Shpak/ssh

From Nano Group Budapest

SSH is the standard way of securely accessing a remote shell. Its implementation is based on public key authentication, which we a priori believe to be secure enough. The whole story, however, includes file access as well, which means mounting remote machines via SSH with Fuse. Shpak integrates these ssh-related tasks by providing a unified interface for the ssh, scp and sshfs commands. The key and configuration infrastructure is completely separated from the user's default ssh configuration found in $HOME/.ssh.

SSH Client

Configure

Each remote account is stored in a key-value file called a MID-file in shpak/mid/ssh/. The name of the file is the identifier for the account. All the information necessary for the ssh-related commands is stored in this file. Create MID-files from this template:

 # cluster identifier for the cls module
 sp_g_cluster="default"
 
 # fqdn of the remote machine
 sp_g_ssh_fqdn="f.q.d.n"
 
 # MID
 sp_g_ssh_mid="template"
 
 # remote username
 sp_g_ssh_user="${USER}"
 
 # common ssh port
 sp_g_ssh_port=22
 
 # common ssh options
 sp_g_ssh_copts="-o TCPKeepAlive=no -o ServerAliveInterval=30"
 
 # ssh login options
 sp_g_ssh_opts="-XC ${sp_g_ssh_copts} -p ${sp_g_ssh_port}"
 
 # scp options
 sp_g_scp_opts="-r -C -P ${sp_g_ssh_port}"
 
 # remote environment for ssh commands
 sp_g_ssh_env=".bashrc"
 
 # remote destination directory for sshpush
 sp_p_scp_remote="/home/${sp_g_ssh_user}/xfer"
 
 # local destination for sshpull
 sp_p_scp_local="${HOME}/xfer/${sp_g_ssh_mid}"
 
 # ssh login proxy tunnel options
 sp_g_ssh_proxy="-L63128:localhost:3128"
 
 # remote directory mounted by sshmnt
 sp_p_sshfs_remote="/"
 
 # local directory for the remote mount
 sp_p_sshfs_local="${sp_p_sshfs}/${sp_g_ssh_mid}"
 
 # sshmount options
 sp_g_sshfs_opts="-C ${sp_g_ssh_copts} -o rw -o follow_symlinks -o Port=${sp_g_ssh_port}"

Generate login key

It is more secure to use keys than passwords. A private/public keypair can be generated for a MID with the following command:

 sshkey -m MID

Keys are stored in the shpak/key/ssh/ directory. Public keys end with .pub; they should be securely copied or brought to the remote host and added to the $HOME/.ssh/authorized_keys file. You can change the password of the key with:

 sshkey -p -m MID
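
One way to carry out the "added to $HOME/.ssh/authorized_keys" step on the remote host once the .pub file has arrived there. This is an added example, not part of Shpak; the function name install_pubkey and its arguments are hypothetical.

```shell
# Added example (not Shpak code). Run on the remote host.
# Usage: install_pubkey PUBKEY_FILE [HOME_DIR]   (HOME_DIR defaults to $HOME)
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    auth="$home/.ssh/authorized_keys"

    [ -f "$pub" ] || { echo "no such file: $pub" >&2; return 1; }

    # Refuse a private key that was copied over by mistake.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub contains private key material" >&2
        return 1
    fi

    # A public key file is exactly one line: "<type> <base64> [comment]".
    [ "$(grep -c . "$pub")" -eq 1 ] || { echo "expected one key line" >&2; return 1; }
    line=$(grep . "$pub")
    case $line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *|ssh-dss\ *) ;;
        *) echo "unrecognised key type in $pub" >&2; return 1 ;;
    esac

    # sshd with StrictModes (the default) refuses authorized_keys when the
    # file or ~/.ssh is writable by group or others, so keep both tight.
    ( umask 077
      mkdir -p "$home/.ssh"
      touch "$auth" )
    chmod 700 "$home/.ssh"
    chmod 600 "$auth"

    # Idempotent: append only if this exact line is not already present.
    if ! grep -qxF -- "$line" "$auth"; then
        # Do not glue the new key onto an existing last line that lacks a newline.
        [ -s "$auth" ] && [ -n "$(tail -c1 "$auth")" ] && printf '\n' >> "$auth"
        printf '%s\n' "$line" >> "$auth"
    fi
}
```

Calling it twice with the same key leaves a single entry, so it is safe to rerun after regenerating or recopying a MID's public key.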

Usage

All commands have the general -m option for the MID. If the MID is the only option, then -m can be omitted (short form). Each login and mount is protected by a lock file so that proxy connections or mount requests are not established twice. However, after an unclean logout or unmount the lock files remain. You can force commands against the lock with the -f flag. If you use ssh-agent and get connection failed, usually due to wardriving, reset the agent key cache with the sshz command.

Login

Login to a remote account (MID):

 sshto -m MID

Remote commands

Run remote commands by:

 sshcmd -m MID -x "COMMAND ARGS"

If you set sp_g_ssh_env in the MID-file, then this environment is sourced for the command on the remote machine. Usually you want to source .bashrc, e.g. to include Shpak for the remote command on the remote side as well.

File transfer

File transfer to a remote account is handled by scp. First you have to create the remote xfer directory (sp_p_scp_remote):

 sshcmd -m MID -x "mkdir xfer"

Secure copy is done by push and pull requests to and from the remote host transfer directory (sp_p_scp_remote). To send a file or a directory:

 sshpush -m MID -s FILE

to receive:

 sshpull -m MID -s FILE

Transfer mode can be set by -t MODE, where MODE is 1 for scp (default), 2 for tar/ssh, 3 for rsync/ssh.

The remote xfer directory can be listed by:

 sshcmd MID

Mount

Remote mount via ssh is only available if Fuse and sshfs are installed. On OS X download Fuse from Google Code and switch to the Beta version. The sshfs module is a static binary, also from Google. Put this into the shpak/bin/ directory. On Linux both programs can be installed by the package manager.

Remote machines are mounted in the ${HOME}/sshfs/ directory. To mount a host:

 sshmnt -m MID

to unmount:

 sshumnt -m MID

The sshmnt command lists your remote mounts.