Here are some hints and tips for those who are new to using ssh/OpenSSH for Linux system administration. Most of these tips have come from my recent work with a large number of Linux servers hosted on a VMware ESXi 4.x server farm.
Password authentication VS ssh key authentication
- If you are administering only a few systems on a closed network (i.e. accessible only locally or by a secure VPN connection), then password authentication is probably OK, but you should consider using ssh keys anyway.
- If your network needs to allow ssh access directly from the Internet or you are administering a large number of systems, then you should definitely use ssh keys.
Ssh-agent, scripting and cron
- ssh-agent can save you typing in the password to your ssh key every time you need it.
- This site gives a good overview of ssh-agent and includes some code you can add to your .bash_profile script to ensure your keys get added upon login.
- Although there are hack-ish ways to get ssh-agent and cron to work together, you are probably better off setting up special keys to use with scripts that must be called via cron. Just keep in mind that keys without passwords are a security risk.
- If you cannot risk using keys without passwords, consider running those cron scripts locally on each system. Utilize shared file space or e-mail to collect the results.
Bash one-liners and ssh with ssh keys
- I’ve become a fan of using bash “one-liner” scripts to keep abreast of server stats such as load averages, available patches and disk usage.
- Keep an up-to-date list of hosts in a file called hostlist.
- Run your one-liners while ssh-agent has your ssh keys cached.
- Here’s a template one-liner which checks uptime on each host listed in the file hostlist:
for e in `cat hostlist`; do echo $e; ssh $e "uptime"; done
- In the above example, you can replace uptime with just about any command which exists on the remote host.
- You can also synchronize some of the configurations under /etc with the above by utilizing either scp or rsync instead of ssh in that one-liner.
Turn your one-liners into scripts
- If you find yourself using the same one-liner over and over, it is time to save yourself some typing and turn it into a script.
- I like to keep these sorts of scripts under ~/bin. I also like to add that to my $PATH and create a simlink ~/scripts.
- Some one-liners are good candidates to be turned in to cron scripts. Just keep in mind the risks of using ssh keys without passwords, and include logic to detect conditions you want to monitor. For example, you can run /proc/loadavg through awk to isolate one of the three figures and send yourself an e-mail if that average is too high.
I didn’t take any notes during the meeting itself, so these are the high points as my memory serves:
The focus of this meeting was Security, and we didn’t stray too far off that core topic.
InfraGard is a partnership between the Federal Bureau of Investigation and the private sector.
Some of the interesting security tools or concepts discussed at this meeting:
- netcat is literally THE Swiss Army Knife of IP tools.
- port knocking and webknocking involves sending patterns of traffic to a server to trigger it opening ports and services to your IP address.
- MetaSploit Framework automates the exploitation of the latest vulnerabilities.
After the meeting, a large group of us walked over to Raccoon River Brewery for dinner, drinks and discussion.
This meeting’s theme: Programming
Eclipse IDE presented by Dan Juliano
- UI layer runs on top of SWT libraries, so it should be more responsive.
- Engineered differently than most other IDEs
- Fairly memory-intensive. Just launched, it took 135 MB of RAM on Dan’s demo system (an Intel Mac).
- IBM has put a lot of support behind this project.
- Primarily supports Java development, but there are versions and plugins for other languages.
- Aptana http://www.aptana.com is an online web dev environment that fits nicely with Eclipse.
- Good code validation plugin which will validate various languages.
- Standard IDE stuff like syntax highlighting.
- Has a large undo feature that remembers every change made since you started the session and can revert to any point. That causes a lot of the memory usage.
Several random discussions took place at this point in the meeting.
Hudson (https://hudson.dev.java.net/) presented by Dan Juliano
- Billed as an “Extensible continuous integration engine”
- Tons of plugins.
- Dan exploring using this for automated scheduled jobs as a replacement for doing the same with cron.
Several members of the group adjourned to Hessen Haus for food and beverages.
Even when I get a back log of podcasts and have to decide which ones to delete, every episode of this podcast stays in the queue.
Dan and Fab have a solid format wherein they cover new releases of Open Source software (mostly Linux distros), recent tech news headlines (including Microwatch), in depth Linux distro reviews and listener feedback (with Dan’s hilarious attempts at various accents from around the world).
Dan and Fab have a great rapport which makes every episode a fun listen that is also full of good content. If you want to keep on top of what’s going on with Linux and Open Source software, download a couple of episodes and give Linux Outlaws a try.
Well, my demo of the Linux Gamers Live DVD didn’t go so well. My crappy old computer did not perform very well, so we ended up borrowing someone’s laptop to perform the demo. Wasn’t too exciting. I just brought up each game on the disk and played them for a bit. We also discussed some other Linux-friendly gaming.
After that FAIL, I needed some success. I finally got some relief with the ReciPants database issue. The problem seems to be with my method for transferring the database from the old server to the new. Here’s a brief synopsis of what I did to get it to work:
Migrated from the old server (with MySQL 3.23) to a virtual machine running CentOS 3 (also with MySQL 3.23).
On the old server:
- Exported the database with the following command (no extra options used, my mistake was exporting with —opt and/or —add-drop-tables):
mysqldump -u root -p ReciPants > ReciPants-database.sql
On the “new” server:
- Set up ReciPants v1.2 on the new server, per the Web site instructions — including running the SQL scripts tables-mysql.sql and ref_data.sql.
- Once I confirmed that worked OK, restored the data from the old
server with the following command (the -f is necessary, as there is a
non-critical error early on that will halt the process):
mysql -u root -p -f ReciPants < ReciPants-database.sql
Again, I need to test the above method on MySQL 5.x, but I believe it will work just fine.
At the Central Iowa Linux User’s Group meeting this Wednesday (10/15), the theme is “Linux Gaming.” I intend to demo the Linux Gamers Live DVD on an older AMD 2 GHz box I have.
The problem with that? I need a better video card, more RAM and to download the bootable iso! The on-board SIS video sucks for gaming, the system has only 512 MB of RAM installed, and I deleted my copy of the iso file a couple of weeks ago, thinking I wouldn’t need it. . .
I managed to purchase an ATI Radeon X1550 this afternoon, so that’s one thing off the list. I’m downloading the 3+ GB iso image as I type this. The only thing left is the RAM. I went to two local computer shops today and neither had the RAM I need (either PC2100, PC2700 or PC3200). I’ve got one more local shop to check tomorrow.
Wish me luck.