Updating clients from the SSH master

This will update one or more client hosts remotely from the SSH master

Requirements

  • A working SSH login for the sshadmin user for each of the client hosts you wish to update (chicken-and-the-egg!)
  • A running SSH agent that will propagate sshadmin’s private key to each of the client hosts upon remote access/control (so that you do not have to enter the passphrase at each connection!)
  • SUDO rules for the SSH Controls must be pre-configured on each of the client hosts you wish to update (run as root)

Step 1: Distribute/copy the latest configuration (mappings + key files) to the client systems

What does it do? Syncs all configuration, scripts & public key files from the SSH master to client systems into the /etc/ssh_controls/holding directory (via SFTP)

How to do it? Log on to the SSH master server and become sshadmin.

Choice 1: execute a global distribution

(=all client systems configured in the targets files):

[master]$ /etc/ssh_master/manage_ssh.sh --copy

Distribution to multiple client systems will be done in parallel (background). Be aware that this will cause log messages to be multiplexed (out-of-sync).

INFO: *** start of manage_ssh.sh [--copy] ***
INFO: logging takes places in /var/log/manage_ssh.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/master
INFO: ACTION: copy/distribute SSH controls
INFO: copying/distributing to host1 in background [PID=17379] ...
INFO: copying/distributing to host2 in background [PID=17385] ...
INFO: copying/distributing to host3 in background [PID=17391] ...
INFO: copying/distributing to host4 in background [PID=17397] ...
INFO: transferred /etc/master/access to host1:/etc/ssh_controls/holding
INFO: transferred /etc/master/access to host2:/etc/ssh_controls/holding
INFO: transferred /etc/master/access to host3:/etc/ssh_controls/holding
INFO: transferred /etc/master/access to host4:/etc/ssh_controls/holding
INFO: transferred /etc/master/alias to host2:/etc/ssh_controls/holding
INFO: transferred /etc/master/alias to host3:/etc/ssh_controls/holding
INFO: transferred /etc/master/alias to host1:/etc/ssh_controls/holding
INFO: transferred /etc/master/alias to host4:/etc/ssh_controls/holding
INFO: transferred /etc/master/update_ssh.pl to host2:/etc/ssh_controls/holding
INFO: transferred /etc/master/update_ssh.pl to host3:/etc/ssh_controls/holding
INFO: transferred /etc/master/update_ssh.pl to host1:/etc/ssh_controls/holding
INFO: transferred /etc/master/update_ssh.pl to host4:/etc/ssh_controls/holding
<snip>

Output has been truncated for convenience.

Choice 2: execute a limited distribution

By using the --targets command-line parameter with a comma-separated list of hostnames:

[master]$ /etc/ssh_master/manage_ssh.sh --copy --targets=host1,host2

INFO: *** start of manage_ssh.sh [--copy --targets=host1,host2] ***
INFO: logging takes places in /var/log/manage_ssh.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/ssh_master
INFO: ACTION: copy/distribute SSH controls
INFO: copying/distributing to host1 in background [PID=5346] ...
INFO: copying/distributing to host2 in background [PID=5352] ...
INFO: transferred /etc/ssh_master/access to host1:/etc/ssh_controls/holding
INFO: transferred /etc/ssh_master/access to host2:/etc/ssh_controls/holding
INFO: transferred /etc/ssh_master/alias to host1:/etc/ssh_controls/holding
INFO: transferred /etc/ssh_master/alias to host2:/etc/ssh_controls/holding
INFO: transferred /etc/ssh_master/update_ssh.pl to host1:/etc/ssh_controls/holding
INFO: transferred /etc/ssh_master/update_ssh.pl to host2:/etc/ssh_controls/holding
INFO: transferred /etc/ssh_master/update_ssh.conf to host1:/etc/ssh_controls/holding
INFO: transferred /etc/ssh_master/update_ssh.conf to host2:/etc/ssh_controls/holding
INFO: transferred ./manage_ssh.sh to host1:/etc/ssh_controls/holding
INFO: keys are stored in a DIRECTORY, first merging all keys into /var/tmp/distribute2host.18125/keys
INFO: transferred ./manage_ssh.sh to host2:/etc/ssh_controls/holding
INFO: keys are stored in a DIRECTORY, first merging all keys into /var/tmp/distribute2host.21737/keys
INFO: transferred /var/tmp/distribute2host.18125/keys to host1:/etc/ssh_controls/holding
INFO: transferred /var/tmp/distribute2host.21737/keys to host2:/etc/ssh_controls/holding
INFO: child process 5346 exited [RC=0]
INFO: child process 5352 exited [RC=0]
INFO: finished copying/distributing SSH controls
INFO: performing cleanup ...
INFO: *** finish of manage_ssh.sh [--copy --targets=host1,host2] ***

Step 2: Updating the authorized keys on the client systems

What does it do? Runs the update_ssh.pl script remotely and updates the SSH public keys in /etc/ssh_controls/keys.d on each client host.

How to do it? Log on to the SSH master server and become sshadmin.

Choice 1: execute a global update

(=all client systems configured in the targets files):

[master]$ /etc/ssh_master/manage_ssh.sh --apply

Updating multiple client systems will be done in parallel (background). Be aware that this will cause log messages to be multiplexed (out-of-sync).

INFO: *** start of manage_ssh.sh [--apply] ***
INFO: logging takes places in /var/log/manage_ssh.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/ssh_master
INFO: ACTION: apply SSH controls remotely
INFO: updating host1 in background [PID=8097] ...
INFO: updating host2 in background [PID=8103] ...
INFO: updating host3 in background [PID=8109] ...
INFO: updating host4 in background [PID=8116] ...
INFO: setting ssh controls on host3 ...
INFO: setting ssh controls on host2 ...
INFO: setting ssh controls on host4 ...
INFO: setting ssh controls on host1 ...
INFO: *** start of manage_ssh.sh [--update] ***
WARN: no keys blacklist file found [host1]
INFO: logging takes places in /var/log/manage_ssh.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/ssh_controls/holding
INFO: ACTION: apply SSH controls locally
INFO: runtime info: root; host1@/etc/ssh_controls/holding; Perl v5.010001
INFO: parsing configuration file(s) ...
INFO: checking for SSH control mode ...
INFO: host is under SSH control via /etc/ssh_controls/keys.d
INFO: checking for keys blacklist file ...
INFO: reading user accounts from /etc/passwd ...
INFO: 79 user accounts found on host1
INFO: reading 'alias' file ...
INFO: 112 aliases found on host1
INFO: reading 'keys' file(s) ...
INFO: local 'keys' are stored in a FILE on host1
INFO: reading public keys from file: /etc/ssh_controls/holding/keys
INFO: 117 public key(s) found on host1
INFO: reading 'access' file ...
INFO: 22 accounts with applicable access rules found on host1
INFO: applying SSH access rules ....
INFO: runtime info: OS major version 6, SELinux context ssh_home_t on host1
INFO: granting access to johndoe for John_Doe on host1
INFO: granting access to janedoe for Jane_Doe on host1
INFO: denying access (no key) to foobar for Foobar on host1
INFO: granting access to root for John_Doe on host1
INFO: checking for extraneous access files ....
INFO: 0 extraneous access file(s) found on host1
INFO: finished applying SSH controls locally
INFO: performing cleanup ...
INFO: *** finish of manage_ssh.sh [--update] ***
<snip>

Output has been truncated for convenience.

Choice 2: execute a limited update

By using the --targets command-line parameter with a comma-separated list of hostnames:

[master]$ /etc/ssh_master/manage_ssh.sh --apply --targets=host1,host2

INFO: *** start of manage_ssh.sh [--apply --targets=host1,host2] ***
INFO: logging takes places in /var/log/manage_ssh.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/ssh_master
INFO: ACTION: apply SSH controls remotely
INFO: updating host1 in background [PID=23859] ...
INFO: updating host2 in background [PID=23864] ...
INFO: setting ssh controls on host2 ...
INFO: setting ssh controls on host1 ...
WARN: no keys blacklist file found [host2]
WARN: no keys blacklist file found [host1]
INFO: *** start of manage_ssh.sh [--update] ***
INFO: logging takes places in /var/log/manage_ssh.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/ssh_controls/holding
INFO: ACTION: apply SSH controls locally
INFO: runtime info: root; host2@/etc/ssh_controls/holding; Perl v5.010001
INFO: parsing configuration file(s) ...
INFO: checking for SSH control mode ...
INFO: host is under SSH control via /etc/ssh_controls/keys.d
INFO: checking for keys blacklist file ...
INFO: reading user accounts from /etc/passwd ...
INFO: 45 user accounts found on host2
INFO: reading 'alias' file ...
INFO: 112 aliases found on host2
INFO: reading 'keys' file(s) ...
INFO: local 'keys' are stored in a FILE on host2
INFO: reading public keys from file: /etc/ssh_controls/holding/keys
INFO: 117 public key(s) found on host2
INFO: reading 'access' file ...
INFO: 22 accounts with applicable access rules found on host2
INFO: applying SSH access rules ....
INFO: runtime info: OS major version 6, SELinux context ssh_home_t on host2
INFO: denying access (no key) to foobar for Foobar on host2
INFO: granting access to johndoe for John_Doe on host2
INFO: granting access to janedoe for Jane_Doe on host2
INFO: checking for extraneous access files ....
INFO: 0 extraneous access file(s) found on host2
INFO: finished applying SSH controls locally
INFO: performing cleanup ...
INFO: finished applying SSH controls remotely
INFO: performing cleanup ...
INFO: *** finish of manage_ssh.sh [--apply --targets=host1,host2] ***
<snip>
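
The parallel runs in Step 1 and Step 2 interleave the log lines of all client hosts. The following added example (not part of the SSH Controls project) joins each "in background [PID=n]" line to its "child process n exited [RC=m]" line so the outcome per client is visible at a glance and non-zero exits are not lost in the multiplexed output; the sample log is constructed, with host2 made to fail.

```shell
#!/usr/bin/env bash
# Added example, not the project's own code: de-multiplex the parallel
# manage_ssh.sh output so each background child is reported per host.

# Constructed sample of a multiplexed --copy run; host2 is made to fail.
SAMPLE_LOG='INFO: *** start of manage_ssh.sh [--copy --targets=host1,host2] ***
INFO: copying/distributing to host1 in background [PID=5346] ...
INFO: copying/distributing to host2 in background [PID=5352] ...
INFO: transferred /etc/ssh_master/access to host2:/etc/ssh_controls/holding
INFO: transferred /etc/ssh_master/access to host1:/etc/ssh_controls/holding
WARN: no keys blacklist file found [host2]
INFO: child process 5346 exited [RC=0]
INFO: child process 5352 exited [RC=1]
INFO: finished copying/distributing SSH controls'

# host_results LOG: print "<host> <rc>" for every child, in exit order.
# The PID in "... <host> in background [PID=n]" is joined to the matching
# "child process n exited [RC=m]" line; --apply runs use the same two patterns.
host_results() {
    printf '%s\n' "$1" | awk '
        /in background \[PID=/ {
            for (i = 2; i <= NF; i++)
                if ($i == "in" && $(i + 1) == "background") host = $(i - 1)
            match($0, /PID=[0-9]+/)
            host_of[substr($0, RSTART + 4, RLENGTH - 4)] = host
        }
        /child process [0-9]+ exited \[RC=/ {
            match($0, /RC=[0-9]+/)
            rc = substr($0, RSTART + 3, RLENGTH - 3)
            h = ($4 in host_of) ? host_of[$4] : "unknown-pid-" $4
            print h, rc
        }'
}

# failed_hosts LOG: hosts whose child exited non-zero (their holding dir is stale).
failed_hosts() {
    host_results "$1" | awk '$2 != 0 { print $1 }'
}

# host_warnings LOG: WARN lines attributed to a host via the trailing "[host]" tag.
host_warnings() {
    printf '%s\n' "$1" | awk '/^WARN:/ && match($0, /\[[^]]+\]$/) {
        print substr($0, RSTART + 1, RLENGTH - 2) ": " substr($0, 7, RSTART - 8) }'
}

host_results "$SAMPLE_LOG"
failed_hosts "$SAMPLE_LOG"
host_warnings "$SAMPLE_LOG"
```

Pipe the real run through the same functions (for example `host_results "$(/etc/ssh_master/manage_ssh.sh --copy 2>&1)"`) to get one status line per client instead of scanning the interleaved log by hand.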

Updating clients locally

This will update a single client host from its own local repository.

Requirements

  • A working SSH logon for the sshadmin user for each of the client hosts you wish to update (chicken-and-the-egg!)
  • SUDO rules for the SSH Controls must be pre-configured on each of the client hosts you wish to update -OR- full root access locally.

Procedure

When refreshing the SSH public keys locally on a client you can only use the current locally available configuration data from the /etc/ssh_controls/holding directory.

  1. Log in to the client host and become sshadmin
  2. Execute the local update (as non-root user), e.g.:

[client]$ sudo /etc/ssh_controls/holding/manage_ssh.sh --update

-OR-

Execute the local update directly using the Perl script:

[client]$ sudo /etc/ssh_controls/holding/update_ssh.pl --verbose --remove

The output of both commands is similar to that of the remote updates (see above).
