Unable to ssh to a remote machine through shell script while accessing it from UI - perl

I have a Linux machine where I have created a cgi script (JarPatch.cgi), the code of which looks like this:
#!/usr/bin/perl
use warnings;
print "Content-type: text/html\n\n";
system ("sh JarPatch.sh");
The code of JarPatch.sh looks like this:
#!/bin/bash
echo "Inside jar patching tool";
PJS_DEV=app4915@slcai833.us.oracle.com;
ssh -f $PJS_DEV "cd /slot/ems4915/appmgr/tmp; echo stopping server ; ./find_stop_servers.sh;"
echo "Exit jar patching tool";
This script will basically shut down a server running on the remote machine.
Problem statement is this:
When I execute this cgi script through the Linux terminal, I can see that the ssh commands are getting executed. The server is shut down.
When I access the cgi script through a Windows machine in a browser, the shell script is invoked but ssh seems not to be working.
Can anyone give me a pointer to resolve this issue please?
I am new to perl/shell integration. So might be missing something small as well.
Thanks

When you ssh from the Windows machine, all connections are made as webuser, which is not authorized to ssh into the remote machine. On the other hand, when you ssh from the Linux terminal, you ssh as a user that is authorized to do so. This is because the Linux user has its ssh key on the remote server.
You can also try to look into ProxyCommand, which might come to the rescue, but I have no idea how it will work with Windows.
Another approach is to create ssh keys for webuser and put them on the remote server, which will be a security risk.

When you run it as yourself ssh is offering your keys to authenticate you. When you run it through the webserver, the webserver user is trying to run the ssh command, and does not have your ssh keys to offer, so is probably being prompted for a password, and not successfully logging in.
You could fix this by generating ssh keys for the webserver user and sharing that key with the target system as well, which has some security implications to say the least.
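A preflight check for the situation both answers describe, as an added example that is not part of the original thread: it reports which account ssh runs as and whether that account has a usable private key and a stored host key. The function name ssh_preflight and the three key file names it checks (OpenSSH defaults) are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). ssh looks for keys in the home
# directory of the account that runs it, so run this from the same context
# as the failing call, e.g. from JarPatch.sh when invoked by the web server.

# ssh_preflight HOME_DIR: print findings; return 0 only if a non-interactive,
# key-based login is plausible for the account owning HOME_DIR.
ssh_preflight() {
    sshdir=$1/.ssh
    if [ ! -d "$sshdir" ]; then
        echo "FAIL no $sshdir: no key to offer, ssh falls back to a password prompt"
        return 1
    fi
    rc=1
    for name in id_ed25519 id_ecdsa id_rsa; do
        key=$sshdir/$name
        [ -f "$key" ] || continue
        # ssh refuses a private key that group or others can access.
        case $(ls -ld "$key") in
            -???------*) echo "OK   $key"; rc=0 ;;
            *)           echo "FAIL $key is accessible to group/others, ssh will ignore it" ;;
        esac
    done
    [ "$rc" -eq 0 ] || echo "FAIL no usable private key in $sshdir"
    # Without a stored host key the first connection asks a yes/no question,
    # which nobody can answer under a web server.
    if [ ! -s "$sshdir/known_hosts" ]; then
        echo "FAIL $sshdir/known_hosts missing or empty: host key cannot be verified"
        rc=1
    fi
    return "$rc"
}

# Report for the current account. ssh takes the home directory from the
# passwd database rather than from $HOME.
me=$(id -un 2>/dev/null || echo unknown)
home=$(getent passwd "$me" 2>/dev/null | cut -d: -f6)
echo "running as: $me"
ssh_preflight "${home:-$HOME}" || echo "=> expect ssh to fail from this context"
```

Call it from JarPatch.sh while requesting the page through the browser. Adding -o BatchMode=yes to the ssh call makes it fail immediately instead of waiting for a password.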

Related

Can't connect to my server with restricted RSYNC (RRSYNC)

Let me explain my problem:
I used backuppc to remotely back up some databases on another server, and to save my data I used rsync, which uses ssh. On my remote server I put the ssh key of backuppc and it worked.
But I wanted to secure this connection, so I used rrsync (a perl script to restrict access), for "read-only" access with copy.
So now, in the remote server I have in root/ssh/authorized_keys
command="/usr/local/bin/rrsync -ro /" ssh-rsa
But when I try to connect I have this message:
/usr/local/bin/rrsync: Not invoked via sshd
It's a message from the perl script, but I don't know what it means or what I can do to make this work.
As far as I can tell, this message appears when you try to access the server with the restricted key without using rsync. It may be possible to edit the script to allow other programs, but I'm not skilled enough to attempt that.
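What a forced command sees, as an added example that is neither rrsync's code nor part of the original thread: sshd runs the command="..." program from authorized_keys and passes the command the client asked for in SSH_ORIGINAL_COMMAND, which is unset for a plain login. The function gate_decision, its messages and the sample commands are constructed for illustration, and mapping "Not invoked via sshd" to the unset variable is an assumption about rrsync.

```shell
#!/bin/sh
# Added example: simplified model of a read-only forced-command gate.
# It only decides; it does not validate rsync options or confine paths.

# Print a verdict and return 0 (allow) or 1 (deny).
gate_decision() {
    # Plain "ssh host" or running the script by hand: sshd recorded no
    # client command, so the variable is unset.
    if [ -z "${SSH_ORIGINAL_COMMAND+set}" ]; then
        echo "deny: not invoked via sshd (no client command)"
        return 1
    fi
    case $SSH_ORIGINAL_COMMAND in
        "rsync --server --sender "*)
            echo "allow: rsync pull (client reads from server)"; return 0 ;;
        "rsync --server "*)
            echo "deny: rsync push refused in read-only mode"; return 1 ;;
        *)
            echo "deny: not an rsync server command"; return 1 ;;
    esac
}

# Constructed samples of what sshd would place in SSH_ORIGINAL_COMMAND.
for sample in \
    "rsync --server --sender -vlogDtpre.iLsfxC . /var/backups/db/" \
    "rsync --server -vlogDtpre.iLsfxC . /etc/" \
    "uptime"
do
    SSH_ORIGINAL_COMMAND=$sample
    printf '%-42.42s -> ' "$sample"
    gate_decision || true
done

# Interactive login with the restricted key: the variable is not set at all.
unset SSH_ORIGINAL_COMMAND
printf '%-42s -> ' "(login without a command)"
gate_decision || true
```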

What is Pseudo TTY-Allocation? (SSH and Github)

I was trying to setup an SSH connection with Github following this tutorial:
Testing your SSH connection
I came across the following command:
$ ssh -T git@github.com
# Attempts to ssh to github
Curious, I looked at the ssh manual. It said the following:
-T Disable pseudo-tty allocation.
What is tty allocation? What does tty stand for? Why are we disabling it? I earnestly tried to look it up but I was unable to find even a definition.
As explained in "gitolite: PTY allocation request failed on channel 0", it is important to do ssh test connection with -T, because some server could abort the transaction entirely if a text-terminal (tty) is requested.
-T avoids requesting said terminal, since GitHub has no intention of giving you an interactive secure shell, where you could type command.
GitHub only wants to reply to your ssh request, in order to ascertain that the ssh command does work (you have the right public/private keys, and the public one has been registered to your GitHub account)
PuTTY would be an example of a terminal emulator, serial console and network file transfer application. It supports several network protocols, including SCP, SSH, Telnet and rlogin.
The name "PuTTY" has no definitive meaning, though "tty" is the name for a terminal in the Unix tradition, usually held to be short for Teletype.
Other use-cases for -T (beside testing)
Transferring binary files
Execute commands on a remote server
SSH tunneling: ssh -fnT -L port:server:port user@server (-f for background: you don't want to execute command, don't need a TTY and just want to establish a tunnel)

Unable to continue perform perl script after ssh to another unix domain

Encounter a question here whereby need help from you guys
I am writing a perl script that will be executed on a UNIX machine. In that script, I will perform an 'ssh' operation to port over to another Unix domain (from A ssh to B). The problem now is that after I port over to domain B, I still need to perform some operations from the perl script (for example: echo Hello World!). The issue here is that after porting over to the new Unix domain, the part of the script following 'ssh' could not be performed, as the script is still on the "old domain". Is there any way to solve this issue, or any better way to achieve the same objective?
You can use the Expect module to open an SSH connection and execute commands over it via Perl.
If you need help beyond that, you'll have to explain more specifically what you are trying to do. It is possible that you have the wrong design for solving your task.
Try doing it like this:
ssh <servername> "echo 'hello world'";
Also check ssh with the -t option. To check whether this echo command is running on the server or the localhost, try some other command like ls.
Note: the ssh connection will be closed when the script terminates.

How can I automate deployment through multiple ssh firewalls (using PW auth)?

I'm stuck in a bit of annoying situation.
There's a chain of machines between my desktop and the production servers. Something like this:
desktop -> firewall 1 -> firewall 2 -> prod_box 1
                                    -> prod_box 2
                                    -> ...
I'm looking for a way to automate deployment to the prod boxes via ssh.
I'm aware there are a number of solutions in general, but my restrictions are:
No changes permitted to firewall 2
No config changes permitted to prod boxes (only content)
firewall 1 has a local user account for me
firewall 2 and prod are accessed as root
port 22 is the only open port between each link
So, in general the command sequence I do to deploy is:
scp archive.tar user@firewall1:archive.tar
ssh user@firewall1
scp archive.tar root@firewall2:/tmp/archive.tar
ssh root@firewall2
scp /tmp/archive.tar root@prod1:/tmp/archive.tar
ssh root@prod1
cd /var/www/
tar xvf /tmp/archive.tar
It's a bit more complex than that in reality, but that's a basic summary of the tasks to do.
I've put my ssh key in firewall1:/home/user/.ssh/authorized_keys, so that's no problem.
However, I can't do this for firewall2 or prod boxes.
It'd be great if I could run this (commands above) from a shell script locally, type my password in 4 times and be done with it. Sadly I cannot figure out how to do that.
I need some way to chain ssh commands. I've spent all afternoon trying to use python to do this and eventually given up because the ssh libraries don't seem to support password-entry-style login.
What can I do here?
There must be some kind of library I can use to:
login via ssh using either a key file OR a dynamically entered password
run remote shell commands through the chain of ssh tunnels
I'm not really sure what to tag this question, so I've just left it as ssh, deployment for now.
NB. It'd be great to use ssh tunnels and a deployment tool to push these changes out, but I'd still have to manually log in to each box to set up the tunnel, and that won't work anyway, because of the port blocking.
I am working on Net::OpenSSH::Gateway, an extension for my other Perl module Net::OpenSSH that does just that.
For instance:
use Net::OpenSSH;
use Net::OpenSSH::Gateway;

# Build a gateway that tunnels through both firewalls in order.
my $gateway = Net::OpenSSH::Gateway->find_gateway(
    proxies => ['ssh://user@firewall1',
                'ssh://password:root@firewall2'],
    backend => 'perl');

# Connect to each production host through the gateway and copy the file.
for my $host (@prod_hosts) {
    my $ssh = Net::OpenSSH->new($host, gateway => $gateway);
    if ($ssh->error) {
        warn "unable to connect to $host\n";
        next;
    }
    $ssh->scp_put($file_path, $destination)
        or warn "scp for $host failed\n";
}
It requires Perl available in both firewalls, but no write permissions or installing any additional software there.
Unfortunately this isn't possible to do as one shell script. I did try, but ssh's password negotiation requires an interactive terminal, which you don't get with chained ssh commands. You could do it with passwordless keys, but since that's highly insecure and you can't do it anyway, never mind.
The basic idea is that each server sends a bash script to the next one, which is then activated and sends the next one (and so on) until it reaches the last one, which does the distribution.
However, since this requires an interactive terminal at each stage, you're going to need to follow the payload down the chain manually executing each script as you go, somewhat as you do now but with less typing.
Obviously, you will need to customise them a bit, but try these scripts:
script1.sh
#!/bin/bash
user=doug
firewall1=firewall_1
#Minimise password entries across the board.
tar cf payload1.tar script3.sh archive.tar
tar cf payload2.tar script2.sh payload1.tar
scp payload2.tar ${user}@${firewall1}:payload2.tar
ssh ${user}@${firewall1} "tar xf payload2.tar;chmod +x script2.sh"
echo "Now connect to ${firewall1} and run ./script2.sh"
script2.sh
#!/bin/bash
user=root
firewall2=firewall_2
# Minimise password entries
scp payload1.tar ${user}@${firewall2}:/tmp/payload1.tar
ssh ${user}@${firewall2} "cd /tmp;tar xf payload1.tar;chmod +x script3.sh"
echo "Now connect to ${firewall2} and run /tmp/script3.sh"
script3.sh
#!/bin/bash
user=root
hosts="prod1 prod2 prod3 prod4"
for host in $hosts
do
    echo scp archive.tar ${user}@${host}:/tmp/archive.tar
    echo ssh ${user}@${host} "cd /var/www; tar xvf /tmp/archive.tar"
done
It does require 3 password entries per firewall which is a bit annoying, but such is life.
This do you any good?

Problems using teamcity command line to perform ssh remote login

I was wondering if anyone has tried using teamcity's command line builder to perform ssh remote login.
Right now, I would like to automate some testing on a QNX neutrino OS which is currently unsupported by teamcity. As a workaround, I set up an ssh server on the target qnx machine so I could ssh and sftp the executables in.
Firstly, the source are compiled on Windows XP using qnx's compiler (based on g++). Followed by sftp-ing the executables into qnx neutrino.
Next, using ssh, script the login to remotely start the test apps and send the results back to the remote agent for publishing.
The batch script I created works well standalone, however, after hooking it up on the remote agent, it fails to login ssh and hangs indefinitely at the following command:
ssh -l "./.sh"
Notes:
I have added the remote agent's RSA public key in the QNX .ssh/authorized keys file, automatic login is working.
Is there a need to add the teamcity server's RSA public key in too?
Anyone has any idea on this problem?
I had a few weird problems with key-based SSH logins on QNX related to file permissions for the keys in .ssh and permissions of parent folders (/home/username and /root).
Add
LogLevel DEBUG3
to /etc/openssh/sshd_config, make sure syslog is configured and is logging sshd output, restart sshd and try again - it will most likely complain about something.
Also, ssh -l "./.sh" makes no sense - -l is used to specify the user name, something is off there.