by Joseph Kwan

Overview

Direct root login via ssh should be avoided. Instead, administrative (aka root) work should be done by su'ing to root or using sudo. Apple's Mac OS X doesn't even have the root account enabled - everything must be done using sudo.

My systems are managed by having one master host on which I make all my updates, and relying on various scripts to update all the other systems running the same OS and configuration. That required root ssh permission from the master machine to the client machines. The following technique allows remote updates via rdist and rsync over ssh from a master machine by using sudo on the client machines from a non-privileged account. That specific account is only authorized to execute two sudo commands. No other privileged authorization is permitted.

The master machine has an ssh key generated for root, and this key is stored in each remote's non-privileged account for authorized ssh access (ssh access without a password). This gives the master machine's root account ssh access to each remote through the non-privileged account. sudo is then configured to allow the non-privileged account to execute the rdist/rsync commands as root. This is required since the master machine will send file updates requiring permission changes, and file creation/deletion updates, which must be done as root. Only the master machine's root account has access to the remote (non-privileged) account, and only the one or two sudo authorizations are allowed.

Setup

Set up the non-privileged account. In my configuration I use remupd. Note: I configure the account to use bash as the shell. There's a small shell function that needs to be set up for rdist. If a different shell is used, that will need to be modified.

1. /etc/passwd entry

    remupd:x:4761:60001:Remote Update Admin:/var/sys/remupd:/usr/bin/bash

2. /etc/shadow entry

    remupd:NP:::::::

Note: this shouldn't be "*LK*", which specifies a locked account, as ssh might not allow access if an account is locked. I saw the following log message in syslog:

    Nov 8 12:45:07 underscore sshd[1491]: [ID 800047 auth.info] User remupd not allowed because account is locked

3. sudoers

    # Cmnd alias specification
    # (the path must match the binary actually invoked; the .bashrc function and
    # the sudo log entries below both use /usr/local/bin/rdistd)
    Cmnd_Alias RSYNCDIST=/usr/local/bin/rsync, /usr/local/bin/rdistd
    ...
    remupd ALL=NOPASSWD:RSYNCDIST

The NOPASSWD flag allows remupd to execute these sudo commands without authentication.

4. .bashrc in the home directory (/var/sys/remupd in my configuration)

    rdistd() ( /usr/local/bin/sudo /usr/local/bin/rdistd -S )

This just sets up a shell function for rdistd for inbound rdist. If rdist isn't being used, this can be removed.

5. .ssh/authorized_keys2

On the master, as root:

    ssh-keygen -d -N ""

then copy .ssh/id_dsa.pub to the remote's ~remupd/.ssh/authorized_keys2 file.

Testing

As root on the master machine:

    ssh -l remupd remote_host who

If set up correctly, this command should run without prompting for a password. This is the authorized ssh access test.

rsync

The following command will run rsync manually and not update any files. It'll print out a list of files that need to be updated between the master and remote.

    rsync -avHDn --delete --rsh="ssh -l remupd -x -c blowfish" \
        --rsync-path="/usr/local/bin/sudo /usr/local/bin/rsync" \
        /usr/ dixieland:/usr
This command runs an rsync check but doesn't actually update anything. Adjust the paths for sudo and rsync as necessary. This allows the ssh connection to be non-root, which means it doesn't require the PermitRootLogin setting in sshd to be enabled. The master machine's root ssh key is configured for authorized access to the non-root remupd account. The sudo rsync on the remupd account starts the remote rsync as root, so both ends of the rsync link run as root for proper operation.

rdist

To test rdist, create a small script, and in the update portion specify remupd@remote, which tells rdist to use the user name remupd on the remote for running rdistd (the client portion of rdist).

    rdist -v -P rdsh -f r-s10-root

script fragment:

    ${UPDATE_LIST} -> ( remupd@${HOSTS} )
        install -oremove,chknfs ;
        except ${EXCEPTS} ;
This works with the non-root account remupd on the remote calling sudo rdistd (via the .bashrc function above) to start rdistd as root, so the files it receives from the rdist server can be updated appropriately. So the communication between the server and remote doesn't require root ssh to the remote, but the end points of the link between them are executed as root via sudo.

The standard rdist wrapper script I use is as follows.

rdsh wrapper script

    #!/bin/sh
    # rdist shell wrapper
    # basically calls ssh with additional ssh options
    # ("$@" rather than $* so the arguments rdist passes are forwarded unchanged)
    #
    if [ -x /usr/local/bin/ssh ]; then
        exec /usr/local/bin/ssh -x -q -o "BatchMode yes" -c blowfish "$@" 2>/dev/null
    else
        echo "can't execute /usr/local/bin/ssh" >&2
        exit 1
    fi
Logging

In syslog (usually the auth facility), the following example log messages should be logged when these commands are executed:

    Nov 14 00:03:07 sabrina sshd[6595]: Accepted publickey for remupd from 169.232.144.42 port 59746 ssh2
    Nov 14 00:03:07 sabrina /usr/local/bin/sudo: remupd : TTY=unknown ; PWD=/var/sys/remupd ; USER=root ; COMMAND=/usr/local/bin/rdistd -S

For rsync, the log messages look like:

    Nov 14 00:05:45 sabrina sshd[6599]: Accepted publickey for remupd from 169.232.144.42 port 3407 ssh2
    Nov 14 00:05:45 sabrina /usr/local/bin/sudo: remupd : TTY=unknown ; PWD=/var/sys/remupd ; USER=root ; COMMAND=/usr/local/bin/rsync --server -vlHogDtpr --delete . /usr
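As an added defender-side check (not part of the original article), the following script audits auth-facility log lines of the form shown above against the sudoers restriction from the Setup section: any sudo by remupd outside the two RSYNCDIST commands, and any key login for remupd from a host other than the master, is reported. The sample log lines, the non-master address 10.0.0.99 and the interactive /bin/sh entry are constructed; the master address 169.232.144.42 is taken from the article's own log excerpt.

```shell
#!/bin/sh
# Added audit example (not from the article): checks the auth-facility syslog
# for the two properties the sudoers/ssh setup is supposed to guarantee:
#   - remupd only ever sudo's to "rdistd -S" or "rsync --server" (RSYNCDIST)
#   - remupd's key logins only come from the master machine
# Assumes one syslog event per line (the article's wrapped sudo lines are
# shown joined here) and the sudo/sshd message formats quoted in the article.

MASTER_IP="169.232.144.42"   # master's address, from the article's log excerpt

# Constructed sample: the article's four legitimate events, plus two anomalies
# (a key login from a non-master host, and an interactive sudo to a shell).
SAMPLE_LOG='Nov 14 00:03:07 sabrina sshd[6595]: Accepted publickey for remupd from 169.232.144.42 port 59746 ssh2
Nov 14 00:03:07 sabrina /usr/local/bin/sudo: remupd : TTY=unknown ; PWD=/var/sys/remupd ; USER=root ; COMMAND=/usr/local/bin/rdistd -S
Nov 14 00:05:45 sabrina sshd[6599]: Accepted publickey for remupd from 169.232.144.42 port 3407 ssh2
Nov 14 00:05:45 sabrina /usr/local/bin/sudo: remupd : TTY=unknown ; PWD=/var/sys/remupd ; USER=root ; COMMAND=/usr/local/bin/rsync --server -vlHogDtpr --delete . /usr
Nov 14 01:12:09 sabrina sshd[6701]: Accepted publickey for remupd from 10.0.0.99 port 41022 ssh2
Nov 14 01:12:10 sabrina /usr/local/bin/sudo: remupd : TTY=pts/3 ; PWD=/var/sys/remupd ; USER=root ; COMMAND=/bin/sh'

# audit_remupd MASTER: read syslog lines on stdin, print one line per anomaly,
# exit 1 if any anomaly was found and 0 otherwise.
audit_remupd() {
    awk -v master="$1" '
        # sshd key-auth acceptance: field 11 is the source address
        /sshd\[[0-9]+\]: Accepted publickey for remupd from / {
            if ($11 != master) { print "FOREIGN-SOURCE: " $0; bad++ }
            next
        }
        # sudo record for remupd: everything after COMMAND= is the argv
        /sudo: remupd : / {
            cmd = $0; sub(/.*COMMAND=/, "", cmd)
            split(cmd, argv, " ")
            ok = (argv[1] == "/usr/local/bin/rdistd" && argv[2] == "-S") ||
                 (argv[1] == "/usr/local/bin/rsync"  && argv[2] == "--server")
            if (!ok) { print "UNEXPECTED-COMMAND: " cmd; bad++ }
            else if ($0 !~ /TTY=unknown/) { print "INTERACTIVE-TTY: " $0; bad++ }
        }
        END { if (bad > 0) exit 1 }
    '
}

# audit_sample: run the audit over the constructed sample above.
audit_sample() {
    printf '%s\n' "$SAMPLE_LOG" | audit_remupd "$MASTER_IP"
}

if audit_sample; then echo "no anomalies"; else echo "anomalies found"; fi
```

On a real host, replace the sample with the auth log, e.g. `audit_remupd 169.232.144.42 < /var/log/authlog`.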
Summary

Using rsync/rdist over ssh from a master machine to update files (such as /usr, /opt) is one way to manage a large number of machines centrally. However, this may require remote root access, and for more secure configurations the PermitRootLogin sshd option should be disabled to prevent root logins via ssh. Coupling authorized ssh access with sudo on the remote end lets you set up a communication link between a master and remote machine so that rsync/rdist will work properly.