I need to run shell commands on several servers. Is there a secure way to do this? Right now I'm thinking of exposing a PHP URL that allows me to send pure script commands and lets the web server spit out a JSON response. But this is a lot of work and doesn't sound like it will be very secure.
I want to run commands like "ping", "whois" and other network commands. It's about seeing connectivity between different servers, i.e. whether the server in Germany can talk to the server in the US, etc.
Use ssh. Read a good ssh tutorial. You want to use it with a public key (to avoid typing passwords).
Of course, you need to have an SSH server process running on the remote server machines.
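As an added illustration of the answer above (this is example code, not part of the original answer): the key-based ssh setup it recommends can be made far tighter than the PHP-URL idea in the question by binding the monitoring key to a forced command, so that the key can run ping and whois and nothing else, and the result still comes back as JSON. The install path /usr/local/bin/net-probe, the user name probe and the key comment are hypothetical; the `restrict` keyword needs OpenSSH 7.2 or newer.

```shell
#!/bin/sh
# net-probe: forced command for a key that may only run connectivity checks.
# On each target server, bind the monitoring key to this script in
# ~/.ssh/authorized_keys (hypothetical path and key shown):
#
#   restrict,command="/usr/local/bin/net-probe" ssh-ed25519 AAAA...redacted probe@monitor
#
# "restrict" turns off port, agent and X11 forwarding and PTY allocation; command=
# makes sshd run this script whatever the client asked for and puts the client's
# request in $SSH_ORIGINAL_COMMAND. The client then asks, for example:
#
#   ssh -i probe_key probe@server-de 'ping server-us'
#
# and gets back one JSON object.
set -eu

# Validate a request of the form "<tool> <host>" against a fixed allowlist and print
# the exact argv to run, one word per line. Returns 1 for anything else, so shell
# metacharacters, extra words or option-looking targets never reach a shell.
parse_probe_request() {
  set -f                       # no globbing while the request is split into words
  set -- $1
  set +f
  [ $# -eq 2 ] || return 1
  tool=$1; target=$2
  case $target in
    ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;   # hostname / IPv4 literal characters only
  esac
  [ ${#target} -le 253 ] || return 1
  case $tool in
    ping)  printf '%s\n' ping -c 3 -W 2 "$target" ;;
    whois) printf '%s\n' whois "$target" ;;
    *)     return 1 ;;
  esac
}

# Escape a string for use inside a JSON string literal. Backslash, double quote,
# tab and newline are escaped; other control characters are dropped.
json_escape() {
  tab=$(printf '\t')
  printf '%s' "$1" \
    | tr -d '\001-\010\013-\037\177' \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e "s/$tab/\\\\t/g" \
    | awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# Run a validated request and print one JSON object with the exit status and output.
# A request that fails validation gets an error object and exit status 2.
run_probe() {
  request=$1
  if ! argv=$(parse_probe_request "$request"); then
    printf '{"request":"%s","error":"request not permitted"}\n' "$(json_escape "$request")"
    return 2
  fi
  set -f; set -- $argv; set +f    # argv words contain no whitespace (validated above)
  status=0
  output=$("$@" 2>&1) || status=$?
  printf '{"request":"%s","exit":%d,"output":"%s"}\n' \
    "$(json_escape "$request")" "$status" "$(json_escape "$output")"
}

# sshd runs this file by name as the forced command; when it is sourced under
# another name (for example by a test) nothing runs automatically.
case ${0##*/} in
  net-probe) run_probe "${SSH_ORIGINAL_COMMAND:-}" ;;
esac
```

The point of the design is that the client never chooses a command line: it chooses one of two tools and one hostname, and the script assembles the argv itself. If you later need more checks, add a `case` arm rather than relaxing the validation.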
Let's state a situation:
I have the possibility to run arbitrary commands on a server as an unprivileged user, through "unconventional means".
I do not have the possibility to log in to that server using ssh, either as my unprivileged user or as anything else. So I do not currently have a CLI allowing me to run any commands I would like in a "normal" way.
I can ping that server and nothing prevents me from connecting to arbitrary ports.
I would still like to have a command line that allows me to run arbitrary commands as I wish on that server.
Theoretically nothing would prevent me from launching any program as my unprivileged user, including one that would open a port, allow some remote user to connect to it and just forward any commands to bash, returning the result. I just don't know any good program to do that.
So, does anyone know? I looked at ways to launch ssh_server as an unprivileged user but some users reported that recent versions of ssh_server do not allow that anymore. Actually I don't even need ssh specifically, any way to get a working CLI would do the trick. Even a crappy node.js program launching an http server would work, as long as I have a CLI (... and it's not excessively crappy, the goal is to have a clean CLI, not something that bugs every two characters).
In case you would ask why I would like to do that, it's not related to anything illegal ^^. I just have to work with a very crappy Jenkins server for which I'm not allowed to have direct access to its agents. Whoever is responsible for that server doesn't give a sh** about its users' needs, so we have to use hacky solutions just to get some diagnostic data about that server (like RAM, CPU and disk usage, installed programs, etc...). Having a CLI that I can launch whenever I need it, instead of altering a build configuration and waiting 20 minutes to get an answer about what's going on, would really help.
Thanks in advance for any answer.
So do you have shell access to the server at least once? E.g., during the single day of the month when you are physically present at the site of your client or the outsourcing contractor?
And if you have shell access then, can you or your sysadmin install Cockpit?
It listens on port 9090.
You can then use the credentials of your local user and open a terminal window in your browser. See sidebar item "Terminal" on the screenshots of the cockpit homepage.
According to the documentation:
Cockpit has no special privileges and doesn’t run as root. It creates a session as the logged in user and has the same permissions as that user.
I have several scripts on my local machine. These scripts run install and configuration commands to setup my Elasticsearch nodes. I have 15 nodes coming and we definitely do not want to do that by hand.
For now, let's call them Script_A, Script_B, Script_C and Script_D.
Script_A will be the one to initiate the process; it currently contains:
#!/bin/bash
read -p "Enter the hostname of the remote machine: " hostname
echo "Now connecting to $hostname!"
ssh root@$hostname
This works fine obviously and I can get into any server I need to. My confusion is running the other scripts remotely. I have read few other articles/SO questions but I'm just not understanding the methodology.
I will have a directory on my machine as follows:
Elasticsearch_Installation
|
|=> Scripts
|
|=> Script_A, Script_B, etc..
Can I run the Script_A, which remotes into the server, then come back to my local and run Script_B and so on within the remote server without moving the files over?
Please let me know if any of this needs to be clarified, I'm fairly new to the Linux environment in general.. much less running remote installs from scripts over the network.
Yes you can. Use ssh in non-interactive mode; it will be like launching a command in your local environment.
ssh root@$hostname /remote/path/to/script
Nothing will be changed in your local system; you will be at the same point where you launched the ssh command.
NB: this command will ask you for a password. If you want a truly non-interactive flow, set up passwordless login on the host, as explained here:
How to ssh to localhost without password?
You have a larger problem than just setting up many nodes: you have to be concerned with ongoing maintenance and administration of all those nodes, too. This is the space in which configuration management systems such as Puppet, Ansible, and others operate. But these have a learning curve to overcome, and they require some infrastructure of their own. You would probably benefit from one of them in the medium-to-long term, but if your new nodes are coming next week(ish) then you probably want a solution that you can use immediately to get up and going.
Certainly you can ssh into the server to run commands there, including non-interactively.
My confusion is running the other scripts remotely.
Of course, if you want to run your own scripts on the remote machine then they have to be present there first. But this is not a major problem, for if you have ssh then you also have scp, the secure copy program. It can copy files to the remote machine, something like this:
#!/bin/bash
read -p "Enter the hostname of the remote machine: " hostname
echo "Now connecting to $hostname!"
scp Script_[ABCD] root@${hostname}:./
ssh root@$hostname ./Script_A
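Both answers above run ssh non-interactively, one by pointing it at a script already on the node and one by scp'ing the scripts first. The following is an added example, not code from either answer: it covers the asker's actual wish of running the local scripts on every node "without moving the files over", by feeding each script to a remote `bash -s` over ssh, and it loops over a hosts file the way a 15-node rollout needs. The `root@` login and the Script_B/C/D names follow the question; the hosts file format is an assumption of this example.

```shell
#!/bin/sh
# run_on_nodes.sh: run local scripts on many hosts over ssh without copying them first.
set -eu

SSH=${SSH:-ssh}   # ssh client to use; overridable so the loop can be exercised with a stub

# Run one local script on one host. "bash -s" makes the remote bash read its program
# from stdin, which ssh connects to the local file, so nothing is copied and nothing is
# left behind on the node. BatchMode=yes makes ssh fail instead of prompting for a
# password or host-key confirmation, which is what an unattended loop needs; it requires
# key-based authentication and a host key that is already in known_hosts.
run_script_on() {
  host=$1; script=$2
  "$SSH" -o BatchMode=yes -o ConnectTimeout=10 "root@$host" 'bash -s' < "$script"
}

# Run every script given, in order, on every host listed in the hosts file (one per
# line; blank lines and # comments are ignored). Because ssh's stdin is the script
# file, it cannot swallow the rest of the hosts list, the classic "ssh inside while
# read" bug. set -e stops at the first failing script so a half-configured node is
# noticed rather than silently skipped.
run_on_nodes() {
  hosts_file=$1; shift
  while IFS= read -r host || [ -n "$host" ]; do
    case $host in ''|'#'*) continue ;; esac
    for script in "$@"; do
      printf '== %s: %s\n' "$host" "$script" >&2
      run_script_on "$host" "$script"
    done
  done < "$hosts_file"
}

# Usage, with one hostname per line in nodes.txt:
#   run_on_nodes nodes.txt Scripts/Script_B Scripts/Script_C Scripts/Script_D
```

One caveat that follows from how `bash -s` works: the remote script's own stdin is the script text itself, so a script that prompts with `read` will consume its own remaining lines. Keep the node scripts non-interactive, which they have to be for an unattended rollout anyway.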
I also manage Elasticsearch clusters with multiple nodes. A hack that works for me is using the Terminator terminal emulator and splitting it into multiple windows/panes, one for each ES node. Then you can broadcast the commands you type in one window to all the windows.
This way, you run commands & view their results almost interactively across all nodes in parallel. You could also save this layout of windows in Terminator, and then you can get this view quickly using a shortcut.
PS, this approach will only work if you have a small number of nodes, and only for small tasks. The only thing that will scale with the number of nodes & the number of times and variety of tasks you need to perform will probably be a config management solution like Puppet or Salt.
Fabric is another interesting project that may be relevant to your use case.
Use case:
I would like to host a console application I built on an EC2 instance on AWS and give very strict limited access to the people who will connect to it:
They must not be able to access the shell or execute any command on the machine
They must not be able to use port forwarding
They must not be able to copy or read anything from that machine, especially not environment variables
They are only allowed to use that console application
My solution:
Create a user:
I replace its shell with the console application so the user can only access that and nothing else
Disable port forwarding
I'm not sure if that would be enough to secure the machine. That's why I'm asking here some advice or confirmation that this will work and will be 100% secure.
As we discussed in the comment section of your question:
If you manage to replace the shell of the user with your console application and guarantee that it's not possible to run bash commands or terminal built-in functions (like export, enable, disable), and make sure that your console application has the right permissions (rwx) to interact only with the files and paths that your application needs to interact with, then you should be fine.
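The answer above covers the account side (the shell and file permissions). The other half is sshd itself: "disable port forwarding" is one of several channels a client can ask for, and the reliable way to close all of them for one account is a Match block with ForceCommand. The following is an added example, not code from the question or the answer; the user name appuser and the path /usr/local/bin/console-app are hypothetical placeholders. It prints the Match block and also checks a given sshd_config for it, so the check can run as part of deployment.

```shell
#!/bin/sh
# restricted-console.sh: pin an ssh account to one program and verify the sshd config.
set -eu

# Print the sshd_config(5) Match block for one user. Append it after the global
# settings (Match blocks must come last). ForceCommand runs the application whatever
# the client requested, including "ssh user@host somecommand", scp and the sftp
# subsystem; the forwarding and tunnel directives close the other channels; PermitUserRC
# stops ~/.ssh/rc from being executed at login. Setting the account's login shell to
# the application as well is fine, but ForceCommand is what enforces it for ssh.
sshd_match_block() {
  user=$1; app=$2
  cat <<EOF
Match User $user
    ForceCommand $app
    AllowTcpForwarding no
    AllowStreamLocalForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitUserRC no
    PermitTTY yes
EOF
}

# Verify that an sshd_config contains every directive above in the Match block for the
# user (keywords and yes/no values are case-insensitive in sshd; like sshd, the first
# value of a keyword wins). Prints each missing directive and returns 1 if any is missing.
check_match_block() {
  conf=$1; user=$2; missing=0
  block=$(awk -v u="$user" '
    /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ {
      inblock = ($2 ~ /^[Uu][Ss][Ee][Rr]$/ && $3 == u && NF == 3); next
    }
    inblock { print }' "$conf")
  for want in "AllowTcpForwarding no" "AllowStreamLocalForwarding no" \
              "AllowAgentForwarding no" "X11Forwarding no" "PermitTunnel no" "PermitUserRC no"; do
    key=${want% *}; val=${want#* }
    got=$(printf '%s\n' "$block" | awk -v k="$key" 'tolower($1) == tolower(k) { print tolower($2); exit }')
    [ "$got" = "$val" ] || { printf 'missing: %s\n' "$want"; missing=1; }
  done
  printf '%s\n' "$block" | awk 'tolower($1) == "forcecommand" { f = 1 } END { exit !f }' \
    || { echo 'missing: ForceCommand'; missing=1; }
  return $missing
}

# Usage on the instance (paths hypothetical):
#   sshd_match_block appuser /usr/local/bin/console-app >> /etc/ssh/sshd_config
#   check_match_block /etc/ssh/sshd_config appuser && systemctl reload sshd
```

On the real host, the authoritative check is sshd's own view of the effective configuration for that user, `sshd -T -C user=appuser`, which resolves the Match block the way sshd will. Two things this config cannot do for you, and which the answer's permission advice is about: the console application itself must have no shell escape (no `!command`, no "open in editor"), and it runs with the account's environment, so nothing secret may live in that environment or in files the account can read.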
I want to run a few scripts (JMeter scripts) on a few AWS Ubuntu machines and Windows 7 machines. Usually I use WinSCP (to transfer files) and PuTTY (to run commands) for Linux, and Remote Desktop Connection for Windows machines, to do the work manually.
Now I want to automate these processes and would like to know how to achieve that. My intention is to write code to:
connect to these machines,
copy the scripts,
run the scripts,
fetch the log files and
close the machine
I also want to schedule them. What is the best way of doing this? I would also prefer that the code I write can be hosted somewhere (so that a REST API can be exposed) or called as a direct library (API) from my Java server.
I know that chef scripts can be written, but want to know any other alternatives. https://www.chef.io/chef/
Thanks a ton in Advance.
I usually use PuTTY to execute commands on a Linux machine. But I wish to make a webpage from where I can execute specific commands on a Linux machine by simple button clicks.
What are the various options available and what is the one that is easy to implement?
This depends on the kind of server you are running. But almost all servers have some kind of CGI support or an equivalent. Keep in mind that this can often cause a security issue.
I don't think you can or should try to embed script code in your page.
The best suggestion may be to hyperlink a script file and let the user get it from your server.
Just put that file on the server and then hyperlink it.
securewebcmd can do this for you
can use http or https
password protected
password not transmitted in clear, even using http (hashes the commandline with the password, and server does the same thing, using its copy of the password, and only runs the command, if the hashes match)
can queue commands, which run sequentially
can view results of any of the commands you've run earlier, even if you restart the server
uses Node.js: no dependency on any heavyweight server, i.e. no need for Apache, JBoss, etc.