experiences with openssh automation

Robert Brockway rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
Tue Aug 9 06:24:28 UTC 2005


On Mon, 8 Aug 2005, Mike Kallies wrote:

> 1.  Is there a way to programmatically update the host key identifier? 

Yes, as Frank points out.  But you have to ask yourself if this is a path 
you want to follow.  The host key identifier is there for a reason.  In 
particular it helps to prevent man-in-the-middle attacks.

> I never had such problems with rsh...

You never had any security with rsh either :)
 
> 2. Does anyone have any recommendations or experience as to how I can use
> OpenSSH in a robust and reasonably secure fashion, so that it won't freeze

Use host key identifiers ;)

> up on cron jobs, fail to time out and create a traffic jam of useless
> processes?

Check for an active ssh connection?  netstat -p will do this.

> 3. Finally, since ssh as root is harmful, and automation can be doled out
> on a piecemeal basis using sudo, does anyone have any tricks to integrate
> ssh, sudo and su so that automation IDs can run remote commands without
> having to handle multiple levels of escapes?
> 
> For example, automation which requires auditing /etc/shadow (hey, it does
> happen!) begins to require scripts with statements like:
> 
> ssh -q -o MatchMode=yes server sudo su root -c \"grep \\\"expression\\\"
> /etc/shadow\"

IMHO if you have so many boxes that auditing /etc/shadow can't be done 
manually you need to look at some other form of authentication.  Allowing 
automated access via ssh to an account that can sudo to root is just 
opening a window for exploitation.

Rob

-- 
Robert Brockway B.Sc.		Phone:	+1-416-669-3073
Senior Technical Consultant	Email:	support-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
OpenTrend Solutions Ltd.	Web:	www.opentrend.net
We are open 24x7x365 for technical support.  Call us in a crisis.
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
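An added example, not code from this thread or from either poster, showing one way to address question 2 while following Rob's advice on question 1: the host key stays pinned in a known_hosts file the job reads but never rewrites, ssh is told to fail rather than prompt, a dead host is bounded by ConnectTimeout plus a watchdog timer, and overlapping cron runs are prevented with an atomic mkdir lock instead of grepping netstat. The host name, lock path, KNOWN_HOSTS location and the timeout values are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example for running OpenSSH unattended from cron (not code from the
# thread). Guards against the failure modes raised in the post:
#   - a dead or slow host hanging the job         -> ConnectTimeout + a watchdog timer
#   - ssh waiting for a password or passphrase    -> BatchMode=yes (fail, never prompt)
#   - a changed host key being silently accepted  -> StrictHostKeyChecking=yes with a
#     known_hosts file the job reads but never "updates"
#   - a pile-up of overlapping cron runs          -> an atomic mkdir lock

# Atomic lock: mkdir either creates the directory or fails, with no race window.
acquire_lock() {
    mkdir "$1" 2>/dev/null
}

release_lock() {
    rmdir "$1" 2>/dev/null
}

# Return 0 if the host already has a pinned key in the given known_hosts file
# (ssh-keygen -F exits non-zero when the host is absent).
host_key_pinned() {
    ssh-keygen -F "$1" -f "$2" >/dev/null 2>&1
}

# Run "$@" in the background and send it SIGTERM after $1 seconds.
# Returns the command's exit status, or 128+15 if the watchdog fired.
run_with_timeout() {
    secs=$1; shift
    "$@" &
    job=$!
    (
        set +e                        # the timer must never abort on a signal
        trap 'kill "$sleeper" 2>/dev/null; exit 0' TERM
        sleep "$secs" & sleeper=$!
        wait "$sleeper"
        kill -TERM "$job" 2>/dev/null
    ) &
    watchdog=$!
    if wait "$job"; then rc=0; else rc=$?; fi
    kill -TERM "$watchdog" 2>/dev/null   # cancel the timer if the job finished first
    wait "$watchdog" 2>/dev/null || :
    return "$rc"
}

# Run a command under the lock and the watchdog. Exit 75 (EX_TEMPFAIL) when a
# previous run still holds the lock, so cron's mail shows why nothing happened.
guarded_run() {
    lock=$1; secs=$2; shift 2
    acquire_lock "$lock" || { echo "$0: previous run still holds $lock, skipping" >&2; return 75; }
    run_with_timeout "$secs" "$@" && rc=0 || rc=$?
    release_lock "$lock"
    return "$rc"
}

# The unattended ssh invocation itself. KNOWN_HOSTS, the lock path and the
# timeouts are placeholders. ServerAliveInterval/ServerAliveCountMax make ssh
# drop a session whose peer has vanished instead of waiting forever.
ssh_job() {
    host=$1; shift
    known_hosts=${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}
    host_key_pinned "$host" "$known_hosts" || {
        echo "$0: no pinned host key for $host in $known_hosts; refusing to connect" >&2
        return 1
    }
    guarded_run "/tmp/ssh-job-$host.lock" 120 \
        ssh -q -o BatchMode=yes -o StrictHostKeyChecking=yes \
            -o UserKnownHostsFile="$known_hosts" -o ConnectTimeout=10 \
            -o ServerAliveInterval=15 -o ServerAliveCountMax=3 \
            "$host" "$@"
}

# Example cron entry (constructed): run an unprivileged check every 5 minutes
#   */5 * * * * /usr/local/bin/ssh_job.sh server01 uptime
if [ $# -gt 0 ]; then
    ssh_job "$@"
fi
```

The remote command is passed as plain arguments and runs as the automation user only; that keeps the quoting to a single level and avoids the sudo/su chain Rob warns against. If a check genuinely needs privilege, the usual approach is a dedicated sudoers entry for that one command rather than an automation account that can become root.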