On Mon, Oct 30, 2006 at 12:38:59AM -0500, Eric Furman wrote:
| On Sun, 29 Oct 2006 23:12:49 +0100 (CET), "Otto Moerbeek"
| <[EMAIL PROTECTED]> said:
| > > but as has been pointed out, it is trivial to write a script
| > > that would automatically go out and modify /etc/group
| > > on even a large number of boxes.
| > >
| > > This is rough, needs polishing, use at own risk, blah blah...
| > >
| > > BOXES="server1 server2 server3 ..."
| > >
| > > for box in $BOXES
| > > do
| > >   { sleep 5;echo "username";sleep 2;echo "password";sleep 2;
| > > echo "sudo do some command left as exercise for reader";
| > > sleep 3;echo "exit"; } |telnet $box 2>>/tmp/rcmd.error 1>/dev/null
| > > done
| >
| > You got to be kidding. This is the worst script I've seen in ages.
|
| I only offered this because the OP seemed to indicate that he had
| a large number of machines and it would be inconvenient to make
| the change to /etc/group on all of them. If you administer several
| dozen to more than a hundred machines it is quite inconvenient to
| do this. If there is a better way of doing this I would be quite
| interested in hearing about it.  Please do not point out the security
| implications of this. It has already been greatly considered. It
| should be clearly obvious how this can be made safe. And no, I
| haven't used telnet in nearly ten years, but I and all my users
| always type "telnet" at the command line. It's familiar.
| I offered help. You offered nothing but useless noise.

You offered no such thing, I'm afraid. If you haven't used telnet for
nearly ten years[1], why do you still type it at the command line?

Don't pipe sleep and echoes (esp. passwords) to telnet. Not a good
plan. This is horribly insecure in multiple ways. Even if you had
greatly considered these, you should have indicated as much. People
not as experienced as you may read your example and take it for a good
solution, security-wise.

        BOXES="your set of machines"
        ID="the username you want to have run the script"
        CMD="some command left as exercise for reader"

        for box in ${BOXES}
        do
                ssh [EMAIL PROTECTED] ${CMD}
        done

Don't forget to set up proper keys for authenticating and using an
ssh-agent on the machine you're doing this from. This still may not be
the best way to handle many machines (as in, 1000s) as the
serialisation will make your machines be out of sync for quite a long
time. If ${CMD} is overly complex, consider putting everything in a
script, and add an `scp ${script} [EMAIL PROTECTED]:/tmp/` before the
ssh-line and change that line to `ssh [EMAIL PROTECTED] sh /tmp/${script}`

Please don't offer bad help. Better to offer nothing at all.

Paul 'WEiRD' de Weerd

[1]: I still use telnet on a daily basis, I just don't use telnetd.

--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/
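The ssh loop Paul sketches, written out as a complete sh script. This is an added example, not code from the thread: it assumes an ssh-agent holding the key for the chosen user, every target already present in known_hosts, and a host list supplied on the command line. The `SSH` and `MAXJOBS` variables, `valid_host`, `run_on_hosts` and the file name `fix-group.sh` are the example's own names. It goes slightly beyond the message by running a bounded number of hosts at a time and recording each host's exit code, so a half-finished rollout is visible instead of silent.

```shell
#!/bin/sh
# Added example (not from the thread): fan one command out to many hosts
# over ssh, key-based authentication only, a few hosts at a time.
# Assumes an ssh-agent with the key for USER and every host in known_hosts
# (StrictHostKeyChecking=yes refuses unknown keys instead of trusting them).

: "${SSH:=ssh}"      # command used to reach a host; a hook for dry runs
: "${MAXJOBS:=8}"    # hosts worked on concurrently per batch

# BatchMode=yes: ssh fails instead of prompting, so no password is ever
# typed, echoed or piped by this script.
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=10 -o StrictHostKeyChecking=yes"

# The host name becomes a file name under LOGDIR, so only accept characters
# a host name can contain.
valid_host() {
    case $1 in
        "" | *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# run_on_hosts USER LOGDIR INPUT CMD HOST...
#   Runs CMD as USER on every HOST, MAXJOBS at a time, feeding INPUT (a file,
#   or /dev/null) to the remote command's stdin. Per-host stdout, stderr and
#   exit code go to LOGDIR/HOST.out, .err and .rc. Prints the number of hosts
#   that failed (0 means every host succeeded).
run_on_hosts() {
    user=$1 logdir=$2 input=$3 cmd=$4
    shift 4
    running=0
    for box in "$@"; do
        valid_host "$box" || { echo "skipping bad host name: $box" >&2; continue; }
        (
            if $SSH $SSH_OPTS "${user}@${box}" "$cmd" \
                   <"$input" >"${logdir}/${box}.out" 2>"${logdir}/${box}.err"; then
                rc=0
            else
                rc=$?
            fi
            echo "$rc" >"${logdir}/${box}.rc"
        ) &
        running=$((running + 1))
        if [ "$running" -ge "$MAXJOBS" ]; then
            wait            # finish this batch before starting the next
            running=0
        fi
    done
    wait
    failed=0
    for box in "$@"; do
        if valid_host "$box" && [ "$(cat "${logdir}/${box}.rc" 2>/dev/null)" = 0 ]; then
            :
        else
            failed=$((failed + 1))     # skipped, unreachable or non-zero exit
        fi
    done
    echo "$failed"
}

# Usage: sh fanout.sh USER 'COMMAND' HOST...   e.g. sh fanout.sh admin 'uname -r' web1 web2
# To run a whole script, feed it on stdin instead of copying it to a
# predictable /tmp path (fix-group.sh is a hypothetical file name):
#   run_on_hosts admin "$logdir" ./fix-group.sh 'sh -s' web1 web2
if [ $# -ge 3 ]; then
    user=$1 cmd=$2
    shift 2
    logdir=$(mktemp -d) || exit 1
    failed=$(run_on_hosts "$user" "$logdir" /dev/null "$cmd" "$@")
    echo "$failed of $# host(s) failed; per-host logs in $logdir"
    [ "$failed" -eq 0 ] || exit 1
fi
```

Feeding a script over stdin (`ssh user@host sh -s < script`) does the same job as the scp-then-run step without leaving a world-readable copy under a predictable name on every machine. The per-host `.rc` files are what you check afterwards: a host that timed out or refused the key shows up as 255, not as a silently skipped entry.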

