experiences with openssh automation

Mike Kallies mgjk-cpI+UMyWUv9BDgjK7y7TUQ at public.gmane.org
Mon Aug 8 22:32:56 UTC 2005


Hello Everyone,

I've been doing some work with OpenSSH for automation with Linux Redhat,
and it seems time and time again I encounter problems where OpenSSH does
not allow for graceful failure.  It seems a nice simple:

  ssh servername command

will fail in automation when it encounters a set of servers with new host
key identifiers.

1.  Is there a way to programmatically update the host key identifier? 
Kind of a "yes, this is the right server, I know it changed" flag, option
or technique which I'm missing?

The following has the host key identification fail gracefully, it spews an
error about it and moves on, which is good.

  SSHCMD="ssh -q -o BatchMode=yes"
  $SSHCMD servername command

(I have to add host keys by ssh'ing to the server manually and saying
"yes" to keep the keys up to date should they change.)

All this was just barely acceptable until I encountered a server with a
broken SSH daemon, now I'm considering writing a babysitting script which
backgrounds, sleeps and kills the SSH command if it times out.

I never had such problems with rsh...

2. Does anyone have any recommendations or experience as to how I can use
OpenSSH in a robust and reasonably secure fashion, so that it won't freeze
up on cron jobs, fail to time out and create a traffic jam of useless
processes?

3. Finally, since ssh as root is harmful, and automation can be doled out
on a piecemeal basis using sudo, does anyone have any tricks to integrate
ssh, sudo and su so that automation IDs can run remote commands without
having to handle multiple levels of escapes?

For example, automation which requires auditing /etc/shadow (hey, it does
happen!) begins to require scripts with statements like:

  ssh -q -o BatchMode=yes server sudo su root -c \"grep \\\"expression\\\" /etc/shadow\"

vs.

  rsh server grep \"expression\" /etc/shadow

When regular expressions begin to get involved in double-escapes, bad
things happen... simple statements begin to become easier to scp over and
execute from uniquely named temp files in privileged directories.

It just gets ugly, but I'm sure I must not be the only one who's
encountered this kind of problem.

Any recommendations for books, websites or materials?  The O'Reilly book
seems to be more theory than practice on this stuff.


-Mike

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml