This might be useful for those wanting to do server administration functions (start/stop tomcat, reboot, stats, etc.) out of an Xwiki doc (make sure your doc is password protected or more, if it allows people to reboot your server! Anything needing root or the tomcat user would use /etc/sudoers to grant specific permissions to specific programs needed by user tomcat-ssh-slave):
Input:

==== Use Groovy Script run server processes and display result ====

See [[SshHelperClass?viewer=code]], [[http://blog.asyd.net/2008/12/xwiki-cest-decidemment-magique/]]

==== Call parseGroovyFromPage("Groovy.SshHelperClass") ====

{{velocity}}
#set( $sshHelper = $xwiki.parseGroovyFromPage("Groovy.SshHelperClass") )
$sshHelper.openSession("127.0.0.1", "22", "tomcat-ssh-slave", "/usr/share/tomcat6/.ssh/id_dsa", "")
{{/velocity}}

==== Output from 'uname -a' ====

##{{velocity}}$sshHelper.runCommand("uname -a"){{/velocity}}##

==== Output from 'free' ====

##{{velocity}}$sshHelper.runCommand("free"){{/velocity}}##

==== Output from 'ps -l U tomcat-ssh-slave U tomcat U apache' ====

##{{velocity}}$sshHelper.runCommand("ps -l h U tomcat-ssh-slave U tomcat U apache"){{/velocity}}##

==== Output from 'df -H' ====

##{{velocity}}$sshHelper.runCommand("df -H"){{/velocity}}##

==== Output from 'top -b -n 1' ====

##{{velocity}}$sshHelper.runCommand("top -b -n 1"){{/velocity}}##

==== Close the connection and exit tomcat-ssh-slave shell ====

warning: if something breaks above, hopefully this will get called, otherwise we get a left-over sub-process tomcat-ssh-slave

##{{velocity}}$sshHelper.close(){{/velocity}}##

Output:

Use Groovy Script run server processes and display result

See SshHelperClass , http://blog.asyd.net/2008/12/xwiki-cest-decidemment-magique/

*Call parseGroovyFromPage("Groovy.SshHelperClass")*

*Output from 'uname -a'*

Linux ce 2.6.27.29-170.2.78.fc10.x86_64 #1 SMP Fri Jul 31 04:16:20 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

*Output from 'free'*

                    total       used       free     shared    buffers     cached
Mem:              1928992    1778932     150060          0      47272     532128
-/+ buffers/cache:            1199532     729460
Swap:             3866616      78776    3787840

*Output from 'ps -l U tomcat-ssh-slave U tomcat U apache'*

5 S    92 18792 18788  0  80   0 -  22060 select ?        0:00 sshd: tomcat-ssh-sl...@notty
0 R    92 18879 18792  1  80   0 -  22453 -      ?        0:00 ps -l h U tomcat-ssh-slave U tomcat U apache
0 S    91 31695     1  0  80   0 - 463955 futex_ ?        7:47 /usr/java/default/bin/java -server -Xms160m -Xmx1024m -XX:PermSize=160m -XX:MaxPermSize=320m ...

*Output from 'df -H'*

Filesystem                       Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00  242G   26G  204G  12% /
/dev/sda1                        200M   15M  175M   8% /boot
tmpfs                            988M  353k  988M   1% /dev/shm

*Output from 'top -b -n 1'*

top - 11:17:20 up 2 days, 16:21,  3 users,  load average: 0.78, 0.68, 0.56
Tasks: 150 total,   2 running, 148 sleeping,   0 stopped,   0 zombie
Cpu(s):  7.7%us,  1.7%sy,  0.0%ni, 90.2%id,  0.3%wa,  0.1%hi,  0.1%si,  0.0%st
Mem:   1928992k total,  1794420k used,   134572k free,    47304k buffers
Swap:  3866616k total,    78776k used,  3787840k free,   532356k cached
...

Special Installation Instructions

To make this run (Fedora Linux):

1. sudo yum install trilead-ssh2 trilead-ssh2-javadoc
2. sudo ln -s /usr/share/java/trilead-ssh2-213.jar /usr/share/java/tomcat6/trilead-ssh2.jar
3. Make sure the "tomcat" user exists in /etc/passwd, and create an additional uid=92 gid=92 account "tomcat-ssh-slave":
   • tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/bin/sh
     ° "tomcat" user created as "disabled" by installing tomcat6-6.0.18-6.2.fc10
   • tomcat-ssh-slave:x:92:92:User for SSH Subprocesses From Tomcat:/home/tomcat-ssh-slave:/bin/bash
     ° create this using the fedora admin utility 'system-config-users' or by hand-editing /etc/passwd...
4. sudo passwd -u tomcat
   • unlock the tomcat account temporarily
5. sudo passwd tomcat
   • set a password for the tomcat account
6. Login to the "tomcat" account using SSH from the current account's terminal.
7. ssh-keygen -t dsa
   • Leave "empty for no passphrase" for decrypting the DSA key produced by ssh-keygen, although it can be specified as the last parameter of sshHelper.openSession("localhost", "22", "tomcat-ssh-slave", "/usr/share/tomcat6/.ssh/id_dsa", "").
8. From the "tomcat" account, run "ssh [email protected]"
   • answer Yes: "Are you sure you want to continue connecting (yes/no)? yes"
   • enter the password for tomcat-ssh-slave set above via system-config-users.
   • exit the connection.
   • The purpose of this step is to test the account, and init /usr/share/tomcat6/.ssh/known_hosts
9. sudo cp /usr/share/tomcat6/.ssh/id_dsa.pub tomcat-ssh-slave/.ssh/authorized_keys
10. From the "tomcat" account, do "ssh [email protected]" again
   • verify that login happens w/o a password prompt, which is what happens when authorized_keys is set to the public key of the account accessing SSH.
   • exit from the tomcat-ssh-slave account. It's now ready to run out of tomcat.
11. passwd -l tomcat
   • lock the tomcat account from further logins, now that it's been set up and the DSA public/private keys have been generated.

TODO:

1. *TODO:* remove the password from user tomcat-ssh-slave ('!!' in the passwd field of /etc/shadow); the password is not needed for login
2. *TODO:* alternately, is there a local customization to ensure certs are only used for login to the account? I know this can be done globally in /etc/ssh/sshd_config: "PasswordAuthentication no" and "PermitEmptyPasswords no"
3. *TODO:* for user tomcat-ssh-slave, integrate "limited command processing" by replacing /bin/sh as login shell with /usr/local/bin/tomcat-ssh-shell (or equiv):

#!/bin/sh
# (the original shebang was "#!/bin/sh -noprofile", which /bin/sh parses as -n, i.e.
#  read-but-do-not-execute, plus an invalid "-o profile"; a non-interactive "sh -c"
#  as started by sshd does not read profile files anyway)
###############################################################################
#
# File:        sshslave-shell
# RCS:         $Header: $
# Description: Shell to allow execution of remote commands from a tomcat server.
#   For security purposes, this "login" is limited in the commands it can
#   perform, and runs as a separate user from the tomcat server, separating
#   the ability to directly modify tomcat state from the functionality provided
#   by user tomcat-ssh-slave. This shell is run as the "login shell" (via
#   /etc/passwd) for account tomcat-ssh-slave, which is accessed via SSH.
#   The account is preferably a nonprivileged user account with uid>500. Home
#   directory /home/tomcat-ssh-slave must exist, with correct permissions.
#   /home/tomcat-ssh-slave contains scripts referred to via fully qualified
#   filenames in this script. The directory would also store the account's
#   .ssh settings, keys, etc. Secure, password-less access to the tomcat-ssh-slave
#   account can be achieved by having tomcat's SSH public identity
#   /usr/share/tomcat6/.ssh/id_dsa.pub installed as
#   /home/tomcat-ssh-slave/.ssh/authorized_keys (and keeping id_dsa secret).
#   This would prevent the tomcat-ssh-slave "account" from being used by anything
#   other than preauthorized accounts.
#
# Here are some example commands:
#
#   ssh -x [email protected] cleanlog
#   ssh -x [email protected] getlog
#   ssh -x [email protected] setdbglvl 'INFO'
#   ssh -x [email protected] getdbglvl
#   ssh -x [email protected] tomcat-restart
#   ssh -x [email protected] apache-restart
#   ssh -x [email protected] tomcat-start
#   ssh -x [email protected] apache-start
#   ssh -x [email protected] top
#   ssh -x [email protected] ps
#   ssh -x [email protected] df
#   ssh -x [email protected] free
#   ssh -x [email protected] reboot
#
# Author:      Niels P. Mayer
# Created:     Monday 8/10/2009
# Modified:
# Language:    Shell-script
# Package:     N/A
# Status:      Production
#
# (C) Copyright 2009, Niels Mayer, all rights reserved.
#
###############################################################################

# make sure nothing funny goes on
PATH="/bin:/usr/bin"
export PATH

# make sure they rsh or ssh in with a single command: sshd starts the login
# shell as "<shell> -c '<command string>'", so $1 must be -c and $2 the command
if [ -z "$1" ] || [ "$1" != "-c" ]
then
    echo "You must use ssh -c to access this account"
    exit 1
else
    shift
    SSHSLAVE_COMMAND="$@"
fi

# only let them run the specific commands listed in the header above
case ${SSHSLAVE_COMMAND} in
    cleanlog | getlog | getdbglvl | tomcat-restart | apache-restart | \
    tomcat-start | apache-start | top | ps | df | free | reboot )
        # single-argument commands: exact match to SSHSLAVE_COMMAND
        exec "/home/tomcat-ssh-slave/${SSHSLAVE_COMMAND}"
        ;;
    setdbglvl* )
        # e.g. setdbglvl 'INFO' ... multiple-argument command. Beware command injection.
        # Split the command string on whitespace: the first word is the program
        # under /home/tomcat-ssh-slave, the remaining words are its arguments.
        set -- ${SSHSLAVE_COMMAND}
        SSHSLAVE_PROGRAM="$1"
        shift
        exec "/home/tomcat-ssh-slave/${SSHSLAVE_PROGRAM}" "$@"
        ;;
    * )
        echo "You are not authorized to do that."
        exit 1
        ;;
esac

Niels
http://nielsmayer.com
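An added example (not Niels's script) of the "limited command processing" dispatch that the TODO above asks for, written so the allow-list decision is a testable function rather than an exec: the `-c` string sshd hands the login shell is word-split, every word is restricted to `[A-Za-z0-9_-]`, the first word must match an allow-listed program name exactly, and argument counts (and, for setdbglvl, the level value) are checked. The home directory layout is taken from the post; the set of log levels accepted by setdbglvl is an assumption.

```shell
#!/bin/sh
# Added example, not the script from the post. sshd runs the login shell as
#   <shell> -c "<command string>"
# so the whole client command arrives as ONE string. This resolves that string
# to an argv (one word per line on stdout) and returns 1 on rejection, so it
# can be tested without exec'ing anything.
set -f                                            # no globbing during word-splitting
SLAVE_HOME=${SLAVE_HOME:-/home/tomcat-ssh-slave}  # assumed layout, as in the post

sshslave_resolve() {
    set -- $1                        # word-split the -c string on IFS whitespace
    [ $# -ge 1 ] || return 1         # empty command
    for word; do                     # no shell metacharacters, slashes or quotes anywhere
        case $word in *[!A-Za-z0-9_-]*) return 1 ;; esac
    done
    name=$1
    shift
    case $name in
        cleanlog|getlog|getdbglvl|tomcat-restart|apache-restart|\
        tomcat-start|apache-start|top|ps|df|free|reboot)
            [ $# -eq 0 ] || return 1 # these take no arguments
            ;;
        setdbglvl)
            [ $# -eq 1 ] || return 1 # exactly one argument: the level
            case $1 in
                TRACE|DEBUG|INFO|WARN|ERROR) ;;   # assumed levels accepted by setdbglvl
                *) return 1 ;;
            esac
            ;;
        *) return 1 ;;               # not on the allow-list
    esac
    printf '%s\n' "$SLAVE_HOME/$name" "$@"
}

# In the login shell this would be used as:
#   [ "$1" = -c ] || exit 1; argv=$(sshslave_resolve "$2") || exit 1
#   set -- $argv; exec "$@"        (words contain no whitespace, so re-splitting is safe)
# Stand-alone, just show the decisions for a few constructed inputs:
for cmd in 'free' 'setdbglvl INFO' 'setdbglvl INFO; reboot' 'uname -a' 'df -H'; do
    if sshslave_resolve "$cmd" >/dev/null; then echo "allow: $cmd"; else echo "deny:  $cmd"; fi
done
```

The same restriction can also be imposed from the sshd side by prefixing the key in authorized_keys with `command="/usr/local/bin/tomcat-ssh-shell",no-pty,no-port-forwarding,no-X11-forwarding`, in which case the script reads the client's command from `$SSH_ORIGINAL_COMMAND` instead of `$2`; key-only login for just this account (the second TODO) is a `Match User tomcat-ssh-slave` block in sshd_config setting `PasswordAuthentication no`.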

