[ale] ssh question

mike at trausch.us mike at trausch.us
Thu May 10 14:11:27 EDT 2012 

On 05/10/2012 07:59 AM, Edward Holcroft wrote:
> Morning all
> 
> I need to run a command on an internal server that will restart a given
> service, in this case asterisk, without user intervention. I using this:
> 
> sshpass -p '1qazxsw2' ssh -o StrictHostKeyChecking=no root at 192.168.50.87
> <mailto:root at 192.168.50.87> /etc/init.d/asterisk restart

First off, use keys not a password.  You can then limit keys to
particular commands and even use keys to implement access controls on a
single account, à la gitosis.

Secondly, if it is an option, use "sudo", so that you can do something
like this:

$ ssh user at host sudo service asterisk restart
[output goes here]
Connection to host closed.
$

Sudo will take care of a good chunk of issues that pertain to
environments.  Keep in mind that SSH will transfer a lot of your local
environment to the remote host if given the chance, so using env or sudo
on the remote side is simply a Good Idea™.

Third, don't disable StrictHostKeyChecking.  Fix your known hosts
file(s) and USE THAT EXTRA SECURITY.  This is the ONLY way that you
actually know that you are talking to the correct remote host.

> The problem is this command never logs out:
> 
> Stopping safe_asterisk: [  OK  ]
> Shutting down asterisk: [  OK  ]
> Starting asterisk: [  OK  ]
> 
> .... and there it sits, until I manually close it

Initiate another connection to the given host and see what is still
running in the context of that SSH connection.  The forest option to ps
should help to track that down.

> I also tried using -t with the ssh command, which closes the session,
> but without restarting the service, even though it says it did:
> 
> $ sshpass -p '1qazxsw2' ssh -o StrictHostKeyChecking=no -t
> root at 192.168.50.87 <mailto:root at 192.168.50.87> "/etc/init.d/asterisk
> restart"
> Stopping safe_asterisk:                                    [FAILED]
> Shutting down asterisk:                                    [FAILED]
> Starting asterisk:                                         [  OK  ]
> Connection to 192.168.50.87 closed.

What do the system logs say after this?

> I found this article:
> 
> http://www.snailbook.com/faq/background-jobs.auto.html
> 
> And tried:
> 
> $ sshpass -p '1qazxsw2' ssh -o StrictHostKeyChecking=no
> root at 192.168.50.87 <mailto:root at 192.168.50.87> /etc/init.d/asterisk
> restart < /dev/null
> 
> which also does not close.
> 
> Any ideas on how I can get this to run the way I want it to?

I'd say that the first few steps are:

 1.  Create a single-purpose SSH key to authenticate to a non-root
     account.

 2.  Use sudo to run your init script to bounce the service.  If your
     distribution provides a service control manager, use it instead.
     (e.g., use "sudo service asterisk restart" instead of
     "sudo /etc/init.d/asterisk restart").

 2a. Make your SSH key a single purpose key which can only be used to
     execute the command from the previous step, and nothing more.

 3.  Do not use a terminal (ssh -t) unless you are running curses
     applications or applications which realistically need to be run
     with a controlling terminal.  You MUST use -t if you run sudo
     and have to enter a password (UNLESS, that is, you use sudo's
     SUDO_ASKPASS feature).  I would permit the user account with the
     single-purpose key to be able to run the command without having
     to authenticate to sudo again.

In order to keep the security within acceptable bounds:

 - Ensure that your SSH key has a passphrase if it will only be manually
   run.  If it needs to be automatically run, then you need to store the
   private key unencrypted, and you need to ensure that it has 0600
   permissions on the local host.

 - Always ensure that the .ssh/authorized_keys on the remote is 0600 as
   well.

 - Disable password authentication on the account on the remote host.

 - Ensure that the authorized_keys entry ONLY allows that single
   command.

See sshd(8) for information on single-purpose SSH keys, if you are
currently unfamiliar with them.  Here is a single example from that man
page (supposed to be one line but it doesn't fit, sorry):

command="dump /home",no-pty,no-port-forwarding ssh-dss [KEYTXT] example.net

	--- Mike

-- 
A man who reasons deliberately, manages it better after studying Logic
than he could before, if he is sincere about it and has common sense.
                                   --- Carveth Read, “Logic”

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 729 bytes
Desc: OpenPGP digital signature
Url : http://mail.ale.org/pipermail/ale/attachments/20120510/ebee03e2/attachment.bin

More information about the Ale mailing list