host; do
	(
	echo "*Updating $host"
	ssh -C root@${host} "yum -y update" 2>&1 >> ${host}.update.log
	echo "* Updating $host ..DONE"
	)&
done < "${1:-/proc/${$}/fd/0}"

Server are reading from a file or from stdin
A file with one server name by line
Output and Errors are stored in individual log file per host

Port Forwarding

Open a local port and redirect it throught SSH

ssh -L2000:localhost:80 user@host1

Open a local port 2000 and redirect I/O to server port 80 on host1

ssh -L8080:host2:80 user@host1

Open a local port 8080 and redirect I/O to server port 80 on host2
Using SSH to host1 to access host2 server

Reverse Port Forwarding

Open a remote port on server and redirect it throught SSH to client

ssh -R 2000:localhost:80 user@host1

Open a port 2000 on host1
Redirect I/O ond this port to local port80

ssh -R 8080:host2:80 user@host1

Open a remote port 8080 on host1
Redirect I/O to server host2 on port 80 from ssh client host
Using SSH to host1 to access host2 server

Useful scripts

ssh-installkeys, ssh key installer
ssh-copy-id, included in openssh-clients in all distributions
Fusefs, Filesystem over SSH

MUSSH, Multihost SSH

perl-Net-SSH-Expect, automate connection without ssh keys
scanssh, scan hosts with SSH
sshpass, password cracker for SSH

Projects for massive remote execution

DO It in Ruby

Projects for SSH management

GateOne, Web SSH client

Storm in Python, manage your SSH identities

SSHRC, transport your config everywhere

git deliver, deliver files from git and SSH

SShuttle, the poor's man VPN Solution

SSH Cookbook v2

A SSH tools suite presentation

Enhanced version

What's SSH ?

SSH basic usage

What's next ?

And when it is OK ...

Shell is great

Boring aspect of SSH

One connection means one password check.

Avoiding password typing

SSH Key Generation

2 files MUST be generated

SSH Key Generation Command

SSH Key deployment

And all is ok ?

Is it all ?

Better than a shell

You can also remotely execute a command.

Perl Expect

Remote execute a local script

Python, bash, php, ryby, java, all interpreters

File transfert over SSH

Directories over SSH

Multiple host commands

Simple Shell loop on 3 servers

Simple Shell loop on server1 to server100

Multiple host commands in parallel

Forking Subshells in loop on server1 to server100

Multiple host commands in parallel

Forking Subshells in loop from a file

Port Forwarding

Open a local port and redirect it throught SSH

Reverse Port Forwarding

Open a remote port on server and redirect it throught SSH to client

Useful scripts

Projects for massive remote execution

Projects for SSH management

Stellar Links

THE END

BY Jean-Marie Renouard / jmrenouard.fr