executing a command over many machines

Post by Dan Lipofs » Fri, 24 Jan 1997 04:00:00



I would like to come up with a way to run the same command
over a set of machines.  This way I can make the same change
to many machines without having to log into each one (we
have about 20 now, and will soon have many more).  Generally,
I am wanting to change setup files in the root partition.

The logical thing would be to write a script which uses "rsh".
However, permissions are not set up right to do this yet.
Since many of these operations would require root privileges,
I would have to change root's .rhost files to let in root from
any machine.  This sounds like too high a security risk to me.

Any ideas, suggestions, or comments on this would be appreciated.
Thanks,
Dan

 
 
 

Post by Quentin Fennes » Fri, 24 Jan 1997 04:00:00


Dan, you might consider using 'ssh' to do this.  Check out:

        ftp://ftp.cs.hut.fi/pub/ssh

Ssh (Secure shell) replaces and improves on rsh in many ways.
If you consider security important and still want to do remote
administration ssh is your tool.

--
Quentin Fennessy                        AMD, Austin Texas

 
 
 

Post by Dave Carriga » Sat, 25 Jan 1997 04:00:00



> I would like to come up with a way to run the same command
> over a set of machines.
 ...
> The logical thing would be to write a script which uses "rsh".
> ... This sounds like too high a security risk to me.

I think that rsh is still the best approach. If you're worried about
the security aspect, get ssh, which lets you do secure rsh. Another
alternative would be to automate this with expect, which would handle
logging into the target, waiting for the root prompt and executing the
command on all of the specified systems.

--

Unix Specialist, Network Team               | THROW OVER my promising ACTING
Interprovincial Pipe Line Inc.              | CAREER, grow a LONG BLACK BEARD
Edmonton, Alberta, Canada                   | and wear a BASEBALL HAT!! ...
                                            | Although I don't know WHY!!

 
 
 

Post by Andru Luvi » Tue, 28 Jan 1997 04:00:00


: I would like to come up with a way to run the same command
: over a set of machines.  This way I can make the same change
: to many machines without having to log into each one (we
: have about 20 now, and will soon have many more).  Generally,
: I am wanting to change setup files in the root partition.

: The logical thing would be to write a script which uses "rsh".
: However, permissions are not set up right to do this yet.
: Since many of these operations would require root privileges,
: I would have to change root's .rhost files to let in root from
: any machine.  This sounds like too high a security risk to me.

: Any ideas, suggestions, or comments on this would be appreciated.
: Thanks,
: Dan

you're already familiar with rsh, and others have mentioned ssh and
expect... so I'll just mention rexec, which allows you to execute
a command remotely if you know the username and password.  depending
on which system you're using, you may have to install a client and/or
server yourself.  it would, of course, require having your root passwd
in plaintext *somewhere*, if only in memory.

best of luck,
andru

 
 
 

Post by Shawn Eugene Patrick Bro » Tue, 28 Jan 1997 04:00:00




>I would like to come up with a way to run the same command
>over a set of machines.  This way I can make the same change
>to many machines without having to log into each one (we
>have about 20 now, and will soon have many more).  Generally,
>I am wanting to change setup files in the root partition.

>The logical thing would be to write a script which uses "rsh".
>However, permissions are not set up right to do this yet.
>Since many of these operations would require root privileges,
>I would have to change root's .rhost files to let in root from
>any machine.  This sounds like too high a security risk to me.

No you don't.  Just change /.rhosts on each machine to allow root
logins from one machine, whatever your primary admin node is.
This method has been used at every place I have worked.  

If you simply need to replace files on the clients, I'd use
rdist.  That requires /.rhosts to be set up as above.

Don't use expect scripts to pass your root passwd to the clients.
You should never have your root passwd on the system in cleartext,
regardless of the permissions of the file it is in.

If you are really paranoid, you can use ssh.  There are patches to
the usc rdist that allow it to utilize the ssh authentication methods.

Shawn

--

"This job would be great if it weren't for the [l]users."
GCM/CS d-(+) s:- a- C+++$ UBLS++++$ P++++$ L++++ E++ W-- N+++ o-- K w--- O-
M-- V- PS+++ PE++ Y+ PGP++ t+ 5-- X+ R- tv+ b++ DI++ D G e h---- r+++ y++++

 
 
 

Post by Sherwood Botsfo » Wed, 29 Jan 1997 04:00:00


: I would like to come up with a way to run the same command
: over a set of machines.  This way I can make the same change
: to many machines without having to log into each one (we
: have about 20 now, and will soon have many more).  Generally,
: I am wanting to change setup files in the root partition.

: The logical thing would be to write a script which uses "rsh".
: However, permissions are not set up right to do this yet.
: Since many of these operations would require root privileges,
: I would have to change root's .rhost files to let in root from
: any machine.  This sounds like too high a security risk to me.

: Any ideas, suggestions, or comments on this would be appreciated.
: Thanks,
: Dan

Lots of other good advice in other posts.  However, somewhere between
the 20 and 100 machine point it starts getting to the point that you
can't be certain that all the machines are up, and connected, and
all happy when you want to make the change.  A better way in my opinion
is to have machines 'pull' their changes, rather than have the central
admin node 'push' them.  Work it like this:

On central administration node, you have a directory /share/admin
In it are directories ./mods, ./host1 ./hostname2 ./...
When you generate a modification it goes in ./mods, and a link is made
in each hostname directory.  On each client machine, the directory that
matches its name is mounted, so that root has rw access to that
directory only.  

Mods generally consist of a tar file, with a script and data files.
The script may be as simple as 'cp filename /etc'

A cron job periodically scans the directory, and if anything is there
copies it to a local disk, untars it and executes the script. If
successful, it deletes the original mod file  and puts a file named
mod.log in its place. (Where mod is the base name of the tar file.)

Now the advantage of this is that when a machine is down, its mods
still accumulate in its directory. (We had an SGI that was down for 6
weeks waiting for parts.) On boot up, it will bring itself up to date
the next time the cron job runs.

In addition, if you customize your machines this way, then when you
get a new box, all you have to do is create the appropriate links,
and set up the cron job, and it will configure itself to your standards.

Mod scripts are numbered sequentially so that they are read

--

Sherwood Botsford | "Go to father, she said, when I asked her to wed.
Physics Dept      | She knew that I knew that her father was dead.
U of Alberta      | She knew that I knew what a life he had led.
Edmonton, AB,     | She knew that I knew what she meant when she said,
T6G 2J1           | "Go to father."
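
[Added example, not part of the post above: a client-side cron job for the pull scheme it describes, in POSIX sh. The archive layout (a top-level script named "run"), the staging directory, the variable names and the archive path check are assumptions of this example; mods are applied in sorted name order and processing stops at the first failure.]

```shell
#!/bin/sh
# Added example: client-side cron job for the pull scheme described above.
# Assumptions (not from the post): each mod is NAME.tar holding a top-level
# script called "run" plus its data files; paths and variable names are made up.
MOD_DIR="${MOD_DIR:-/share/admin/$(uname -n)}"   # this host's mounted directory
WORK_DIR="${WORK_DIR:-/var/tmp/mods}"            # staging area on local disk

apply_mods() {
    applied=0
    # Glob expansion is sorted, so sequentially numbered mods run in order.
    for tarball in "$MOD_DIR"/*.tar; do
        [ -f "$tarball" ] || continue            # nothing pending
        mod=$(basename "$tarball" .tar)
        stage="$WORK_DIR/$mod"
        rm -rf "$stage" && mkdir -p "$stage" || return 1
        # Copy to local disk first, as the post describes.
        cp "$tarball" "$stage/$mod.tar" || return 1
        # Refuse archives whose members use absolute or ../ paths.
        if tar -tf "$stage/$mod.tar" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
            echo "$mod: unsafe path in archive, not applied" >&2
            return 1
        fi
        if (cd "$stage" && tar -xf "$mod.tar" && sh ./run) >"$stage/run.log" 2>&1
        then
            # Success: the mod file is replaced by NAME.log.
            cp "$stage/run.log" "$MOD_DIR/$mod.log" || return 1
            rm -f "$tarball" || return 1
            applied=$((applied + 1))
        else
            # Failure: keep the tar for the next run and stop, so later
            # mods are not applied on top of a half-finished one.
            echo "$mod: failed, see $stage/run.log" >&2
            return 1
        fi
    done
    echo "$applied"                              # number of mods applied
}

# Run from cron with the single argument --run.
if [ "${1:-}" = "--run" ]; then apply_mods >/dev/null; fi
```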

 
 
 

Post by frans bosm » Thu, 30 Jan 1997 04:00:00





> >I would like to come up with a way to run the same command
> >over a set of machines.  This way I can make the same change
> >to many machines without having to log into each one (we
> >have about 20 now, and will soon have many more).  Generally,
> >I am wanting to change setup files in the root partition.

> >The logical thing would be to write a script which uses "rsh".
> >However, permissions are not set up right to do this yet.
> >Since many of these operations would require root privileges,
> >I would have to change root's .rhost files to let in root from
> >any machine.  This sounds like too high a security risk to me.

> No you don't.  Just change /.rhosts on each machine to allow root
> logins from one machine, whatever your primary admin node is.
> This method has been used at every place I have worked.
[snip]
> If you are really paranoid, you can use ssh.  There are patches to
> the usc rdist that allow it to utilize the ssh authentication methods.

You should never use .rhost files allowing root access, even if it is
from one machine only. The result would be that root access is allowed
from any machine, all a hacker needs to do is *pretend* that he is
trying to login from your admin node, while in truth he could be
on any node.

If you're sensible (not paranoid ;-)) you use ssh. It may be a bit
harder to set up, but it is safe to use.
---------------------------------------------------------------------
Frans Bosma                     | Telephone: +31 50 5851267

DISCLAIMER: This statement is not an official statement from,
nor does it represent an official position of, PTT Telecom B.V.
---------------------------------------------------------------------
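
[Added example, not part of the thread: a POSIX sh check that lists the host-based trust entries discussed above in files such as /.rhosts or /etc/hosts.equiv, so they can be reviewed or removed when moving to ssh. The function name and the output labels are assumptions of this example.]

```shell
#!/bin/sh
# Added example: list host-based trust entries in .rhosts / hosts.equiv files.
# Function name and output format are made up for this example.
# Usage: audit_rhosts FILE...   (e.g. /.rhosts /etc/hosts.equiv)
# Prints one line per trust entry; returns non-zero if any were found.
audit_rhosts() {
    findings=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # The "|| [ -n ... ]" also picks up a last line with no newline.
        while read -r host user rest || [ -n "$host" ]; do
            case "$host" in
                ''|'#'*|-*) continue ;;      # blank, comment, or deny entry
            esac
            if [ "$host" = "+" ] || [ "$user" = "+" ]; then
                level="WILDCARD"             # any host and/or any user is trusted
            elif [ "${host#+@}" != "$host" ]; then
                level="NETGROUP"             # trust extended to a whole netgroup
            else
                level="HOST"                 # one named host: trust rests on its address
            fi
            echo "$level $f: $host ${user:--}"
            findings=$((findings + 1))
        done < "$f"
    done
    [ "$findings" -eq 0 ]
}

# When run as a script with file arguments, audit those files.
if [ "$#" -gt 0 ]; then audit_rhosts "$@"; fi
```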