Ssh cookbook

A simple presentation of basic SSH usage possibilities, with fully functional samples.


  1. 1. SSH COOKBOOK V2 A SSH TOOLS SUITE PRESENTATION ENHANCED VERSION Created by Jean-Marie Renouard / @jmrenouard
  2. 2. WHAT'S SSH? SSH is a secure TCP communication protocol. SSH v2 is the base standard in all distributions. SSH allows you to connect securely to a server. SSH protects against attacks such as man in the middle.
  3. 3. SSH BASIC USAGE Connect to server REF01.mynetwork as osuser $ ssh osuser@REF01.mynetwork
  4. 4. WHAT'S NEXT? The password is asked for: osuser@REF01.mynetwork's password: The password is checked by the system. The input password is hashed. The result is compared with the /etc/shadow information. Comparison failed: the command fails. Simple!
  5. 5. AND WHEN IT IS OK ... Comparison succeeded: SSH asks the system for a new shell session. The shell session is based on /etc/passwd info. The 7th and last field of /etc/passwd is the shell path. Default welcome message: Last login: Thu Mar 20 23:26:46 2014 from 192.168.X.X Then you've got a shell (Bash, for instance). A shell like a local shell, but remote and secure!
  6. 6. SHELL IS GREAT Ctrl-d: kill the connection immediately. Ctrl-l: clear your screen. Ctrl-r: search the bash history on the server. Readline powered. .bash_history: command history. .bash_profile and .bashrc: personal shell customisation (aliases, functions, ...).
  7. 7. BORING ASPECT OF SSH ONE CONNECTION MEANS ONE PASSWORD CHECK. Password typing. Not human-error proof: Ctrl-d, exit, kill -9 0, killall bash, ... Killing or terminating the shell session means that all processes launched from that shell session are also killed. You JUST have to REconnect and REtype your password. REtype your command, even if it takes a long time.
  8. 8. AVOIDING PASSWORD TYPING Thank God, it is possible to connect without typing a password. It is as secure as password typing. Maybe more secure: no password Excel file on the network, no access info on a Post-it on the Agile Scrum board :)
  9. 9. SSH KEY GENERATION 2 FILES MUST BE GENERATED 1. Red key: .ssh/id_rsa is your private SSH key. Keep it secret. 2. Blue key: .ssh/ is your public SSH key.
  10. 10. SSH KEY GENERATION COMMAND Key generation command: ssh-keygen -t rsa Hey, it is asking me for a F*** password!!! Leave it empty :)
  11. 11. SSH KEY DEPLOYMENT Public key deployment command: ssh-copy-id -i .ssh/ osuser@REF01.mynetwork It asks for a password one last time ...
  12. 12. AND ALL IS OK? On the server, .ssh/authorized_keys contains the content of your public key. Try to connect once again: ssh osuser@REF01.mynetwork NO MORE PASSWORD ... Magic! Simple, easy and secure ...
  13. 13. IS IT ALL? How to automate this process? The Expect library: a library that interacts with a shell programmatically. You can script an interactive scenario, and you can execute it automatically.
  14. 14. BETTER THAN A SHELL: YOU CAN ALSO REMOTELY EXECUTE A COMMAND.
      Shut down the server:
          ssh root@REF01.mynetwork shutdown -h now
      Execute a remote python script:
          ssh osuser@REF01.mynetwork "python"
      Get the load average of the REF01 server:
          ssh osuser@REF01.mynetwork uptime
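  15. 15. PERL EXPECT
          #!/usr/bin/perl
          # Arguments: $ARGV[0] = user@host, $ARGV[1] = password, $ARGV[2] = remote command.
          # The password is given on the command line, so it is visible in the process list.
          use strict;
          use Expect;

          my $timeout = 1;
          my $command = "ssh " . $ARGV[0] . " " . $ARGV[2];
          my $exp = Expect->spawn($command) or die "Cannot spawn $command: $!\n";
          $exp->raw_pty(1);
          LOGIN:
          $exp->expect($timeout,
              [ 'ogin: $'        => sub { $exp->send("luser\n"); exp_continue; } ],
              # Answering "yes" accepts an unknown host key without checking it.
              [ 'yes/no\)\?\s*$' => sub { $exp->send("yes\n"); goto LOGIN; } ],
              [ 'assword:\s*$'   => sub { $exp->send($ARGV[1] . "\n"); exp_continue; } ],
              '-re', qr'[#>:] $'    # stop once a shell prompt is seen
          );
          $exp->soft_close();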
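  16. 16. REMOTE EXECUTE A LOCAL SCRIPT
      PYTHON, BASH, PHP, RUBY, JAVA, ALL INTERPRETERS
      The interpreter must be present on the remote server.
      Simple Python script:
          #!/usr/bin/python
          print "Hello World !"
      Remote execute script: ssh-exec
          #!/bin/sh
          # $1 = user@host, $2 = local script file
          # The interpreter path is taken from the script's shebang line.
          INTERPRETER=$(head -n 1 "$2" | sed -e 's/#!//')
          # Every line containing "#" (shebang included) is dropped before sending.
          grep -v "#" "$2" | ssh -t "$1" "$INTERPRETER"
      Usage:
          ssh-exec osuser@REF01.mynetwork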
  17. 17. FILE TRANSFER OVER SSH
      Using input/output redirection:
          cat myLocalFile | ssh osuser@REF01.mynetwork "cat > myRemoteFile"
      Compressing on the fly:
          cat myLocalFile | gzip | ssh osuser@REF01.mynetwork "gunzip > myRemoteFile"
      Compression by SSH itself:
          cat myLocalFile | ssh -C osuser@REF01.mynetwork "cat > myRemoteFile"
  18. 18. DIRECTORIES OVER SSH
      Commands using input/output for directories: the UNIX archiver command tar works with stdin and stdout.
          tar -czf - myDir | ssh -C osuser@ref01.mynetwork "mkdir myDir;cd myDir ;tar -xzf -"
      Better solution: a kind of cp based on the SSHv2 protocol.
          scp -rp myDir osuser@ref01.mynetwork:myDir
      Best solution: incremental copy.
          rsync -avz myDir osuser@ref01.mynetwork:myDir
  19. 19. MULTIPLE HOST COMMANDS
      SIMPLE SHELL LOOP ON 3 SERVERS
          for host in server1 server2 server3; do
              echo "* Updating $host"
              ssh -C root@${host}.mynetwork "yum -y update"
          done
      SIMPLE SHELL LOOP ON SERVER1 TO SERVER100
          for i in `seq 1 100`; do
              host=server${i}.mynetwork
              echo "*Updating $host"
              ssh -C root@${host} "yum -y update"
          done
  20. 20. MULTIPLE HOST COMMANDS IN PARALLEL
      FORKING SUBSHELLS IN LOOP ON SERVER1 TO SERVER100
          for i in `seq 1 100`; do
              (
                  host=server${i}.mynetwork
                  echo "*Updating $host"
                  # stdout goes to the log first, then stderr is pointed at the same place
                  ssh -C root@${host} "yum -y update" >> ${host}.update.log 2>&1
                  echo "* Updating $host ..DONE"
              )&
          done
      Output and errors are stored in an individual log file per host.
  21. 21. MULTIPLE HOST COMMANDS IN PARALLEL
      FORKING SUBSHELLS IN LOOP FROM A FILE
          while read host; do
              (
                  echo "*Updating $host"
                  # stdout goes to the log first, then stderr is pointed at the same place
                  ssh -C root@${host} "yum -y update" >> ${host}.update.log 2>&1
                  echo "* Updating $host ..DONE"
              )&
          done < "${1:-/proc/${$}/fd/0}"
      Servers are read from a file or from stdin: a file with one server name per line.
      Output and errors are stored in an individual log file per host.
  22. 22. PORT FORWARDING
      OPEN A LOCAL PORT AND REDIRECT IT THROUGH SSH
          ssh -L2000:localhost:80 user@host1
      Opens local port 2000 and redirects I/O to server port 80 on host1.
          ssh -L8080:host2:80 user@host1
      Opens local port 8080 and redirects I/O to server port 80 on host2.
      Using SSH to host1 to access the host2 server.
  23. 23. REVERSE PORT FORWARDING
      OPEN A REMOTE PORT ON SERVER AND REDIRECT IT THROUGH SSH TO CLIENT
          ssh -R 2000:localhost:80 user@host1
      Opens port 2000 on host1 and redirects I/O on this port to local port 80.
          ssh -R 8080:host2:80 user@host1
      Opens remote port 8080 on host1 and redirects I/O to server host2 on port 80 from the ssh client host.
      Using SSH to host1 to access the host2 server.
  24. 24. USEFUL SCRIPTS ssh-installkeys, ssh key installer; ssh-copy-id, included in openssh-clients in all distributions; Fusefs, filesystem over SSH; MUSSH, multihost SSH; perl-Net-SSH-Expect, automate connection without ssh keys; scanssh, scan hosts with SSH; sshpass, password cracker for SSH
  25. 25. PROJECTS FOR MASSIVE REMOTE EXECUTION Ansible in Python; Chef in Ruby; Rex in Perl; Rundeck in Java; Envoy in PHP; Shunt in PHP; SSHKit DO It in Ruby
  26. 26. PROJECTS FOR SSH MANAGEMENT GateOne, web SSH client; Storm in Python, manage your SSH identities; SSHRC, transport your config everywhere; git deliver, deliver files from git and SSH; SShuttle, the poor man's VPN solution
  27. 27. STELLAR LINKS Code samples in Bash and Perl Follow me on Twitter
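
For slides 11 and 12, an added example (not code from the presentation): a shell function that produces the server-side state those slides describe, with the public key present exactly once in .ssh/authorized_keys and owner-only permissions. The names install_pubkey and mode_of and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the slides. Names and the key below are constructed.
# install_pubkey HOME_DIR "PUBLIC KEY LINE"
install_pubkey() {
    home_dir=$1; pubkey=$2
    ssh_dir="$home_dir/.ssh"; auth="$ssh_dir/authorized_keys"
    nl='
'
    # Accept exactly one "type base64 [comment]" line. This also refuses a
    # private key file pasted by mistake.
    case $pubkey in
        *"$nl"*) echo "refusing multi-line input" >&2; return 2 ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a public key line" >&2; return 2 ;;
    esac
    # With StrictModes (the sshd default) a key file or directory writable by
    # group or others is refused, so set owner-only modes explicitly.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Idempotent: append only when the exact line is not already present.
    grep -qxF -- "$pubkey" "$auth" || printf '%s\n' "$pubkey" >> "$auth"
}

# Mode string of a path as shown by ls, e.g. drwx------
mode_of() { ls -ld "$1" | cut -c1-10; }

# Constructed demo in a throwaway directory standing in for the user's home.
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedExampleKeyMaterial osuser@laptop'
install_pubkey "$demo_home" "$demo_key"
install_pubkey "$demo_home" "$demo_key"     # second run adds nothing
echo "$(mode_of "$demo_home/.ssh") $(mode_of "$demo_home/.ssh/authorized_keys")"
wc -l < "$demo_home/.ssh/authorized_keys"
```

With the empty passphrase of slide 10, the private key is protected only by the permissions of its file; a passphrase-protected key loaded into ssh-agent with ssh-add gives the same prompt-free login.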
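
For the parallel loops of slides 20 and 21, an added example (not code from the presentation) that goes one step further than the slides: it limits how many jobs run at once, waits for them, and reports which hosts failed. run_fleet, reap_batch, the RUNNER hook and the stand-in demo_runner are names assumed for illustration.

```shell
#!/bin/sh
# Default runner: the slides' command. -n keeps ssh off stdin (the host list);
# BatchMode makes a missing key fail at once instead of prompting.
run_on_host() {
    ssh -n -C -o BatchMode=yes "root@$1" "yum -y update"
}

# Wait for every job of the current batch and remember the hosts that failed.
reap_batch() {
    for entry in $pids; do
        wait "${entry%%=*}" || failed="${failed:+$failed }${entry#*=}"
    done
    pids=""; count=0
}

# run_fleet LOGDIR [BATCH] < host-list
# Prints the failed hosts and returns 1 if any job failed.
# RUNNER (assumed hook, defaults to run_on_host) names the function to run.
run_fleet() {
    logdir=$1; batch=${2:-10}; pids=""; failed=""; count=0
    mkdir -p "$logdir" || return 2
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in
            ''|\#*) continue ;;                 # blank line or comment
            *[!A-Za-z0-9._-]*)                  # host also names the log file
                echo "skipping invalid host: $host" >&2; continue ;;
        esac
        # Redirect stdout first, then point stderr at it, so both reach the log.
        "${RUNNER:-run_on_host}" "$host" >> "$logdir/$host.update.log" 2>&1 </dev/null &
        pids="$pids $!=$host"
        count=$((count + 1))
        if [ "$count" -ge "$batch" ]; then reap_batch; fi
    done
    reap_batch
    [ -z "$failed" ] || { echo "$failed"; return 1; }
}

# Constructed demo: a stand-in runner and host list, so this runs offline.
demo_runner() { echo "updating $1"; echo "warning from $1" >&2; [ "$1" != server2 ]; }
demo() {
    RUNNER=demo_runner
    printf 'server1\nserver2\nserver3\n' | run_fleet "$(mktemp -d)" 2
}
demo || echo "some hosts failed (listed above)"
```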