You can do much more using ssh and its other services, not only logging to remote system.
Following are few of the tips and example that I feel can help to move quick around.
In ubuntu: following are few of the ssh package that I can you might like to have:
ssh ssh-contact-service ssh-krb5
ssh-askpass sshfp sshm
ssh-askpass-fullscreen sshfs sshmenu
ssh-askpass-gnome sshfs-dbg sshpass
ssh-contact sshguard sshuttle
ssh-contact-client ssh-import-id
If you need to know some information about a package before installing then you can try the following command and from there you can check for Homepage to dig more information.
Command: apt-cache show <packageName>
Example:
apt-cache show ssh-askpass
Package: ssh-askpass
Priority: optional
Section: universe/net
Installed-Size: 160
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Philip Hands <phil@hands.com>
Architecture: amd64
Version: 1:1.2.4.1-9
Depends: libc6 (>= 2.4), libice6 (>= 1:1.0.0), libsm6, libx11-6, libxt6
Filename: pool/universe/s/ssh-askpass/ssh-askpass_1.2.4.1-9_amd64.deb
Size: 34872
MD5sum: e827b5abcc25c19ae6fb0f3eefb5b719
SHA1: 6aa0c3512d9d3dfe361df552a3954a53ec79aad2
SHA256: d6d799ed0a9a1d585e780d4ec2d2c52849fc6ae1e73d02ac5f70e5d29e78201e
Description-en: under X, asks user for a passphrase for ssh-add
This is Jim Knoble's free implementation of the ssh-askpass program.
.
Jim calls this x11-ssh-askpass, but I've decided to call it ssh-askpass to
make it easier to find, because this is almost certainly the version you
want. Other ssh-askpass programs are available, some of which may integrate
better into various desktop environments.
Homepage: http://www.jmknoble.net/software/x11-ssh-askpass/
Description-md5: 5b9411f94446cbb46230c152b2591705
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
A command where you can pass the password parameter and then you can login to the remote server:
pkg needed: sshpass [ sudo apt-get install sshpass ]
command:
sshpass -p <remoteServerPassword> ssh -p <ifYouHaveCustomePassword> id@remoteServer
NOTE: the above command have other options where you can pass the password from a file or from a env variable. Check [ sshpass -h ] for more info.
Using above command later you can do the same things what ever you want to do using the ssh command.
Another command:
Let's say running a command:
sshpass -p <remoteServerPassword> ssh id@removeServer "command"
The following command will update your public key to the remote server:
ssh-copy-id | sshpass -p <remoteServerPassword> id@remoteServer
or
cat ~/.ssh/id_rsa.pub | sshpass -p bitumund ssh amitmund@crushmypage "cat >> ~/.ssh/authorized_keys"
cat .ssh/id_rsa.pub | ssh user@123.45.56.78 "cat >> ~/.ssh/authorized_keys"
cat ~/.ssh/id_rsa.pub | sshpass -p bitumund ssh amitmund@crushmypage "cat >> ~/.ssh/authorized_keys"
amit@AmitAsus:~$ openssl passwd -1 $rootpw
$1$JanOnEuV$7kohbOMqhjhMc70WWhYsk0
need a sed script to update the /etc/shadow file of that user.
sed -i "s/"test:[$./0-9a-zA-Z]*:"/"test:NewPasswd:"/g" test
amitmund@master:~$ cat test
test:NewPasswd:12:1
openssl passwd -1 $rootpw
$1$Ja8Zp6vP$1tJvqiNxfiePd9wTsDKq51
sudo sed "s/"^amitmund:[$./0-9a-zA-Z]*:"/"amitmund:MyPasswd:"/g" /etc/shadow
sudo sed -i "s/"^test:[$./0-9a-zA-Z]*:"/"test:MyPasswd:"/g" /etc/shadow
sudo sed -i "s/"^test:[$./0-9a-zA-Z]*:"/"test:'$1$Ja8Zp6vP$1tJvqiNxfiePd9wTsDKq51':"/g" /etc/shadow
NOTE: I had to keep the encrypted the password under (').
e.g if the password is [ asdfasd$asfw4$ ] then keep the same as :
'asdfasd$asfw4$'
And another IMP note: try not to have a "/" or "\" slash on the password string because I am using "/" as sed separater. If you still need that, then you can escape the same.
NOTE: If your key is password protected [ which is good ], then you need to use the "ssh-agent <shell> " and ssh-add to keep the auth information as a process, so that it will not ask you to enter the passphase of the key again and again.
So, How do you update the root password of 10K server when you don't have the ssh-key environment too?
1st: create a file which is having the list of the host. [ I have to understand parallel ssh too ]
1a: Most of the company who have large number of host, they keep those information under a data base... in this case you can pull the same from the db.
1b: If not all those server a part of some load-balancer [ lets say the httpServer come as FEHost load-balancer, so... the company might be having a api call to pull the hosts details if I provide the load-balancer information. so, in this case also you can pull the information.
1c: The company might be having a naming-convention [ HT# ] with some colo / data center wise....
Make a group by group file for first few time for same approach, once you get confident you can put all the file under a single file and update the same. [ Further I will try to solve the same with parallel execution ]
[ just as a fun: if the host is control by kerberos auth then you can update over there ? :) ]
2nd: create an encrypted password:
As per example I am updating the password for user user "test" and new password as "password"
for this:
2a: create a variable and assign the password on the same.
testUserPW=test
2b: generate a encrypted password:
openssl passwd -1 $testUserPW
$1$Ja8Zp6vP$1tJvqiNxfiePd9wTsDKq51
NOTE: escape the special character, e.g $ => \$, so that above password and give a (')
:'\$1\$Ja8Zp6vP\$1tJvqiNxfiePd9wTsDKq51'
NOTE: try checking with "escape character and (') where needed.
Following is working for me for user "test" and password "test"
"sed -i "s/"^test:[$./0-9a-zA-Z]*:"/"test:'\$1\$Ja8Zp6vP\$1tJvqiNxfiePd9wTsDKq51':"/g" /etc/shadow"
I have used both (') and (escape character ) at this example.
if you run the above command N time, you will get N time different password string, I will suggest chose some thing that is not having any slash [ (/) or (\) ], as I will be using (/) in SED replacement. If you still want the string with (/) then you can use something else in sed, at that time if that character is not there then it good.
NOTE: you use the above string with in the (') .
So, By now you have the list of servers and the encrypted password.
3: you need to have a command "sshpass" installed. [ you can save your current root password or a user with sudo permissions password over here. ]
for simplicity, over here I am using the password in the string.
for testing, you can try the command in command line, later you can put the same under the loop.
sshpass -p <yourRootPassword> ssh root@remoteServer "sed -i "s/"^test:[$./0-9a-zA-Z]*:"/"test:'\$1\$Ja8Zp6vP\$1tJvqiNxfiePd9wTsDKq51':"/g" /etc/shadow"
NOTE: When I tried in ubuntu with sudo, its asking again for sudo password and its failing, but as a root login it will not. I will update this blog with more information on this.
So, for all the hosts, let say the file that have all the host name with a new line, name is "ServersName":
for servers in `cat ServersName; do echo $servers; sshpass -p <YourRootPassword> ssh root@$servers "sed -i "s/"^test:[$./0-9a-zA-Z]*:"/"test:'\$1\$Ja8Zp6vP\$1tJvqiNxfiePd9wTsDKq51':"/g" /etc/shadow"; done
So, what is the above command is doing:
1. putting the server name at servers variable.
2. Echoing the server name, just for your reference.
3. Passing the password using "sshpass" command.
4. Updating the "/etc/shadow" file with the new encrypted string, that you got from "openssl" command.
NOTE: The string need to compatible. Over here I am using "sed" you can use "perl", "python" other things as per your need.
parallel-ssh:
[ you need install pssh for parallel-ssh ]
Following are few of the features:
1. In the following command you are passing user@host:port and the ssh option after -x "for example the ssh key" and later the command. It will run the command on the remote system and put the output on the screen:
$ parallel-ssh -i -H "user@server:port" -x "-i key" "command"
Following is the command example if you have to pass the key, port and user parameter:
$ parallel-ssh -i -h <FileWithServersList> -x "-i key -p port" -l ubuntu "command"
-Amit Kumar Mund
No comments:
Post a Comment