I have written the following bit of fluff to make my life maintaining
a bunch of unix boxes easier.
Philosophy: In a mixed open environment, being sure of all your computers
is difficult. However some degree of compromise is needed between
absolute security and getting the job done.
S[sh|cp]Batch is run from a machine that has no normal users, and runs
no services to external machines.
Ssh is configured on client machines with authorized_keys allowing
passwordless root logins from the trusted administrator machine.
ScpBatch
The idea is that this can be used either as a mechanism to push files
across the net to a remote machine, much like rdist but done manually,
or to pull files from hosts to a central repository.
E.g.
ScpBatch sgigroup HOST:/etc/passwd /sgiroot/etc/passwd.HOST
If sgigroup has the hosts foo, bar, and baz in it,
then the Batch script runs
scp foo:/etc/passwd /sgiroot/etc/passwd.foo
scp bar:/etc/passwd /sgiroot/etc/passwd.bar
...
At /sgiroot, a script could compare passwd.foo.standard with passwd.foo,
and notify the admin of changes. Many diagnostic/check programs can run
this way.
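The comparison step described above, as an added example that is not part of the original post: a small sh script that checks each pulled passwd.HOST against its passwd.HOST.standard baseline, shows the diff, and separately lists any uid-0 accounts that appeared since the baseline. The /sgiroot layout is the post's; REPO, the hosts foo and bar and their file contents are constructed here so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): compare files pulled by
# ScpBatch against per-host baselines in the central repository and flag
# drift. Assumes the post's layout /sgiroot/etc/passwd.HOST next to
# passwd.HOST.standard; REPO and the two hosts below are constructed so
# the check runs offline.

REPO="${REPO:-$(mktemp -d)}"   # stands in for /sgiroot

# Constructed sample data: baseline plus freshly pulled copy for two hosts.
setup_sample() {
    mkdir -p "$REPO/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\nops:x:100:100::/home/ops:/bin/sh\n' \
        > "$REPO/etc/passwd.foo.standard"
    cp "$REPO/etc/passwd.foo.standard" "$REPO/etc/passwd.foo"          # unchanged
    cp "$REPO/etc/passwd.foo.standard" "$REPO/etc/passwd.bar.standard"
    { cat "$REPO/etc/passwd.bar.standard"
      printf 'toor:x:0:0::/:/bin/sh\n'; } > "$REPO/etc/passwd.bar"     # new uid 0
}

# check_host FILE HOST: diff the pulled copy against its baseline.
# Returns 0 when identical, 1 when changed, 2 when either copy is missing.
check_host() {
    cur="$REPO/$1.$2"; base="$REPO/$1.$2.standard"
    if [ ! -f "$cur" ] || [ ! -f "$base" ]; then
        echo "$2: missing $cur or $base" >&2
        return 2
    fi
    cmp -s "$base" "$cur" && return 0
    echo "=== $2: $1 differs from baseline ==="
    diff "$base" "$cur" || :
    return 1
}

# new_uid0 FILE HOST: list uid-0 accounts present in the pulled copy but
# not in the baseline; the exit status is the number found.
new_uid0() {
    awk -F: 'NR == FNR { if ($3 == 0) seen[$1] = 1; next }
             $3 == 0 && !($1 in seen) { print $1; n++ }
             END { exit n + 0 }' "$REPO/$1.$2.standard" "$REPO/$1.$2"
}

# check_group FILE HOST...: check every host; exit status = hosts that drifted.
check_group() {
    cfile=$1; shift; drifted=0
    for h in "$@"; do
        check_host "$cfile" "$h" || drifted=$((drifted + 1))
    done
    return $drifted
}
```

Run it from cron after the ScpBatch pull and mail the output when check_group exits nonzero; the uid-0 list is the line to alert on first.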
SshBatch works similarly with ssh for a group of machines.
Advantages:
This is a mechanism that doesn't depend on the client. No amount
of snooping on the client box tells the snooper what tracks he has
to cover.
It's a good tool to help tame a bunch of independent machines, and
get some common policies in place.
Disadvantages:
It's incomplete.
The entire network is only as secure as the administration box.
Critiques:
Both the concept and the script are open. Point out where it's screwy.
Please email as well as post.
#!/opt/perl5/bin/perl -w
# This script is designed to run with two links:
#   SshBatch runs a command on a bunch of hosts.
#   ScpBatch copies files to or from a bunch of hosts.
use strict;
use Socket;

# Parse /etc/netgroup.
# This block defines an array of hosts for each netgroup.
# E.g. the netgroup entry   linuxhost (foo,,) (bar,,) (rats,,)
# gives $netgroup{linuxhost} = [qw(foo bar rats)].
# Alternately, under NIS:
#   open(NET, "/path/to/ypcat -k netgroup |") || die "Can't run ypcat";
my %netgroup;
open(NET, "/etc/netgroup") || die("Can't open netgroup: $!");
while (<NET>) {
    next if /^#/;                 # strip out comment lines
    next if /^\s*$/;              # strip out whitespace lines
    tr/(),/ /;                    # names are in (name,,)
    my ($varname, @list) = split; # first word is the group name,
    push @{ $netgroup{$varname} }, @list;  # the rest are its elements
} # end while NET
close(NET);

# Which link were we called through?
my ($command, $commandtemplate);
if ($0 =~ /\/SshBatch$/) {
    $command = "ssh";
}
if ($0 =~ /\/ScpBatch$/) {
    $command = "scp";
}

if (!defined $command || @ARGV < ($command eq "scp" ? 3 : 2)) {
    print "USAGE: SshBatch [ [host | netgroup] ...] \"command line\"\n";
    print "USAGE: ScpBatch [ [host | netgroup] ...] \"source\" \"destination\"\n";
    print "       Either source or destination must have the token\n";
    print "       HOST, which will be replaced from the hostlist.\n";
    exit(1);
}

# The trailing argument(s) form the command template; everything before
# them names a host or a netgroup.
if ($command eq "scp") {
    my $dest   = pop @ARGV;
    my $source = pop @ARGV;
    $commandtemplate = "$source $dest";
    die "Either source or destination must contain HOST\n"
        unless $commandtemplate =~ /HOST/;
} else {
    $commandtemplate = pop @ARGV;
}

# Expand netgroups into a flat host list; names that are not a known
# netgroup are taken to be hosts.
my @hosts;
foreach my $arg (@ARGV) {
    if (defined $netgroup{$arg}) {
        push @hosts, @{ $netgroup{$arg} };
    } else {
        push @hosts, $arg;
    } # endif defined host
} # end foreach host

open(LOG, ">>/var/adm/SshBatch.log") || die("Can't open log: $!");
my $date = `date`;
chomp $date;
print(LOG "$date => [$command $commandtemplate ] @hosts\n");

my $connect_time = 1;                    # seconds to wait for port 22
my $protocol_id  = getprotobyname("tcp");
my $port         = 22;                   # ssh
$SIG{"ALRM"} = sub { close(SOCKET); };   # abandon a connect() that hangs

my @failed;
foreach my $host (@hosts) {
    print "=============================================================\n";
    my $commandline = $commandtemplate;
    $commandline =~ s/HOST/$host/g;
    $commandline =~ s/DATE/$date/g;      # in some cases we need host/date specific names

    # Cheap check that something is listening on the ssh port before we
    # spend a full ssh timeout on a dead host.
    alarm $connect_time;
    socket(SOCKET, PF_INET, SOCK_STREAM, $protocol_id) || die "socket: $!";
    my $iaddr = inet_aton($host);
    my $paddr = defined $iaddr ? sockaddr_in($port, $iaddr) : undef;
    if (defined $paddr && connect(SOCKET, $paddr)) {
        alarm 0;
        close(SOCKET);
        if ($command eq "ssh") {
            print("ssh $host $commandline\n");
            # list form: the command line reaches the remote side as one
            # argument without passing through the local shell
            system("ssh", $host, $commandline);
            print(LOG "$date => ssh $host status $?\n");
        }
        if ($command eq "scp") {
            print("scp $commandline\n");
            system("scp $commandline");
            print(LOG "$date => scp $host status $?\n");
        }
        push @failed, $host if $? != 0;
    } else {
        alarm 0;
        print "$host not accepting ssh connections.\n";
        print(LOG "$date => $command $host failed\n");
        push @failed, $host;
    }
} # end foreach host
close(LOG);
if ($#failed >= 0) { print "$commandtemplate failed for\n @failed\n"; }
--
Sorcerers Apprentice | Office CAB 642B
System Administrator | Tel: 403 492 5728
Trouble shooter | Fax: 403 492 6826