dilemma what to use c++ or script for demon process
Post 302285432 by ddreggors on Monday 9th of February 2009 02:00:10 AM
We use a similar process to manage several hundred servers. We have taken 3 approaches over the last 3 years.

1. Daemon (c++) that listens on a port and runs the passed args as a command.
2. Bash script using ssh to issue command using ssh keys to make this a password-less process.
3. Bash script using expect.

Using a compiled c++ app running as a listening daemon was great for ease but very bad for security. We had to add in the ability to only allow admin IPs set in a conf file and in the end realized that this was a really bad security risk even with IP based ACLs.

The second method worked well also. Again, having ssh keys lying around on a file system was not the best idea either. This method was also ultimately aborted. PCI compliance prohibited usage of both the above.

In the end we agreed that using expect was less of a risk. We can use bash to script the things we need and use expect (inline in the bash) to handle the ssh login and pass the command and exit.

We use the read command to take in user and password as the script runs and store the user/pass in a variable and then pass to expect as needed.

While this is what we use it may or may not be your best approach. This all boils down to YOUR needs and requirements.


Also note that using read to store user and pass and then passing to expect will allow a non-admin to see the password if they run the "ps" command. This is only possible for a split second while expect spawns the ssh command to the remote host and is FAR better than having an ssh key or worse a user/password hard coded in a file somewhere.

The c++ approach will expose a port that can be seen and runs all the time. It will only take minutes for a good hacker to target that port. If that daemon is running as root then you are in real jeopardy at that point of having your whole system compromised! To make matters worse if (as you say) you have multiple machines using this daemon then all are at risk of this compromise.

Not sure if you have heard of webmin, but many also use webmin for this purpose as webmin allows you to "cluster" groups of machines and send commands, update packages/applications, add/update/delete users, edit configurations, and way more, on all machines you have added to the webmin console at once.

Webmin is quite mature and has very good security tools (SSL login, and user/host based ACLs as well).



EDIT:

Also, another good thing to use, no matter which method you decide to use: if at all possible, create a shared location (NFS?) to store scripts that are for admin type processes. Then all you have to do is cycle through the list of hosts and run the command from the common NFS location.


Example:

Create an NFS export on your NFS server.
On hosts 1-4 have them all mount the share as "/nfs1"

Place admin scripts in "/nfs1/admin" (/nfs1/admin/update_users.sh or whatever).

Now hosts 1-4 can all use the script from the same location so all you have to do is this:

Code:
HOSTS="host1 host2 host3 host4"
# This can also be stored in a table in a database and retrieved via SQL so you do not have to change all files every time you add a host!

for SRV in $HOSTS
do
    ssh "$SRV" /nfs1/admin/update_users.sh
done


Of course this is assuming an ssh connection and NOT a daemon, and does not show any expect examples but you get the idea.

Last edited by ddreggors; 02-09-2009 at 03:17 AM.
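A worked version of the approach the post settles on, as an added example and not ddreggors' own code: read the admin user/password once, loop over the host list, and use an inline expect program for the ssh login, with the admin script itself served to every host from the shared NFS export. The mount point /nfs1, the script /nfs1/admin/update_users.sh and the host names are the hypothetical ones from the post's illustration; expect(1) and ssh(1) are assumed to be installed on the admin machine. Two choices the post does not spell out: the password is handed to expect through the environment rather than on its command line, so it is not visible to other users in ps, and an unknown host key is treated as an error instead of being accepted blindly. Setting DRY_RUN=1 only prints the per-host commands, which is how the block can be exercised without any network.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes (hypothetically,
# following the post) that every host mounts the admin share at /nfs1 and
# that expect(1) and ssh(1) are available locally.
set -eu

ADMIN_SCRIPT="/nfs1/admin/update_users.sh"   # assumed path from the post

# The host list. The post notes this could also come from a database table.
host_list() {
    echo "host1 host2 host3 host4"
}

# Plain ssh command line for one host (what the post's loop runs; also
# used for dry runs).
remote_command() {
    echo "ssh $1 $ADMIN_SCRIPT"
}

# Prompt once. Echo is turned off while the password is typed and restored
# on exit. Both values are exported so the expect child reads them from its
# environment (readable only by the same user or root) and not from argv,
# which any user can see with ps.
read_credentials() {
    printf 'Admin user: '
    read -r ADMIN_USER
    printf 'Password: '
    trap 'stty echo 2>/dev/null' EXIT
    stty -echo
    read -r ADMIN_PASS
    stty echo
    echo
    export ADMIN_USER ADMIN_PASS
}

# The expect program. Host and command arrive via argv; the credentials via
# the environment. A host-key prompt means the key is not in known_hosts,
# so the run for that host fails instead of accepting an unverified key.
expect_program() {
    cat <<'EOF'
set timeout 30
set host [lindex $argv 0]
set cmd  [lindex $argv 1]
spawn ssh -o NumberOfPasswordPrompts=1 "$env(ADMIN_USER)@$host" $cmd
expect {
    "(yes/no" {
        puts stderr "unknown host key for $host; verify it and add it to known_hosts first"
        exit 4
    }
    -nocase "password:" { send -- "$env(ADMIN_PASS)\r" }
    timeout { puts stderr "no password prompt from $host"; exit 2 }
    eof     { puts stderr "connection to $host closed early"; exit 3 }
}
expect eof
# Propagate the remote command's exit status back to the shell loop.
catch wait result
exit [lindex $result 3]
EOF
}

# Run the admin script on one host. With DRY_RUN=1 only the command is shown.
run_remote() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "DRY-RUN: $(remote_command "$1")"
        return 0
    fi
    expect_program | expect -f - "$1" "$ADMIN_SCRIPT"
}

# Loop over every host and keep going on failures; the return value is the
# number of hosts that failed. Only the host list changes when a host is added,
# because the script itself lives on the share.
run_all() {
    failed=0
    for SRV in $(host_list); do
        run_remote "$SRV" || {
            echo "$SRV: failed (exit $?)" >&2
            failed=$((failed + 1))
        }
    done
    return "$failed"
}

# Usage: ./admin_run.sh --run        (or DRY_RUN=1 ./admin_run.sh --run)
if [ "${1:-}" = "--run" ]; then
    read_credentials
    run_all
fi
```

The expect script is fed to expect on stdin (`expect -f -`) so it is never written to disk, and the only things on expect's command line are the host name and the script path. If a host's key is not yet in known_hosts the loop reports it and moves on; verify the fingerprint out of band and add the key before retrying that host.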
SSH-COPY-ID(1)                BSD General Commands Manual                SSH-COPY-ID(1)

NAME
     ssh-copy-id -- copy public keys to a remote host

SYNOPSIS
     ssh-copy-id [-lv] [-i keyfile] [-o option] [-p port] [user@]hostname

DESCRIPTION
     The ssh-copy-id utility copies public keys to a remote host's
     ~/.ssh/authorized_keys file (creating the file and directory, if
     required).

     The following options are available:

     -i file        Copy the public key contained in file. This option can be
                    specified multiple times and can be combined with the -l
                    option. If a private key is specified and a public key is
                    found then the public key will be used.

     -l             Copy the keys currently held by ssh-agent(1). This is the
                    default if the -i option was not specified.

     -o ssh-option  Pass this option directly to ssh(1). This option can be
                    specified multiple times.

     -p port        Connect to the specified port on the remote host instead
                    of the default.

     -v             Pass -v to ssh(1).

     The remaining arguments are a list of remote hosts to connect to, each
     one optionally qualified by a user name.

EXIT STATUS
     The ssh-copy-id utility exits 0 on success, and >0 if an error occurs.

EXAMPLES
     To send a specific key to multiple hosts:

           $ ssh-copy-id -i /path/to/keyfile.pub user@host1 user@host2 user@host3

HISTORY
     The ssh-copy-id utility was written by Eitan Adler <eadler@FreeBSD.org>
     as a drop-in replacement for an existing utility included with OpenSSH.

BSD                              February 28, 2014                                BSD