SshBatch -- critique wanted

Post by sherw.. » Thu, 24 Dec 1998 04:00:00

I have written the following bit of fluff to make my life maintaining
a bunch of unix boxes easier.

Philosophy: In a mixed open environment, being sure of all your computers
is difficult.  However some degree of compromise is needed between
absolute security and getting the job done.

S[sh|cp]Batch is run from a machine that has no normal users, and runs
no services to external machines.

Ssh is configured on client machines with authorized_keys allowing
passwordless root logins from the trusted administrator machine.


The idea is that this can be used as either a mechanism to push files
across the net to a remote machine, much like rdist, but done manually;
Or to pull files from hosts to a central repository.


ScpBatch sgigroup HOST:/etc/passwd /sgiroot/etc/passwd.HOST

If sgigroup has the hosts foo, bar, and baz in it,
then the Batch script runs
scp foo:/etc/passwd /sgiroot/etc/
scp bar:/etc/passwd /sgiroot/etc/

At /sgiroot, a script could compare with,
and notify the admin of changes.  Many diagnostic/check programs can run
this way.

SshBatch works similarly with ssh for a group of machines.

        This is a mechanism that doesn't depend on the client.  No amount
        of snooping on the client box tells the snooper what tracks he has
        to cover.

        It's a good tool to help tame a bunch of independent machines, and
        get some common policies in place.

        It's incomplete.

        The entire network is only as secure as the administration box.

        Both the concept and the script are open. Point out where it's screwy.

        Please email as well as post.


#!/usr/bin/perl
#This script is designed to run with two links,
#SshBatch runs a command on a bunch of hosts.
#ScpBatch copies files to or from a bunch of hosts.

use strict;
use Socket;

#parse /etc/netgroup
#This block defines an array of hosts for each netgroup.
#Eg the entry in the netgroup linuxhost (foo,,) (bar,,) (rats,,)
#gives $netgroup{linuxhost} = [foo, bar, rats].

#open (NET, "/path/to/ypcat -k netgroup |");

my %netgroup;
open (NET, "/etc/netgroup") || die ("Can't open netgroup");
while (<NET>) {
        next if /^#/;                   #strip out comment lines
        next if /^\s*$/;                #strip out whitespace lines
        tr/(),/ /;                      # names are in (name,,)
        my @list    = split;
        my $varname = shift @list;      # netgroup name, then its members
        $netgroup{$varname} = [ @list ];  #that has the elements of that group.
} #end while NET
close (NET);

my ($command, $commandtemplate);

if ($0 =~ /.*\/SshBatch$/) {
        $command         = "ssh";
        $commandtemplate = pop @ARGV if @ARGV;          # last arg is the "command line"
}

if ($0 =~ /.*\/ScpBatch$/) {
        $command = "scp";
        if (@ARGV >= 2) {
                my $dest   = pop @ARGV;
                my $source = pop @ARGV;
                $commandtemplate = "$source $dest";
        }
}

if (!defined $command || !defined $commandtemplate || $#ARGV < 0) {
        print "USAGE: SshBatch  [ [host | netgroup] ...] \"command line\"\n";
        print "USAGE: ScpBatch [ [host | netgroup] ...] \"source\" \"destination\" \n";
        print "       Either source or destination must have the token \n";
        print "       HOST, which will be replaced from the hostlist.\n";
        exit (1);
}

open (LOG, ">>/var/adm/SshBatch.log") || die ("Can't open log");
my $date = `date`;
chomp $date;
my $hostcommandline = "@ARGV";

print (LOG "$date => [$command $commandtemplate ] $hostcommandline \n");

#Expand the remaining arguments: a netgroup name expands to its members,
#anything else is taken to be a host name.
my @hosts;
foreach my $arg (@ARGV) {
        if (defined $netgroup{$arg}) {
                push @hosts, @{ $netgroup{$arg} };
        } else {
                push @hosts, $arg;
        } #endif defined host
} #end foreach host

my $connect_time = 1;
my $protocol_id  = getprotobyname("tcp");
my $port         = 22;                                  #Ssh
$SIG{"ALRM"} = sub { close (SOCKET); };                 # abort a hung connect

my @failed;
foreach my $host (@hosts) {
        print "=============================================================\n";
        my $commandline = $commandtemplate;
        $commandline =~ s/HOST/$host/g;
        $commandline =~ s/DATE/$date/g;
        #In some cases we need to run host specific programs.
        my $iaddr = inet_aton($host);
        if (!defined $iaddr) {
                print "$host does not resolve.\n";
                print (LOG "$date => $command $host failed (no address) \n");
                push @failed, $host;
                next;
        }
        my $paddr = sockaddr_in($port, $iaddr);
        socket(SOCKET, PF_INET, SOCK_STREAM, $protocol_id) || die ("socket: $!");
        alarm $connect_time;
        my $connected = connect(SOCKET, $paddr);
        alarm 0;
        close (SOCKET);
        if ($connected) {
                # list-form system: the command line is one argument to ssh/scp
                # and is never re-parsed by a shell on the administration box.
                if ($command eq "ssh") {
                        print ("ssh $host $commandline \n");
                        system ("ssh", $host, $commandline);
                        print (LOG "$date => ssh $host status $? \n");
                }
                if ($command eq "scp") {
                        print ("scp $commandline \n");
                        system ("scp", split (' ', $commandline));
                        print (LOG "$date => scp $host status $? \n");
                }
                push @failed, $host if $?;
        } else {
                print "$host not accepting ssh connections.\n";
                print (LOG "$date => $command $host failed \n");
                push @failed, $host;
        }
} #end foreach.
close (LOG);

if ($#failed >= 0) { print "$commandtemplate failed for \n @failed\n"; }


Sorcerers Apprentice    | Office CAB 642B
System Administrator    | Tel: 403 492 5728
Trouble shooter         | Fax: 403 492 6826

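The mechanism the post describes (expand netgroup names and literal hosts, substitute the HOST and DATE tokens into the template, probe port 22 before each run, and report the hosts that failed) as an added Python example. This is not the poster's script and not any project's code; every function name in it is a hypothetical helper, and `SAMPLE_NETGROUP` is a constructed /etc/netgroup fragment. It departs from the Perl in one respect worth noting: the template reaches ssh and scp as an argv list rather than through a local shell, so metacharacters in a command line cannot execute anything on the administration box, which is the one machine the post says the whole network depends on. `runner` and `reachable` are injectable so the expansion logic can be exercised without real hosts.

```python
"""Batch ssh/scp over hosts and netgroups with HOST/DATE token substitution.

Added example, not the poster's script.  All helper names are hypothetical.
"""
from __future__ import annotations

import re
import socket
import subprocess
from datetime import datetime, timezone
from typing import Callable, Iterable

# Constructed sample of /etc/netgroup: members are (host,user,domain) triples,
# and a member that is not a triple names another netgroup.
SAMPLE_NETGROUP = """\
# trusted admin groups (constructed sample)
linuxhost (foo,,) (bar,,) (rats,,)

sgigroup (sgi1,,) (sgi2,,)
allhosts linuxhost sgigroup
"""

TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup(text: str) -> dict[str, list[str]]:
    """Map each netgroup name to its members (host names or nested group names).

    Comment and blank lines are skipped.  A triple with an empty host field,
    such as (,user,), carries no host and is dropped rather than being misread
    as a host called 'user'.
    """
    groups: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        members: list[str] = []
        for tok in rest.split():
            m = TRIPLE.fullmatch(tok)
            if m is None:
                members.append(tok)                  # reference to another netgroup
            elif m.group(1).strip():
                members.append(m.group(1).strip())   # host field of the triple
        groups[name] = members
    return groups


def expand_hosts(args: Iterable[str], groups: dict[str, list[str]]) -> list[str]:
    """Expand netgroup names (recursively) and literal hosts into one ordered,
    de-duplicated host list; a netgroup that references itself is not looped on."""
    hosts: list[str] = []

    def walk(name: str, stack: frozenset[str]) -> None:
        if name in groups:
            if name in stack:
                return                               # cycle guard
            for member in groups[name]:
                walk(member, stack | {name})
        elif name not in hosts:
            hosts.append(name)

    for arg in args:
        walk(arg, frozenset())
    return hosts


def build_argv(mode: str, host: str, template: list[str], date: str) -> list[str]:
    """Substitute HOST and DATE and return an argv list, never a shell string.

    ssh still hands the single remote command string to the remote shell,
    exactly as the post's quoted "command line" argument does; what changes is
    that no shell on the administration box ever parses the template.
    """
    def sub(s: str) -> str:
        return s.replace("HOST", host).replace("DATE", date)

    if mode == "ssh":
        (remote_command,) = template
        return ["ssh", "-o", "BatchMode=yes", host, sub(remote_command)]
    if mode == "scp":
        src, dst = template
        if "HOST" not in src and "HOST" not in dst:
            raise ValueError("either source or destination must contain the token HOST")
        return ["scp", "-o", "BatchMode=yes", sub(src), sub(dst)]
    raise ValueError(f"unknown mode {mode!r}")


def port_open(host: str, port: int = 22, timeout: float = 1.0) -> bool:
    """Cheap reachability probe before spending an ssh handshake on a dead host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_batch(mode: str, args: list[str], groups: dict[str, list[str]],
              runner: Callable[[list[str]], int] | None = None,
              reachable: Callable[[str], bool] = port_open):
    """args = [host-or-netgroup ..., template...]: one remote command for ssh,
    a source/destination pair for scp.  Returns (host, argv, status) tuples,
    status None for unreachable hosts, plus the failed-host list."""
    n_template = 1 if mode == "ssh" else 2
    targets, template = args[:-n_template], args[-n_template:]
    if not targets or len(template) != n_template:
        raise ValueError("need at least one host/netgroup and a complete template")
    date = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")  # replaces `date`
    results, failed = [], []
    for host in expand_hosts(targets, groups):
        argv = build_argv(mode, host, template, date)
        if not reachable(host):
            results.append((host, argv, None))
            failed.append(host)
            continue
        status = runner(argv) if runner else subprocess.run(argv).returncode
        results.append((host, argv, status))
        if status != 0:
            failed.append(host)
    return results, failed
```

Invoked for real as `run_batch("scp", ["sgigroup", "HOST:/etc/passwd", "/sgiroot/etc/passwd.HOST"], parse_netgroup(open("/etc/netgroup").read()))`, it reproduces the post's ScpBatch example; `BatchMode=yes` makes ssh fail fast instead of prompting when a host's authorized_keys entry is missing, which is the failure an unattended admin box should log rather than hang on.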