8/8/2014

SSH! Keep it secret. Keep it safe.
Using Secure Shell to Help Manage Multiple Servers
Don Prezioso, Ashland University

Why use SSH?
• Proliferation of servers
• Physical servers now virtual / hosted
• System management without console
• Inter-server processes and file transfers
• Less worry about passwords

What is SSH?
• Secure Shell (encrypted connections)
• Replaces telnet (ssh)
• Secure copy (scp)
• Secure file transfers (sftp)
• Public/Private key pairs for encryption
  – No passwords needed!

Server Software for Linux
OpenSSH: free ssh for unix based systems
Red Hat packages:
    openssh-4.3p2-82.el5         - Core SSH components used by both client and server
    openssh-askpass-4.3p2-82.el5 - Passphrase dialog for X11
    openssh-clients-4.3p2-82.el5 - SSH client components (ssh, scp, sftp, etc.)
    openssh-server-4.3p2-82.el5  - SSH server components (sshd)
/etc/ssh/sshd_config:
    UsePAM yes
    Subsystem sftp /usr/libexec/openssh/sftp-server
    AllowGroups sys adm ftpusers staff

Server Software for Windows
freeSSHd: see www.freeSSHd.com to download the installation package
Edit C:\Program Files\freeSSHd\FreeSSHDService.ini:
    [SSH server]
    SSHPublickeyPath=C:\Program Files\freeSSHd\Authorized_Keys
    [Users]
    UserCount=2
    [User0]
    Name=datatel
    Auth=2
    Password=000000000000000000000000000000000000000000
    Domain=
    Shell=1
    SFTP=1
    Tunnel=0
    [User1]
    Name=dprez
    Auth=0
    Password=000000000000000000000000000000000000000000
    Domain=AD
    Shell=0
    SFTP=1
    Tunnel=0

Clients for Linux
• Included in OpenSSH:
  – ssh – Secure Shell client
    • telnet replacement
    • remote command execution
  – scp – Secure Copy – copy files between systems
  – sftp – Secure FTP client
• /etc/ssh/ssh_config changes:
    Host *
    ConnectTimeout 120
    StrictHostKeyChecking no

rsync!
• Not part of OpenSSH
• Does not require ssh, but will use it
• Synchronize entire directory trees between multiple servers
• Delta-transfer algorithm dramatically reduces the data sent over the network
• Not just a client...
Clients for Windows
http://www.chiark.greenend.org.uk/~sgtatham/putty/
• PuTTY
  – Terminal emulation
  – Saved profiles
  – Command line options for shortcuts
• PuTTYgen
  – Utility to create key pairs
• Plink
  – Remote command execution (CGI)
• PSCP and PSFTP
  – Command mode file transfer

Clients for Windows
http://winscp.net
• WinSCP
  – Graphical file transfer utility
  – ‘Live’ editing of remote files!

Public / Private Key Pairs
• Generated automatically if needed
  – Password needed for authentication
  – Some clients will allow saving passwords (not secure!)
• May be created and exchanged ahead of time
  – No password needed
• Public key
  – Not secret (may be e-mailed or published)
• Private key
  – Keep it secret
  – Keep it safe!

Generating Keys on unix
• ssh-keygen (OpenSSH) command:
    ssh-keygen -C datatel@datatel.ashland.edu
  – Defaults:
    • 2048 bit RSA type keys
    • ~/.ssh/id_rsa (private key)
    • ~/.ssh/id_rsa.pub (public key)
  – I don’t use a passphrase normally
  – Comment – just for your identification
  – .ssh directory is private – don’t change it

Generating Keys on Windows
• PuTTYgen
  – Click ‘Generate’
  – Move mouse
  – Save private key
  – Copy public key and paste in authorized_keys file
  – Load private key file to see public key

Where to put Public Keys
• On the system you will connect to
  – Unix: ~/.ssh/authorized_keys
  – Windows: C:\Program Files\freeSSHd\Authorized_Keys\username
  – Each key is one (long) line of text:
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuMqLt5t+lF1W3oz7WtSBQX8zaBFHrD0vG4B4yyHBC9gLid44Mr3CFwiDAK8YZTtLzqWHHZdjMv90kZ3AKC8O6m+VQbS42Q6jCPN18kHPKPLt+cJ1rHWYY1IwbEnHTAnIxUW3AMw6FgpjYJgcipJjIBzauk1S5IHUl5agG+AJvMHa6wsePKJn3jkl3py1kPLz67DitboXvErCVtxBEwFeGzYFTP23MXE6Uwj7I5m0OH5m9o9TeTFuEF9OvwFMr/qsksaHoGQ3Gjo9mVUumpdTLZzKjVhTdsQ3XelWALj/onFlneHZPej0TK0JevJ3Ms3c2xl9BmluP5aS72sw7jk4Rw== datatel@datatel.ashland.edu
  – Paste key using any text editor

Using the Private Key
• Unix – Automatic!
• PuTTY
  – Command line (-i path)
  – Saved Session
    • Connection > SSH > Auth

Using the Private Key
• WinSCP
  – Command line (/privatekey path)
  – Advanced Site Settings
    • SSH > Authentication

Logging in as root!
• No need to give out root password
• Each user generates their own key pair
• If they leave – just remove their public key (don’t need to change the password!)
• Treat other servers as additional ‘users’

Importing Bookstore Charges (GLIM)
    #!/bin/bash
    # The slide does not show where $logfile is set; this path is an assumption
    logfile="/var/log/glim_import.log"
    #
    RemoteHost="TAO700673@taonlinesys.mbsbooks.com"
    RemotePath="FromMBS"
    #
    ImportPath="/datatel/coll18/production/apphome/DATA/DATA_G/GL.INTERFACES"
    DropPath="/home/mbsftp"
    DropFile="bks*.TXT"
    #
    # Get files from the remote server (the glob is expanded on the remote side)
    #
    /usr/bin/scp $RemoteHost:$RemotePath/$DropFile "$DropPath/" >> $logfile 2>&1
    #
    # Now that we have them local, delete them from the remote server
    #
    for filepath in $DropPath/$DropFile ; do
        filename=$(basename $filepath)
        RemoteCommand="rm -f $RemotePath/$filename"
        ssh $RemoteHost "$RemoteCommand" >> $logfile 2>&1
    done
    #

Restarting Tomcat (WebAdvisor)
    #!/bin/bash
    # Only the Colleague host is allowed to trigger the restart
    if [[ $( /bin/hostname ) = "datatel.ashland.edu" ]] ; then
        /usr/bin/ssh root@webadvisor.ashland.edu service tomcat restart
    fi
• Part of Colleague system boot process
• Runs as ‘root’, so root’s default key pair is used
• No password in script

Locking UI
• Users start UI with: https://ui.ashland.edu
  – Normal web.config file redirects to: https://ui.ashland.edu:8183/Colleague/launch.htm
  – Script gets a copy of the web.config file using sftp
  – Script creates a new web.config that redirects to: http://ui.ashland.edu/OOS.htm
  – Script transfers the new web.config to the web server using sftp
• Users who know the real URL can still use UI
• Unlock just does the reverse

Locking WebAdvisor
• Similar to locking UI
  – No files are transferred between systems
  – Script uses ssh to copy files on the web server
• Users who know the whole URL can still run
• Doesn’t lock portal access to WebAdvisor
• Works in combination with stopping listener
  – Better message ☺

File Transfers in UniData
• X.SFTP.SEND
  – UniBasic program any user can run
  – Builds a temporary script for input to sftp
  – Copies the ‘datatel’ private key and sets permissions
  – Runs sftp with the -b option to process the temporary script and use the private key copy
  – Deletes the copy of the private key
    X.SFTP.SEND _HOLD_ XEI_Datatel_Membership_S.csv Ashland_XEI fts.angellearning.com

File Transfers in Envision Basic (Studio)
• S.EXECUTE.SFTP (Ellucian provided)
    SFTP.GET.FILE:
    * Get path to _HOLD_
    X.HOLD.PATH = "_HOLD_"
    X.PATH.ERROR = ""
    X.PATH.MSG = ""
    CALL S.GET.ABS.PATH(X.HOLD.PATH, X.PATH.ERROR, X.PATH.MSG)
    *
    * Call SFTP to transfer the file
    X.SCH.IMPORTS.FILE.NAME = "export.csv"
    X.SFTP.ERROR = ""
    XL.SFTP.RESULT = ""
    X.SFTP.CONFIG = "SCHI"
    X.SFTP.ACTION = "get"
    CALL S.EXECUTE.SFTP(X.SFTP.ERROR, XL.SFTP.RESULT, X.SFTP.CONFIG, X.SFTP.ACTION, X.SCH.IMPORTS.FILE.NAME, X.HOLD.PATH)
    RETURN

Envision SFTP Configuration
• SFTP screen (screenshot)

Conclusion
• Easy connection to multiple servers
• Automation of system management tasks
• Fewer passwords
• Questions?

Don Prezioso
dprez@ashland.edu
419-289-5077
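The "Logging in as root!" and "Restarting Tomcat" slides rely on one authorized_keys line per user or automation job. The following bash functions, added here and not part of the presentation, show that bookkeeping: adding a user's key, restricting an automation key to a single forced command, and revoking access by deleting the key line. The file path is a parameter (on a real host it would be /root/.ssh/authorized_keys) and the key strings in the comments are constructed placeholders.

```shell
#!/bin/bash
# Added example: manage per-user public keys in root's authorized_keys so the
# root password is never shared and access is revoked by deleting one line.
# FILE is a parameter so this can be exercised on a temporary file.

# Append a public key line. If FORCED_COMMAND is given, the key may run only
# that command (e.g. "service tomcat restart") and gets no pty or forwarding.
# Usage: add_authorized_key FILE "ssh-rsa AAAA... user@host" [FORCED_COMMAND]
add_authorized_key() {
    local file=$1 pubkey=$2 cmd=${3:-}
    local opts=""
    if [ -n "$cmd" ]; then
        opts="command=\"$cmd\",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding "
    fi
    printf '%s%s\n' "$opts" "$pubkey" >> "$file"
    chmod 600 "$file"
}

# Remove every key whose trailing comment (the last field) matches exactly,
# i.e. the key of a user who has left. Root's password does not change.
# Usage: remove_authorized_key FILE COMMENT
remove_authorized_key() {
    local file=$1 comment=$2 tmp
    tmp=$(mktemp) || return 1
    awk -v c="$comment" '$NF != c' "$file" > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Print how many key lines carry COMMENT (0 means access is revoked).
# Usage: count_authorized_key FILE COMMENT
count_authorized_key() {
    awk -v c="$2" '$NF == c' "$1" | wc -l | tr -d ' '
}
```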
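The X.SFTP.SEND slide describes a temporary sftp batch script, a private copy of the ‘datatel’ key with tightened permissions, a run with sftp -b, and deletion of the copy; the UI lock script uses the same sftp get/put mechanism. The bash script below is an added example of that sequence, not the UniBasic program itself; the remote user, key path and _HOLD_ location are assumptions.

```shell
#!/bin/bash
# Added example: the X.SFTP.SEND procedure in shell. Builds a batch script,
# works from a private 0600 copy of the key, runs sftp -b, and always cleans up.

# Write the sftp batch script that uploads LOCAL_FILE into REMOTE_DIR and
# print its path. Kept separate from the transfer so it can be checked offline.
# Usage: build_sftp_batch LOCAL_FILE REMOTE_DIR
build_sftp_batch() {
    local local_file=$1 remote_dir=$2 batch
    batch=$(mktemp) || return 1
    {
        printf 'cd %s\n' "$remote_dir"
        printf 'put %s\n' "$local_file"
        printf 'bye\n'
    } > "$batch"
    printf '%s\n' "$batch"
}

# Upload LOCAL_FILE to USER@HOST:REMOTE_DIR using the private key at KEY_SRC.
# Usage: sftp_send LOCAL_FILE REMOTE_DIR USER@HOST KEY_SRC
sftp_send() {
    local local_file=$1 remote_dir=$2 target=$3 key_src=$4
    local batch key_copy
    batch=$(build_sftp_batch "$local_file" "$remote_dir") || return 1
    key_copy=$(mktemp) || return 1
    # Remove the key copy and batch script even if sftp fails or we are killed
    trap "rm -f '$batch' '$key_copy'" EXIT
    # sftp refuses a private key readable by others, so copy it and tighten it
    cp "$key_src" "$key_copy" && chmod 600 "$key_copy" || return 1
    # -b: non-interactive batch mode, aborts on the first failing command
    # -i: authenticate with the private copy instead of the caller's own key
    sftp -b "$batch" -i "$key_copy" "$target"
}

# Runs only when given the four arguments (paths below are assumptions), e.g.
#   sftp_send /datatel/_HOLD_/XEI_Datatel_Membership_S.csv Ashland_XEI \
#             datatel@fts.angellearning.com /home/datatel/.ssh/id_rsa
if [ $# -eq 4 ]; then
    sftp_send "$@"
fi
```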