SshBatch -- critique wanted

Post by sherw.. » Thu, 24 Dec 1998 04:00:00



I have written the following bit of fluff to make my life maintaining
a bunch of unix boxes easier.

Philosophy: In a mixed open environment, being sure of all your computers
is difficult.  However some degree of compromise is needed between
absolute security and getting the job done.

S[sh|cp]Batch is run from a machine that has no normal users, and runs
no services to external machines.

Ssh is configured on client machines with authorized_keys allowing
passwordless root logins from the trusted administrator machine.

ScpBatch

The idea is that this can be used as either a mechanism to push files
across the net to a remote machine, much like rdist, but done manually;
or to pull files from hosts to a central repository.

E.g.

ScpBatch sgigroup HOST:/etc/passwd /sgiroot/etc/passwd.HOST

If sgigroup has the hosts foo, bar, and baz in it,
then the Batch script runs
scp foo:/etc/passwd /sgiroot/etc/passwd.foo
scp bar:/etc/passwd /sgiroot/etc/passwd.bar
...

At /sgiroot, a script could compare passwd.foo.standard with passwd.foo,
and notify the admin of changes.  Many diagnostic/check programs can run
this way.

SshBatch works similarly with ssh for a group of machines.

Advantages:
        This is a mechanism that doesn't depend on the client.  No amount
        of snooping on the client box tells the snooper what tracks he has
        to cover.

        It's a good tool to help tame a bunch of independent machines, and
        get some common policies in place.

Disadvantages:
        It's incomplete.

        The entire network is only as secure as the administration box.

Critiques:
        Both the concept and the script are open. Point out where it's screwy.

        Please email as well as post.

#!/opt/perl5/bin/perl

#This script is designed to run under two names (hard links):
#SshBatch runs a command on a bunch of hosts.
#ScpBatch copies files to or from a bunch of hosts.

use Socket;

#parse /etc/netgroup
#This block defines an array of hosts for each netgroup.
#E.g. the netgroup entry:  linuxhost (foo,,) (bar,,) (rats,,)
#defines @linuxhost = (foo, bar, rats).

#Alternately, for NIS:
#open (NET, "/path/to/ypcat -k netgroup |");

open (NET, "/etc/netgroup") || die ("Can't open netgroup");
while (<NET>) {
        next if /^#/;                   #strip out comment lines
        next if /^\s*$/;                #strip out whitespace lines
        tr/(),/ /;                      # names are in (name,,)
        @list = split;
        $varname = $list[0];
        #Build an array named after the netgroup (a symbolic reference)
        #that has the elements of that group.
        #(reconstructed; this line is missing from the posted copy)
        @{$varname} = @list[1 .. $#list];
        } #end while NET
close(NET);

if ($0 =~ /.*\/SshBatch$/) {
        $commandtemplate = pop(@ARGV);  # last argument is the command line (reconstructed)
        $command = "ssh";
        }

if ($0 =~ /.*\/ScpBatch$/) {
        $dest   = pop(@ARGV);           # last two arguments are source and destination (reconstructed)
        $source = pop(@ARGV);
        $commandtemplate = "$source $dest";
        $command = "scp";
        }

if ($#ARGV < 0) {
        print "USAGE: SshBatch  [ [host | netgroup] ...] \"command line\"\n";
        print "USAGE: ScpBatch [ [host | netgroup] ...] \"source\" \"destination\" \n";
        print "       Either source or destination must have the token \n";
        print "       HOST, which will be replaced from the hostlist.\n";
        exit (1);
        }

open (LOG, ">>/var/adm/SshBatch.log") || die ("Can't open log");
$date = `date`;
chomp($date);
$hostcommandline = "@ARGV";             # the host/netgroup arguments as given
print(LOG "$date => [$command $commandtemplate ] $hostcommandline \n");

#Expand netgroups: each remaining argument is either a netgroup name
#(an array was built for it above) or a plain host name. (reconstructed)
foreach $host (@ARGV) {
        if (@{$host}) {
                push(@hosts, @{$host});
                }else{
                push(@hosts, $host);
                } #endif defined host
        } #end foreach host

$connect_time   = 1;                    # seconds to wait for port 22
$protocol_id    = getprotobyname("tcp");
$port           = 22;                                   #Ssh
$SIG{"ALRM"} = sub { close (SOCKET); }; # abort a hanging connect

foreach $host (@hosts) {
        print "=============================================================\n";
        $commandline = $commandtemplate;
        $commandline =~ s/HOST/$host/g;
        $commandline =~ s/DATE/$date/g;
        #In some cases we need to run host specific programs.
        $iaddr  = inet_aton($host);
        if (! $iaddr) {
                print "$host does not resolve.\n";
                print (LOG "$date => $command $host failed (no address) \n");
                push(@failed, $host);
                next;
                }
        $paddr  = sockaddr_in($port, $iaddr);
        socket(SOCKET, PF_INET, SOCK_STREAM, $protocol_id);
        alarm $connect_time;
        $connected = connect(SOCKET, $paddr);
        alarm 0;                        # cancel the timer once connect returns
        close(SOCKET);
        if ($connected) {
                if ($command eq "ssh" ) {
                        print ("ssh $host $commandline \n");
                        system ("ssh $host \"$commandline\"");
                        print (LOG "$date => ssh $host status ", $? >> 8, " \n");
                        }
                if ($command eq "scp" ) {
                        print ("scp $commandline \n");
                        system ("scp $commandline");
                        print (LOG "$date => scp $host status ", $? >> 8, " \n");
                        }
                }else{
                print "$host not accepting ssh connections.\n";
                print (LOG "$date => $command $host failed \n");
                push(@failed, $host);
                }
        } #end foreach.

close(LOG);

if (@failed) {
        print "$commandtemplate failed for\n@failed\n";
        }

--

Sorcerers Apprentice    | Office CAB 642B
System Administrator    | Tel: 403 492 5728
Trouble shooter         | Fax: 403 492 6826
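The check the post sketches for /sgiroot (compare passwd.HOST.standard with the freshly pulled passwd.HOST and tell the admin what changed), as an added example written here, not the poster's code; the two passwd files are constructed inline so it runs stand-alone. It reports additions, removals and field changes, and separately flags any account that gains UID 0, since that is the change most worth escalating.

```perl
#!/usr/bin/perl
# Added example: compare a baseline passwd copy with a freshly pulled one.
# Not part of the posted SshBatch/ScpBatch script; sample data is constructed.
use strict;
use warnings;

# Parse passwd text into { login => [uid, gid, gecos, home, shell] }.
sub parse_passwd {
    my ($text) = @_;
    my %acct;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;
        my ($login, undef, $uid, $gid, $gecos, $home, $shell) = split /:/, $line, 7;
        $acct{$login} = [$uid, $gid, $gecos, $home, $shell];
    }
    return \%acct;
}

# Return a list of human-readable change reports, baseline vs current.
sub compare_passwd {
    my ($baseline, $current) = @_;
    my $old = parse_passwd($baseline);
    my $new = parse_passwd($current);
    my @report;
    for my $login (sort keys %$new) {
        if (!exists $old->{$login}) {
            push @report, "ADDED   $login (uid $new->{$login}[0], shell $new->{$login}[4])";
        } elsif ("@{$old->{$login}}" ne "@{$new->{$login}}") {
            push @report, "CHANGED $login: @{$old->{$login}} -> @{$new->{$login}}";
        }
        # A UID 0 account that is new, or was not UID 0 in the baseline, is the one to escalate.
        push @report, "ALERT   $login now has uid 0"
            if $new->{$login}[0] == 0 && !(exists $old->{$login} && $old->{$login}[0] == 0);
    }
    for my $login (sort keys %$old) {
        push @report, "REMOVED $login" unless exists $new->{$login};
    }
    return @report;
}

# Constructed sample files standing in for passwd.foo.standard and passwd.foo.
my $standard = "root:x:0:0:root:/root:/bin/sh\n"
             . "bin:x:1:1:bin:/bin:/sbin/nologin\n"
             . "alice:x:1001:100:Alice:/home/alice:/bin/ksh\n";
my $pulled   = "root:x:0:0:root:/root:/bin/sh\n"
             . "alice:x:1001:100:Alice:/home/alice:/bin/bash\n"
             . "backup:x:0:0:backup:/tmp:/bin/sh\n";
print "$_\n" for compare_passwd($standard, $pulled);
```

Run from the admin box after an ScpBatch pull, feeding it the contents of the two files per host; its output is the notification the post has in mind.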