Updating clients from the SSH master
This updates one or more client hosts remotely from the SSH master.
Requirements
- A working SSH login for the sshadmin user on each of the client hosts you wish to update (chicken-and-egg!)
- A running SSH agent that holds sshadmin's private key, so that you do not have to enter the passphrase at each connection to a client host (the agent answers the authentication challenge; the private key itself is never copied to the clients)
- SUDO rules for the SSH Controls pre-configured on each of the client hosts you wish to update (the update runs as root)
Step 1: Distribute/copy the latest configuration (mappings + key files) to the client systems
What does it do?
Syncs all configuration, scripts & public key files from the SSH master to the client systems into the /etc/ssh_controls/holding directory (via SFTP)
How to do it?
Log on to the SSH master server and become sshadmin.
Choice 1: execute a global distribution (= all client systems configured in the targets files):
[master]$ /etc/ssh_master/manage_ssh.sh --copy
Distribution to multiple client systems is done in parallel (in the background). Be aware that this causes log messages from different hosts to be multiplexed (out of order).
INFO: *** start of manage_ssh.sh [--copy] ***
INFO: logging takes places in /var/log/manage_ssh.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/master
INFO: ACTION: copy/distribute SSH controls
INFO: copying/distributing to host1 in background [PID=17379] ...
INFO: copying/distributing to host2 in background [PID=17385] ...
INFO: copying/distributing to host3 in background [PID=17391] ...
INFO: copying/distributing to host4 in background [PID=17397] ...
INFO: transferred /etc/master/access to host1:/etc/ssh_controls/holding
INFO: transferred /etc/master/access to host2:/etc/ssh_controls/holding
INFO: transferred /etc/master/access to host3:/etc/ssh_controls/holding
INFO: transferred /etc/master/access to host4:/etc/ssh_controls/holding
INFO: transferred /etc/master/alias to host2:/etc/ssh_controls/holding
INFO: transferred /etc/master/alias to host3:/etc/ssh_controls/holding
INFO: transferred /etc/master/alias to host1:/etc/ssh_controls/holding
INFO: transferred /etc/master/alias to host4:/etc/ssh_controls/holding
INFO: transferred /etc/master/update_ssh.pl to host2:/etc/ssh_controls/holding
INFO: transferred /etc/master/update_ssh.pl to host3:/etc/ssh_controls/holding
INFO: transferred /etc/master/update_ssh.pl to host1:/etc/ssh_controls/holding
INFO: transferred /etc/master/update_ssh.pl to host4:/etc/ssh_controls/holding
<snip>
Output has been truncated for convenience.
Choice 2: execute a limited distribution by using the --targets command-line parameter with a comma-separated list of hostnames:
[master]$ /etc/ssh_master/manage_ssh.sh --copy --targets=host1,host2
INFO: *** start of manage_ssh.sh [--copy --targets=host1,host2] ***
INFO: logging takes places in /var/log/manage_ssh.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/ssh_master
INFO: ACTION: copy/distribute SSH controls
INFO: copying/distributing to host1 in background [PID=5346] ...
INFO: copying/distributing to host2 in background [PID=5352] ...
INFO: transferred /etc/ssh_master/access to host1:/etc/ssh_controls/holding
INFO: transferred /etc/ssh_master/access to host2:/etc/ssh_controls/holding
INFO: transferred /etc/ssh_master/alias to host1:/etc/ssh_controls/holding
INFO: transferred /etc/ssh_master/alias to host2:/etc/ssh_controls/holding
INFO: transferred /etc/ssh_master/update_ssh.pl to host1:/etc/ssh_controls/holding
INFO: transferred /etc/ssh_master/update_ssh.pl to host2:/etc/ssh_controls/holding
INFO: transferred /etc/ssh_master/update_ssh.conf to host1:/etc/ssh_controls/holding
INFO: transferred /etc/ssh_master/update_ssh.conf to host2:/etc/ssh_controls/holding
INFO: transferred ./manage_ssh.sh to host1:/etc/ssh_controls/holding
INFO: keys are stored in a DIRECTORY, first merging all keys into /var/tmp/distribute2host.18125/keys
INFO: transferred ./manage_ssh.sh to host2:/etc/ssh_controls/holding
INFO: keys are stored in a DIRECTORY, first merging all keys into /var/tmp/distribute2host.21737/keys
INFO: transferred /var/tmp/distribute2host.18125/keys to host1:/etc/ssh_controls/holding
INFO: transferred /var/tmp/distribute2host.21737/keys to host2:/etc/ssh_controls/holding
INFO: child process 5346 exited [RC=0]
INFO: child process 5352 exited [RC=0]
INFO: finished copying/distributing SSH controls
INFO: performing cleanup ...
INFO: *** finish of manage_ssh.sh [--copy --targets=host1,host2] ***
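The --apply step in the next section trusts whatever sits in the client's holding directory, so it is worth confirming after --copy that each client holds byte-for-byte what the master sent. The following is an added example (not part of SSH Controls) that compares sha256 manifests. It assumes sha256sum is present on master and clients, that sshadmin can read the holding directory, that the master's copies live under MASTER_DIR, and that the names in FILES match your layout; drop 'keys' from FILES if the master stores keys in a DIRECTORY, because --copy merges those into a temporary file first (see the output above). SSH_BIN and VERIFY_TARGETS are conveniences of this example.

```shell
#!/bin/sh
# Post-distribution integrity check (added example, not SSH Controls code).
# Assumptions: sha256sum on both ends, sshadmin may read HOLDING_DIR, the
# distributed files sit under MASTER_DIR with the names listed in FILES.

MASTER_DIR=${MASTER_DIR:-/etc/ssh_master}
HOLDING_DIR=${HOLDING_DIR:-/etc/ssh_controls/holding}
FILES=${FILES:-"access alias keys update_ssh.conf update_ssh.pl manage_ssh.sh"}

# "checksum  name" for each distributed file present in a directory, sorted by
# name so master and client manifests line up. A missing file simply does not
# appear (its sha256sum error is discarded) and therefore shows up in the diff.
manifest() {
    ( cd "$1" && sha256sum $FILES 2>/dev/null | sort -k2 )
}

# The same manifest, computed on the client over a non-interactive session.
# SSH_BIN lets a wrapper or a stub stand in for ssh.
remote_manifest() {
    ${SSH_BIN:-ssh} -o BatchMode=yes "sshadmin@$1" \
        "cd '$HOLDING_DIR' && sha256sum $FILES 2>/dev/null | sort -k2"
}

# Compare two manifests ($1 master, $2 client) for host $3.
# Returns 0 when identical, 1 otherwise, listing the entries that differ.
compare_manifests() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' "$1" > "$tmp/master"
    printf '%s\n' "$2" > "$tmp/client"
    if diff "$tmp/master" "$tmp/client" > "$tmp/diff"; then
        echo "OK:   $3: holding matches master"
        rm -rf "$tmp"
        return 0
    fi
    echo "DIFF: $3: holding does NOT match master (do not --apply yet)"
    sed -n 's/^< /  master: /p; s/^> /  client: /p' "$tmp/diff"
    rm -rf "$tmp"
    return 1
}

# Check every host of a comma-separated --targets style list.
verify_distribution() {
    master=$(manifest "$MASTER_DIR")
    bad=0
    for h in $(printf '%s\n' "$1" | tr ',' ' '); do
        compare_manifests "$master" "$(remote_manifest "$h")" "$h" || bad=1
    done
    return "$bad"
}

# Stand-alone use on the master, as sshadmin:
#   VERIFY_TARGETS=host1,host2 sh verify_holding.sh
if [ -n "${VERIFY_TARGETS:-}" ]; then
    verify_distribution "$VERIFY_TARGETS"
fi
```

Any DIFF line means the client's authorisation data (access rules, aliases or public keys) is not what the master produced; fix the cause and re-run --copy before moving on to Step 2.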
Step 2: Updating the authorized keys on the client systems
What does it do?
Runs the update_ssh.pl script remotely and updates the SSH public keys in /etc/ssh_controls/keys.d on each client host.
How to do it?
Log on to the SSH master server and become sshadmin.
Choice 1: execute a global update (= all client systems configured in the targets files):
[master]$ /etc/ssh_master/manage_ssh.sh --apply
Updates of multiple client systems are done in parallel (in the background). Be aware that this causes log messages from different hosts to be multiplexed (out of order).
INFO: *** start of manage_ssh.sh [--apply] ***
INFO: logging takes places in /var/log/manage_ssh.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/ssh_master
INFO: ACTION: apply SSH controls remotely
INFO: updating host1 in background [PID=8097] ...
INFO: updating host2 in background [PID=8103] ...
INFO: updating host3 in background [PID=8109] ...
INFO: updating host4 in background [PID=8116] ...
INFO: setting ssh controls on host3 ...
INFO: setting ssh controls on host2 ...
INFO: setting ssh controls on host4 ...
INFO: setting ssh controls on host1 ...
INFO: *** start of manage_ssh.sh [--update] ***
WARN: no keys blacklist file found [host1]
INFO: logging takes places in /var/log/manage_ssh.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/ssh_controls/holding
INFO: ACTION: apply SSH controls locally
INFO: runtime info: root; host1@/etc/ssh_controls/holding; Perl v5.010001
INFO: parsing configuration file(s) ...
INFO: checking for SSH control mode ...
INFO: host is under SSH control via /etc/ssh_controls/keys.d
INFO: checking for keys blacklist file ...
INFO: reading user accounts from /etc/passwd ...
INFO: 79 user accounts found on host1
INFO: reading 'alias' file ...
INFO: 112 aliases found on host1
INFO: reading 'keys' file(s) ...
INFO: local 'keys' are stored in a FILE on host1
INFO: reading public keys from file: /etc/ssh_controls/holding/keys
INFO: 117 public key(s) found on host1
INFO: reading 'access' file ...
INFO: 22 accounts with applicable access rules found on host1
INFO: applying SSH access rules ....
INFO: runtime info: OS major version 6, SELinux context ssh_home_t on host1
INFO: granting access to johndoe for John_Doe on host1
INFO: granting access to janedoe for Jane_Doe on host1
INFO: denying access (no key) to foobar for Foobar on host1
INFO: granting access to root for John_Doe on host1
INFO: checking for extraneous access files ....
INFO: 0 extraneous access file(s) found on host1
INFO: finished applying SSH controls locally
INFO: performing cleanup ...
INFO: *** finish of manage_ssh.sh [--update] ***
<snip>
Output has been truncated for convenience.
Choice 2: execute a limited update using the --targets command-line parameter (comma-separated list of hostnames):
[master]$ /etc/ssh_master/manage_ssh.sh --apply --targets=host1,host2
INFO: *** start of manage_ssh.sh [--apply --targets=host1,host2] ***
INFO: logging takes places in /var/log/manage_ssh.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/ssh_master
INFO: ACTION: apply SSH controls remotely
INFO: updating host1 in background [PID=23859] ...
INFO: updating host2 in background [PID=23864] ...
INFO: setting ssh controls on host2 ...
INFO: setting ssh controls on host1 ...
WARN: no keys blacklist file found [host2]
WARN: no keys blacklist file found [host1]
INFO: *** start of manage_ssh.sh [--update] ***
INFO: logging takes places in /var/log/manage_ssh.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/ssh_controls/holding
INFO: ACTION: apply SSH controls locally
INFO: runtime info: root; host2@/etc/ssh_controls/holding; Perl v5.010001
INFO: parsing configuration file(s) ...
INFO: checking for SSH control mode ...
INFO: host is under SSH control via /etc/ssh_controls/keys.d
INFO: checking for keys blacklist file ...
INFO: reading user accounts from /etc/passwd ...
INFO: 45 user accounts found on host2
INFO: reading 'alias' file ...
INFO: 112 aliases found on host2
INFO: reading 'keys' file(s) ...
INFO: local 'keys' are stored in a FILE on host2
INFO: reading public keys from file: /etc/ssh_controls/holding/keys
INFO: 117 public key(s) found on host2
INFO: reading 'access' file ...
INFO: 22 accounts with applicable access rules found on host2
INFO: applying SSH access rules ....
INFO: runtime info: OS major version 6, SELinux context ssh_home_t on host2
INFO: denying access (no key) to foobar for Foobar on host2
INFO: granting access to johndoe for John_Doe on host2
INFO: granting access to janedoe for Jane_Doe on host2
INFO: checking for extraneous access files ....
INFO: 0 extraneous access file(s) found on host2
INFO: finished applying SSH controls locally
INFO: performing cleanup ...
INFO: finished applying SSH controls remotely
INFO: performing cleanup ...
INFO: *** finish of manage_ssh.sh [--apply --targets=host1,host2] ***
<snip>
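Because the --apply output of several hosts is multiplexed, a per-host summary is the quickest way to review a run. The script below is an added example (not part of SSH Controls): it demultiplexes manage_ssh.sh log lines by the trailing "on <host>" / "[<host>]" marker, maps each background child PID back to its host, and reports grants, denials, warnings, child exit code and, because those are the entries you most want to eyeball, keys granted to root. The sample log is constructed from the output shown on this page, with one child exit code changed to a non-zero value to exercise the failure path; the APPLY_LOG guard is a convenience of this example.

```shell
#!/bin/sh
# Per-host summary of a manage_ssh.sh --apply (or --copy) run.
# Added example, not SSH Controls code. Reads log lines from files or stdin.

# One line per host: host rc=<child exit code or ?> grants= denials= warns= root_grants=
summarize_apply_log() {
    awk '
    # Background child -> host, from either form seen in the output:
    #   "INFO: updating host1 in background [PID=8097] ..."
    #   "INFO: copying/distributing to host1 in background [PID=17379] ..."
    /in background \[PID=/ {
        for (i = 2; i < NF; i++) if ($i == "in" && $(i+1) == "background") {
            h = $(i-1); p = $(i+2); gsub(/[^0-9]/, "", p)
            host_of[p] = h; rc[h] = "?"; seen[h] = 1
        }
        next
    }
    # "INFO: child process 8097 exited [RC=0]"
    /child process [0-9]+ exited \[RC=/ {
        p = $4; r = $NF; gsub(/[^0-9]/, "", r)
        if (p in host_of) rc[host_of[p]] = r
        next
    }
    # "INFO: granting access to <user> for <alias> on <host>"
    /INFO: granting access to / {
        h = $NF; grants[h]++; seen[h] = 1
        if ($5 == "root") rootg[h]++
        next
    }
    # "INFO: denying access (no key) to <user> for <alias> on <host>"
    /INFO: denying access / { h = $NF; denials[h]++; seen[h] = 1; next }
    # "WARN: no keys blacklist file found [host1]"
    /^WARN: / && $NF ~ /^\[.*\]$/ {
        h = $NF; gsub(/\[/, "", h); gsub(/\]/, "", h)
        warns[h]++; seen[h] = 1; next
    }
    END {
        for (h in seen)
            printf "%s rc=%s grants=%d denials=%d warns=%d root_grants=%d\n",
                   h, ((h in rc) ? rc[h] : "?"), grants[h]+0, denials[h]+0,
                   warns[h]+0, rootg[h]+0
    }' "$@" | sort
}

# Print the summary and return 1 when any host needs a second look: a child
# that failed or never reported (rc=?) or a key granted to root.
check_apply_log() {
    summary=$(summarize_apply_log "$@")
    printf '%s\n' "$summary"
    ! printf '%s\n' "$summary" | grep -Eq ' rc=([1-9][0-9]*|\?) | root_grants=[1-9]'
}

# Constructed sample, assembled from the lines shown on this page; the RC=1
# for host2 is made up to exercise the failure path.
SAMPLE_APPLY_LOG='INFO: updating host1 in background [PID=8097] ...
INFO: updating host2 in background [PID=8103] ...
WARN: no keys blacklist file found [host2]
INFO: granting access to johndoe for John_Doe on host1
INFO: denying access (no key) to foobar for Foobar on host2
INFO: granting access to janedoe for Jane_Doe on host1
INFO: granting access to root for John_Doe on host1
INFO: granting access to johndoe for John_Doe on host2
INFO: child process 8097 exited [RC=0]
INFO: child process 8103 exited [RC=1]'

# Stand-alone use against the real log named in the output above:
#   APPLY_LOG=/var/log/manage_ssh.sh.log sh summarize_apply.sh
if [ -n "${APPLY_LOG:-}" ]; then
    check_apply_log "$APPLY_LOG"
fi
```

For the constructed sample the summary reads "host1 rc=0 grants=3 denials=0 warns=0 root_grants=1" and "host2 rc=1 grants=1 denials=1 warns=1 root_grants=0", and check_apply_log returns non-zero on both the failed child and the root grant. The "denying access (no key)" lines are worth a look too: they mean an access rule names a user whose public key is not in the distributed keys file.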
Updating clients locally
This will update a single client host from its own local repository.
Requirements
- A working SSH logon for the sshadmin user on each of the client hosts you wish to update (chicken-and-egg!)
- SUDO rules for the SSH Controls pre-configured on each of the client hosts you wish to update -OR- full root access locally.
Procedure
When refreshing the SSH public keys locally on a client you can only use the configuration data currently present in the local /etc/ssh_controls/holding directory, i.e. whatever the last distribution from the master delivered.
- Log in to the client host and become sshadmin
- Execute the local update via sudo (as the non-root sshadmin user), e.g.:
[client]$ sudo /etc/ssh_controls/holding/manage_ssh.sh --update
-OR-
Execute the local update directly using the Perl script:
[client]$ sudo /etc/ssh_controls/holding/update_ssh.pl --verbose --remove
The output of both commands is similar to that of the remote updates (see above).