{section:border=false}
{column:width=20%}

{include:TOC for Tech Tips}
{column}
{column:width=55%}

by [Joseph Kwan|http://wikis.sun.com/display/~rabbit6]

h2. Overview

Direct root login via *ssh* should be avoided. Instead, administrative (aka root) work should be done by su'ing to root or by using *sudo*. Apple's Mac OS X doesn't even have the root account enabled; everything must be done using sudo. My systems are managed from one master host on which I make all my updates, relying on various scripts to update all the other systems running the same OS and configuration. That required root ssh permission from the master machine to the client machines.

The following technique allows remote updates via *rdist* and *rsync* over ssh from a master machine by using *sudo* on the client machines from a non-privileged account. That account is authorized to execute only two sudo commands; no other privileged authorization is permitted. The master machine has an ssh key generated for root, and the public key is stored in the non-privileged account on each remote for authorized ssh access (ssh access without a password). This gives root on the master machine ssh access to each remote through the non-privileged account. sudo is then configured to allow the non-privileged account to execute the rdist/rsync commands as root. This is required because the master machine sends updates that need root permission, such as file creation and deletion. Only the master machine's root account has access to the remote (non-privileged) account, and only the one or two sudo authorizations are allowed.


h2. Setup
Set up the non-privileged account. In my configuration I use *remupd*. Note: I configure the account to use bash as the shell. There's a small shell function that needs to be set up for rdist. If a different shell is used, that will need to be modified.

1. */etc/passwd* entry
{noformat}
remupd:x:4761:60001:Remote Update Admin:/var/sys/remupd:/usr/bin/bash
{noformat}
2. */etc/shadow* entry
{noformat}
remupd:NP:::::::
{noformat}
Note: this shouldn't be "\*LK\*" which specifies a locked account as ssh might not allow access if an account is locked. I saw the following log message in syslog:
{noformat}
Nov 8 12:45:07 underscore sshd[1491]: [ID 800047 auth.info] User remupd not allowed because account is locked
{noformat}
3. *sudoers*
I define the following to authorize remupd to execute a couple of commands as root.
{noformat}
# Cmnd alias specification
Cmnd_Alias RSYNCDIST=/usr/local/bin/rsync, /usr/local/sbin/rdistd
...
remupd ALL=NOPASSWD:RSYNCDIST
{noformat}
The NOPASSWD flag lets remupd run these commands through sudo without being prompted for a password.

4. *.bashrc* in home directory (_/var/sys/remupd_ in my configuration)
{noformat}
rdistd() (
/usr/local/bin/sudo /usr/local/bin/rdistd -S
)
{noformat}
This just sets up a shell function for rdistd for inbound rdist. If rdist isn't being used this can be removed.

5. *.ssh/authorized_keys2*
On the server root account, generate an ssh key and copy the public portion to each remote in the authorized_keys2 file (see authorized ssh access for more details).
{noformat}
ssh-keygen -d -N ""
{noformat}
Then copy *.ssh/id_dsa.pub* to the *~remupd/.ssh/authorized_keys2* file on each remote.

h3. Testing
As root on the master machine:
{noformat}
ssh -l remupd remote_host who
{noformat}
If set up correctly, this command should run without prompting for a password. This is the authorized ssh access test.

h3. rsync

The following command will run rsync manually and not update any files. It'll print out a list of files that need to be updated between the master and remote.
{noformat}
rsync -avHDn --delete --rsh="ssh -l remupd -x -c blowfish" \
--rsync-path="/usr/local/bin/sudo /usr/local/bin/rsync" \
/usr/ dixieland:/usr
{noformat}
This command runs an rsync check but doesn't actually update anything. Adjust the paths for sudo and rsync as necessary. The ssh connection is made as a non-root user, so it doesn't require the *PermitRootLogin* setting in sshd to be enabled. The server root's ssh key is configured for authorized access to the non-root remupd account. The *sudo rsync* in the remupd account starts the remote rsync as root, so both ends of the link run as root for proper operation.

h3. rdist
To test rdist, create a small script and, in the update portion, specify *remupd@remote*, which tells rdist to use the user name remupd on the remote for running rdistd (the client portion of rdist).

*rdist -v -P rdsh -f r-s10-root*

_script fragment_
{noformat}
${UPDATE_LIST} -> ( remupd@${HOSTS} )
install -oremove,chknfs ;
except ${EXCEPTS} ;
{noformat}
This works with the non-root account remupd on the remote calling *sudo rdistd* (through the .bashrc function above) to start rdistd as root, so the files it receives from the rdist server can be updated appropriately. The communication between the server and remote therefore doesn't require root ssh to the remote, but the end points of the link are executed as root via sudo.

The standard rdist wrapper script I use is as follows.

*rdsh wrapper script*
{noformat}
#!/bin/sh
# rdist shell wrapper
# basically calls ssh with additional ssh options
#
if [ -x /usr/local/bin/ssh ]; then
    # "$@" passes rdist's arguments through without re-splitting them
    exec /usr/local/bin/ssh -x -q -o "BatchMode yes" -c blowfish "$@" 2>/dev/null
else
    echo "can't execute /usr/local/bin/ssh" >&2
    exit 1
fi
{noformat}
h2. Logging

In syslog (usually the auth facility), log messages like the following should be logged when these commands are executed:
{noformat}
Nov 14 00:03:07 sabrina sshd[6595]: Accepted publickey for remupd from 169.232.144.42 port 59746 ssh2
Nov 14 00:03:07 sabrina /usr/local/bin/sudo: remupd : TTY=unknown ; PWD=/var/sys/remupd ;
USER=root ; COMMAND=/usr/local/bin/rdistd -S
{noformat}
For rsync, the log messages look like:
{noformat}
Nov 14 00:05:45 sabrina sshd[6599]: Accepted publickey for remupd from 169.232.144.42 port 3407 ssh2
Nov 14 00:05:45 sabrina /usr/local/bin/sudo: remupd : TTY=unknown ; PWD=/var/sys/remupd;
USER=root ; COMMAND=/usr/local/bin/rsync --server -vlHogDtpr --delete . /usr
{noformat}
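
An added example (not part of the original tip): a small shell audit that compares auth-log entries for remupd against the baseline shown above and reports anything else. The master address and the two allowed commands are taken from the sample logs; the other sample lines are constructed, and the sudo entries are written as the single lines syslog produces.

```shell
#!/bin/sh
# Added example: flag remupd activity that deviates from the logged baseline.
MASTER_IP="169.232.144.42"   # master address as it appears in the sample logs

audit_remupd() {
    # Reads syslog lines on stdin; prints one ALERT line per deviation.
    awk -v master="$MASTER_IP" '
    /sshd\[/ && /Accepted / && / for remupd from / {
        for (i = 1; i < NF; i++) {
            if ($i == "Accepted") method = $(i + 1)
            if ($i == "from")     src    = $(i + 1)
        }
        # The account has no password (NP), so only key logins are expected
        if (method != "publickey") print "ALERT login-method " method
        if (src != master)         print "ALERT login-source " src
        next
    }
    /sudo: +remupd :/ {
        cmd = $0; sub(/^.*COMMAND=/, "", cmd)
        if ($0 ~ /command not allowed/) { print "ALERT sudo-denied " cmd; next }
        # Baseline: rdistd -S, or rsync started in server mode by the master
        if (cmd == "/usr/local/bin/rdistd -S") next
        if (cmd ~ /^\/usr\/local\/bin\/rsync --server /) next
        print "ALERT sudo-unexpected " cmd
    }'
}

sample_log() {
    # First three lines follow the logs above; the last three are constructed.
    cat <<'EOF'
Nov 14 00:03:07 sabrina sshd[6595]: Accepted publickey for remupd from 169.232.144.42 port 59746 ssh2
Nov 14 00:03:07 sabrina /usr/local/bin/sudo: remupd : TTY=unknown ; PWD=/var/sys/remupd ; USER=root ; COMMAND=/usr/local/bin/rdistd -S
Nov 14 00:05:45 sabrina /usr/local/bin/sudo: remupd : TTY=unknown ; PWD=/var/sys/remupd ; USER=root ; COMMAND=/usr/local/bin/rsync --server -vlHogDtpr --delete . /usr
Nov 14 02:11:09 sabrina sshd[7001]: Accepted publickey for remupd from 192.0.2.10 port 40112 ssh2
Nov 14 02:11:30 sabrina /usr/local/bin/sudo: remupd : command not allowed ; TTY=pts/3 ; PWD=/var/sys/remupd ; USER=root ; COMMAND=/usr/bin/id
Nov 14 02:12:02 sabrina /usr/local/bin/sudo: remupd : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/usr/local/bin/rsync --version
EOF
}

sample_log | audit_remupd
```

To use it on a client, pipe the file your auth facility writes to into audit_remupd instead of sample_log.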
h2. Summary
Using rsync/rdist over ssh from a master machine to update files (such as /usr, /opt) is one way to manage a large number of machines centrally. However, this may require remote root access, and for more secure configurations the *PermitRootLogin* sshd setting should be disabled to prevent root logins via ssh. Coupling authorized ssh access with sudo on the remote end allows you to set up a communication link between a master and remote machine so that rsync/rdist will work properly.

{column}

{section}


Copyright 1994-2009 Sun Microsystems, Inc.