Re: [systemd-devel] systemd services via SSH (-H key)

2015-10-26 Thread Lennart Poettering
On Sat, 24.10.15 15:57, Reindl Harald (h.rei...@thelounge.net) wrote:

> On 24.10.2015 at 15:04, Lennart Poettering wrote:
> >Well, I am pretty sure using "#" as separator for that is a really
> >untypical syntax. I am not sure it's really such a big improvement
> >supporting such a syntax over simply asking people to put the right
> >statement in ~/.ssh/config... Note that the stuff in ~/.ssh/config is
> >really powerful as you can actually define wildcards and stuff...
> 
> but it's pretty useless in cases where you have a dozen virtual machines
> inside a NAT port forwarded on a router because only a single public IP - in
> that case you need to define a port for the connection
> 
> I had such a standard VMware NAT with single ports forwarded for many years
> before I gave up with notebooks and changed my whole IT to two machines
> connected via VPNs and static routes

Well, please talk to the ssh upstream folks. Ask them to add such a
syntax, so that it is universally supported. Without a change
systemctl will then understand the syntax too.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel


Re: [systemd-devel] systemd services via SSH (-H key)

2015-10-24 Thread Andrei Borzenkov

24.10.2015 16:57, Reindl Harald wrote:
> On 24.10.2015 at 15:04, Lennart Poettering wrote:
>> Well, I am pretty sure using "#" as separator for that is a really
>> untypical syntax. I am not sure it's really such a big improvement
>> supporting such a syntax over simply asking people to put the right
>> statement in ~/.ssh/config... Note that the stuff in ~/.ssh/config is
>> really powerful as you can actually define wildcards and stuff...
>
> but it's pretty useless in cases where you have a dozen virtual machines
> inside a NAT port forwarded on a router because only a single public IP
> - in that case you need to define a port for the connection

Host in ssh.config is matched against host on command line; inside you
can set HostName and Port which define real connection end point. So you
may have multiple virtual hosts with different port each referring to
the same real IP.

> I had such a standard VMware NAT with single ports forwarded for many
> years before I gave up with notebooks and changed my whole IT to two
> machines connected via VPNs and static routes





Re: [systemd-devel] systemd services via SSH (-H key)

2015-10-24 Thread Reindl Harald


On 24.10.2015 at 15:04, Lennart Poettering wrote:
> Well, I am pretty sure using "#" as separator for that is a really
> untypical syntax. I am not sure it's really such a big improvement
> supporting such a syntax over simply asking people to put the right
> statement in ~/.ssh/config... Note that the stuff in ~/.ssh/config is
> really powerful as you can actually define wildcards and stuff...

but it's pretty useless in cases where you have a dozen virtual machines
inside a NAT port forwarded on a router because only a single public IP
- in that case you need to define a port for the connection

I had such a standard VMware NAT with single ports forwarded for many
years before I gave up with notebooks and changed my whole IT to two
machines connected via VPNs and static routes






Re: [systemd-devel] systemd services via SSH (-H key)

2015-10-24 Thread Lennart Poettering
On Sat, 24.10.15 09:20, Stuart Longland (stua...@longlandclan.id.au) wrote:

> Makes sense.  So that explains why not another character such as /.  I
> suppose # might work as a delimiter for specifying a port number:
> 
> e.g.
>   foo#portno
> 
> I seem to recall seeing that in BIND:
> > 24-Oct-2015 00:12:26.494 queries: client 10.255.255.251#59505 
> > (www.bom.gov.au): query: www.bom.gov.au IN  +EDC (10.255.255.1)
> 
> You might need to escape the # in some places, but it would at least
> allow specification of the port number.

Well, I am pretty sure using "#" as separator for that is a really
untypical syntax. I am not sure it's really such a big improvement
supporting such a syntax over simply asking people to put the right
statement in ~/.ssh/config... Note that the stuff in ~/.ssh/config is
really powerful as you can actually define wildcards and stuff...

Also note that ssh itself expects the port number to be specified via
-p or -P (in case of scp), and does not encode it in the argument name
either. In fact, in scp this becomes very visible where copying
something to "scp foo.txt bar:4711" will create a file 4711 on the
destination, instead of understanding that as port number. Now, if ssh
doesn't know such a syntax we shouldn't invent one either...

Lennart

-- 
Lennart Poettering, Red Hat


Re: [systemd-devel] systemd services via SSH (-H key)

2015-10-24 Thread Reindl Harald
well, you can argue with all sorts of workarounds, lacking something
like specifying a port for a tcp connection is a fractal of bad design


On 24.10.2015 at 16:58, Andy Pieters wrote:
> Exactly so for Reindl's use scenario, considering 5 hosts all on the
> same ip address but with different ports, called
> host1,host2,host3,host4, and host5:
>
> Either system-wide in ssh_config, or per user in ~/.ssh/config:
>
> # define common settings for all five hosts
> Host host1 host2 host3 host4 host5
>  HostName mynatedhost.com
>
> # Then match each individually to set the correct port
>
> Host host1
>  Port 8822
>
> Host host2
>  Port 8823
>
> Host host3
>  Port 8824
>
> Host host4
>  Port 8825
>
> Host host5
>  Port 8826
>
> On 24 October 2015 at 15:17, Andrei Borzenkov wrote:
>> 24.10.2015 16:57, Reindl Harald wrote:
>>> On 24.10.2015 at 15:04, Lennart Poettering wrote:
>>>> Well, I am pretty sure using "#" as separator for that is a really
>>>> untypical syntax. I am not sure it's really such a big improvement
>>>> supporting such a syntax over simply asking people to put the right
>>>> statement in ~/.ssh/config... Note that the stuff in ~/.ssh/config is
>>>> really powerful as you can actually define wildcards and stuff...
>>>
>>> but it's pretty useless in cases where you have a dozen virtual
>>> machines inside a NAT port forwarded on a router because only a single
>>> public IP - in that case you need to define a port for the connection
>>
>> Host in ssh.config is matched against host on command line; inside
>> you can set HostName and Port which define real connection end
>> point. So you may have multiple virtual hosts with different port
>> each referring to the same real IP.
>>
>>> I had such a standard VMware NAT with single ports forwarded for
>>> many years before I gave up with notebooks and changed my whole IT to two
>>> machines connected via VPNs and static routes






Re: [systemd-devel] systemd services via SSH (-H key)

2015-10-23 Thread Lennart Poettering
On Fri, 23.10.15 09:07, Stuart Longland (stua...@longlandclan.id.au) wrote:

> On 23/10/15 08:59, Reindl Harald wrote:
> >> Because the syntax of -H parameter is "[user@]host[:container]"
> >> and it does not allow specifying an explicit port number.
> > 
> > [user@]host[:container][:port]
> > [user@]host[:port][:container]
> 
> Can a container name be all-numeric?

We make the same restrictions on container names as on host names. And
that means all-numeric is OK.

> Who made the decision to use ':'?  Any particular reason?

I did.

The ultimate goal is that I wanted a way to reference units in the
network, by specifying a path to them. I.e. something like:

   foo:bar:baz/apache.service

Should refer to the "apache.service" unit in container "baz", that
runs inside container "bar" on host "foo"...

With that command lines like the following should work:

   systemctl start foo:bar:baz/apache.service
   systemctl stop foo:bar:baz/apache.service
   systemctl status foo:bar:baz/apache.service

(and in case we want to access a service running in a local container
the syntax would be:

  systemctl start :quux:waldo/mysql.service

which would mean the mysql service running on container waldo, which
runs in container quux on the local host)

But, as things go, this is just something I always wanted to support,
but never actually worked on to deliver. Parts of it are implemented
though, such as the "-H foo:bar" thing, or the "-M bar" thing... But
taking it all the way is a bit more work.

Again, if you use non-standard parameters for accessing remote ssh
services, my recommendation would be to configure them in
~/.ssh/config, and that's not just the port number, but everything
else too, like cyphers, the username, ...

Lennart

-- 
Lennart Poettering, Red Hat


Re: [systemd-devel] systemd services via SSH (-H key)

2015-10-23 Thread Lennart Poettering
On Fri, 23.10.15 14:24, Mantas Mikulėnas (graw...@gmail.com) wrote:

> Yeah, I was referring to UUCP, since it's the same kind of hop-by-hop
> source-routing.
> 
> (Admittedly, ":" was used the same way in Berknet...)
> 
> Though, wouldn't containers just run sshd themselves? Or is this mostly for
> very-lightweight things?

I don't see why they would. The whole concept of "machinectl shell"
and "machinectl login" exists to make it unnecessary to make every
container world-accessible via SSH but still provide a nice, safe and
correct way to get a shell in them (i.e. one that is actually a proper
login shell with PAM, utmp and all that crap, instead of just an
nsenter thing).

In general, doing SSH not only means running another world-accessible
server, but in most cases also picking a good password for root (or
some other local user), as ssh is probably more often used with
passwords than with keys I figure, still. By avoiding direct ssh when
accessing local containers and sticking to "machinectl shell" we can
sidestep the issue, as we can simply take benefit of the fact that the
container's host is always more trusted than the container itself...

What's missing of course here too is that this works:

   machinectl shell foo:bar

and so on, to directly get a shell in container "bar" that lives
inside container "foo"...

But well, given that stacking containers is generally questionable
this is not a high priority to support...

Lennart

-- 
Lennart Poettering, Red Hat


Re: [systemd-devel] systemd services via SSH (-H key)

2015-10-23 Thread Lennart Poettering
On Fri, 23.10.15 14:03, Mantas Mikulėnas (graw...@gmail.com) wrote:

> On Fri, Oct 23, 2015 at 1:55 PM, Lennart Poettering 
> wrote:
> 
> > On Fri, 23.10.15 00:59, Reindl Harald (h.rei...@thelounge.net) wrote:
> >
> > >
> > >
> > > On 23.10.2015 at 00:39, Ivan Shapovalov wrote:
> > > >On 2015-10-22 at 23:12 +0200, Reindl Harald wrote:
> > > >>[...]
> > > >>and why not simply "timedatectl -H user@host[:port]" since host:port is
> > > >>a well known protocol agnostic way to specify a non-default port?
> > > >
> > > >Because the syntax of -H parameter is "[user@]host[:container]"
> > > >and it does not allow specifying an explicit port number.
> > >
> > > [user@]host[:container][:port]
> > > [user@]host[:port][:container]
> > >
> > > nothing unusual
> >
> > Nope. The idea is that
> >
> >   foo:bar:baz:waldo
> >
> > is kind of "path": connect to host "foo", enter its container "bar",
> > and from there connect to "bar"'s container "baz" and then further
> > down into "baz"'s container "waldo"... Containers are stackable after
> > all.
> >
> 
> The usual path separator would be "/" or "!", then?

I have never seen "!" for this. (or well, maybe uucp, but christ...)

Also, my intention was to use "/" for separating the unit name (see
other mail).

I'd claim this is in-line with how most URLs work, where "/" is used
to locate the resource on the final system, and everything before the
first "/" is the identifier of the system.

> Hopefully -H at least parses root@[2001:db8::1] correctly...

Nope, it won't. We just blindly look for the first ":"...

Would be willing to take a patch that makes such ipv6 references work.

The code is here:

https://github.com/systemd/systemd/blob/master/src/libsystemd/sd-bus/sd-bus.c#L1308

Lennart

-- 
Lennart Poettering, Red Hat
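
Lennart's remark above that the -H parser just looks for the first ":" is exactly what breaks "root@[2001:db8::1]". As an added example that is not systemd's code (the function and struct names are hypothetical), here is a C parser for the `[user@]host[:container]` form that treats a bracketed IPv6 literal as opaque and rejects malformed input instead of silently misrouting:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from systemd: a hypothetical parser for the
 * "-H [user@]host[:container]" argument. Instead of blindly splitting on
 * the first ':', it treats a bracketed host "[...]" as opaque, so
 * "root@[2001:db8::1]:bar" yields host "2001:db8::1" and container "bar".
 * A stacked path such as "foo:bar:baz" keeps "bar:baz" in the container
 * field for the caller to walk hop by hop. */

struct host_arg {
    char user[64];       /* empty when no "user@" prefix was given */
    char host[256];      /* IPv6 literal is stored without the brackets */
    char container[256]; /* empty when no ":container" suffix was given */
};

/* Returns 0 on success, -1 on malformed input: empty field, unterminated
 * '[', junk after ']', or a field too long for its buffer. */
int parse_host_arg(const char *arg, struct host_arg *out) {
    const char *p = arg, *at, *host_start, *host_end, *rest;
    size_t n;

    memset(out, 0, sizeof(*out));
    if (!arg || !*arg) return -1;

    /* Optional "user@" prefix: everything before the first '@'. */
    at = strchr(p, '@');
    if (at) {
        n = (size_t)(at - p);
        if (n == 0 || n >= sizeof(out->user)) return -1;
        memcpy(out->user, p, n);
        p = at + 1;
    }

    if (*p == '[') {
        /* Bracketed IPv6 literal: a ':' inside the brackets is not a separator. */
        host_start = p + 1;
        host_end = strchr(host_start, ']');
        if (!host_end || host_end == host_start) return -1;
        rest = host_end + 1;
        if (*rest != '\0' && *rest != ':') return -1;
    } else {
        /* Plain host name: the first ':' (if any) starts the container part. */
        host_start = p;
        host_end = strchr(p, ':');
        if (!host_end) host_end = p + strlen(p);
        rest = host_end;
    }
    n = (size_t)(host_end - host_start);
    if (n == 0 || n >= sizeof(out->host)) return -1;
    memcpy(out->host, host_start, n);

    if (*rest == ':') {
        n = strlen(rest + 1);
        if (n == 0 || n >= sizeof(out->container)) return -1;
        memcpy(out->container, rest + 1, n);
    }
    return 0;
}

int main(void) {
    /* Constructed sample inputs; the last one shows that an unbracketed
     * IPv6 literal is still split at its first ':' and must be bracketed. */
    const char *samples[] = { "root@foo:bar", "root@[2001:db8::1]:bar", "2001:db8::1" };
    struct host_arg a;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (parse_host_arg(samples[i], &a) < 0)
            printf("%-24s -> malformed\n", samples[i]);
        else
            printf("%-24s -> user=\"%s\" host=\"%s\" container=\"%s\"\n",
                   samples[i], a.user, a.host, a.container);
    }
    return 0;
}
```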


Re: [systemd-devel] systemd services via SSH (-H key)

2015-10-23 Thread Lennart Poettering
On Fri, 23.10.15 00:59, Reindl Harald (h.rei...@thelounge.net) wrote:

> 
> 
> On 23.10.2015 at 00:39, Ivan Shapovalov wrote:
> >On 2015-10-22 at 23:12 +0200, Reindl Harald wrote:
> >>[...]
> >>and why not simply "timedatectl -H user@host[:port]" since host:port is
> >>a well known protocol agnostic way to specify a non-default port?
> >
> >Because the syntax of -H parameter is "[user@]host[:container]"
> >and it does not allow specifying an explicit port number.
> 
> [user@]host[:container][:port]
> [user@]host[:port][:container]
> 
> nothing unusual

Nope. The idea is that 

  foo:bar:baz:waldo

is kind of "path": connect to host "foo", enter its container "bar",
and from there connect to "bar"'s container "baz" and then further
down into "baz"'s container "waldo"... Containers are stackable after
all.

(Not saying that's actually stacking containers is a great idea, but I
think the basic concepts should cater for that. Also, currently nspawn
can be stacked as a matter of fact...)

Lennart

-- 
Lennart Poettering, Red Hat


Re: [systemd-devel] systemd services via SSH (-H key)

2015-10-23 Thread Mantas Mikulėnas
On Fri, Oct 23, 2015 at 2:11 PM, Lennart Poettering wrote:

> On Fri, 23.10.15 14:03, Mantas Mikulėnas (graw...@gmail.com) wrote:
>
> > On Fri, Oct 23, 2015 at 1:55 PM, Lennart Poettering <lenn...@poettering.net> wrote:
> >
> > > On Fri, 23.10.15 00:59, Reindl Harald (h.rei...@thelounge.net) wrote:
> > >
> > > > On 23.10.2015 at 00:39, Ivan Shapovalov wrote:
> > > > >On 2015-10-22 at 23:12 +0200, Reindl Harald wrote:
> > > > >>[...]
> > > > >>and why not simply "timedatectl -H user@host[:port]" since host:port is
> > > > >>a well known protocol agnostic way to specify a non-default port?
> > > > >
> > > > >Because the syntax of -H parameter is "[user@]host[:container]"
> > > > >and it does not allow specifying an explicit port number.
> > > >
> > > > [user@]host[:container][:port]
> > > > [user@]host[:port][:container]
> > > >
> > > > nothing unusual
> > >
> > > Nope. The idea is that
> > >
> > >   foo:bar:baz:waldo
> > >
> > > is kind of "path": connect to host "foo", enter its container "bar",
> > > and from there connect to "bar"'s container "baz" and then further
> > > down into "baz"'s container "waldo"... Containers are stackable after
> > > all.
> > >
> >
> > The usual path separator would be "/" or "!", then?
>
> I have never seen "!" for this. (or well, maybe uucp, but christ...)
>

Yeah, I was referring to UUCP, since it's the same kind of hop-by-hop
source-routing.

(Admittedly, ":" was used the same way in Berknet...)

Though, wouldn't containers just run sshd themselves? Or is this mostly for
very-lightweight things?

-- 
Mantas Mikulėnas 


Re: [systemd-devel] systemd services via SSH (-H key)

2015-10-23 Thread Stuart Longland
On 23/10/15 21:04, Lennart Poettering wrote:
>> Can a container name be all-numeric?
> We make the same restrictions on container names as on host names. And
> that means all-numeric is OK.

Ahh, so there goes the idea of just using heuristics (i.e. am I looking
at a string of digits only) to determine if it's a port number or a
container name.

>> Who made the decision to use ':'?  Any particular reason?
> I did.
> 
> The ultimate goal is that I wanted a way to reference units in the
> network, by specifying a path to them. I.e. something like:
> 
>foo:bar:baz/apache.service

Makes sense.  So that explains why not another character such as /.  I
suppose # might work as a delimiter for specifying a port number:

e.g.
foo#portno

I seem to recall seeing that in BIND:
> 24-Oct-2015 00:12:26.494 queries: client 10.255.255.251#59505 
> (www.bom.gov.au): query: www.bom.gov.au IN  +EDC (10.255.255.1)

You might need to escape the # in some places, but it would at least
allow specification of the port number.

Regards,
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.





Re: [systemd-devel] systemd services via SSH (-H key)

2015-10-22 Thread Mikhail Kasimov
23.10.2015 0:50, Jan Alexander Steffens пишет:
> On Thu, Oct 22, 2015 at 11:07 PM, Mikhail Kasimov wrote:
>> Hello!
>>
>> 1. systemd services have a special key (-H) to connect to remote host
>> via ssh. E.g. 'timedatectl -H user@host'. By default port 22 is used.
>> But in very often cases admins change the default ssh-port in
>> sshd-daemon settings (e.g. 41122). It's useful to avoid connections from
>> ssh-bruteforce robots.
>> But systemd has no way (I can't find it in man-pages for example) how to
>> define the admin-defined ssh connection port (possibly, other ssh
>> options are also not accessable).
> 
> You can use ~/.ssh/config to alter any connection properties
> associated with a certain hostname, even directing the connection to a
> completely different host (a way of creating aliases).
> 
> Example:
> 
> Host foo
>   HostName foo.example.com
>   User bar
>   Port 41122
> 
> and henceforth, `timedatectl -H foo` will connect to 
> b...@foo.example.com:41122

Hmm... it's a simple variant I didn't think about, thanks. But I have
built a more complicated conception.





Re: [systemd-devel] systemd services via SSH (-H key)

2015-10-22 Thread Reindl Harald



On 22.10.2015 at 23:07, Mikhail Kasimov wrote:
> 1. systemd services have a special key (-H) to connect to remote host
> via ssh. E.g. 'timedatectl -H user@host'. By default port 22 is used.
> But in very often cases admins change the default ssh-port in
> sshd-daemon settings (e.g. 41122). It's useful to avoid connections from
> ssh-bruteforce robots.
> But systemd has no way (I can't find it in man-pages for example) how to
> define the admin-defined ssh connection port (possibly, other ssh
> options are also not accessible). The workaround is to define: 'ssh -p
> 41122 user@host' in console and then, after connection is on, proceed
> 'timedatectl' on remote host.
> But in this way it's not clear the profit of systemd's -H key and this
> functionality looks redundant as for me.
>
> Solutions:

and why not simply "timedatectl -H user@host[:port]" since host:port is
a well known protocol agnostic way to specify a non-default port?






Re: [systemd-devel] systemd services via SSH (-H key)

2015-10-22 Thread Ivan Shapovalov
On 2015-10-22 at 23:12 +0200, Reindl Harald wrote:
> [...]
> and why not simply "timedatectl -H user@host[:port]" since host:port is
> a well known protocol agnostic way to specify a non-default port?

Because the syntax of -H parameter is "[user@]host[:container]"
and it does not allow specifying an explicit port number.

Why don't you read manpages before replying?

-- 
Ivan Shapovalov / intelfx /



signature.asc
Description: This is a digitally signed message part


[systemd-devel] systemd services via SSH (-H key)

2015-10-22 Thread Mikhail Kasimov
Hello!

1. systemd services have a special key (-H) to connect to remote host
via ssh. E.g. 'timedatectl -H user@host'. By default port 22 is used.
But in very often cases admins change the default ssh-port in
sshd-daemon settings (e.g. 41122). It's useful to avoid connections from
ssh-bruteforce robots.
But systemd has no way (I can't find it in man-pages for example) how to
define the admin-defined ssh connection port (possibly, other ssh
options are also not accessible). The workaround is to define: 'ssh -p
41122 user@host' in console and then, after connection is on, proceed
'timedatectl' on remote host.
But in this way it's not clear the profit of systemd's -H key and this
functionality looks redundant as for me.

Solutions:
==

1. To formalize the systemd-via-ssh connections like it was done for
snmpssh [RFC5592] for example. 'grep snmp < /etc/services':

snmp            161/tcp    # SNMP
snmp            161/udp    # SNMP
snmptrap        162/tcp    # SNMPTRAP  [Marshall_Rose]
snmptrap        162/udp    # SNMPTRAP  [Marshall_Rose]
snmp-tcp-port   1993/tcp   # cisco SNMP TCP port
snmp-tcp-port   1993/udp   # cisco SNMP TCP port
oce-snmp-trap   2697/tcp   # Oce SNMP Trap Port  [Peter_Teeuwen]
oce-snmp-trap   2697/udp   # Oce SNMP Trap Port  [Peter_Teeuwen]
websphere-snmp  3427/tcp   # WebSphere SNMP  [Richard_Mills]
websphere-snmp  3427/udp   # WebSphere SNMP  [Richard_Mills]
snmpssh         5161/tcp   # SNMP over SSH Transport Model  [RFC5592]
snmpssh-trap    5162/tcp   # SNMP Notification over SSH Transport Model  [RFC5592]
patrol-snmp     8161/tcp   # Patrol SNMP  [Portnoy_Boxman]
patrol-snmp     8161/udp   # Patrol SNMP  [Portnoy_Boxman]
snmptls         10161/tcp  # SNMP-TLS  [RFC6353]
snmpdtls        10161/udp  # SNMP-DTLS  [RFC6353]
snmptls-trap    10162/tcp  # SNMP-Trap-TLS  [RFC6353]
snmpdtls-trap   10162/udp  # SNMP-Trap-DTLS  [RFC6353]
suncacao-snmp   11161/tcp  # sun cacao snmp access point  [Nick_Stephen]
suncacao-snmp   11161/udp  # sun cacao snmp access point  [Nick_Stephen]


So, we'll have systemd-ssh via hard-defined tcp\udp port described in
RFC. And if there's no systemd on remote host, user will get a message
like "Cannot proceed on non-systemd host".

2. To extend current -H key functionality with other ssh options (e.g. -p).

3. To delete the redundant functionality (-H key) from systemd services
and to continue to use traditional non-systemd-ways (ssh -p 123 user@host).

By the way, I think the 1. is also acceptable to
systemd-journal-gatewayd\-upload\-remote, if their functionality would
be extended with ssh-transmission supporting (via scp).


Thank you!


Re: [systemd-devel] systemd services via SSH (-H key)

2015-10-22 Thread Stuart Longland
On 23/10/15 08:59, Reindl Harald wrote:
>> Because the syntax of -H parameter is "[user@]host[:container]"
>> and it does not allow specifying an explicit port number.
> 
> [user@]host[:container][:port]
> [user@]host[:port][:container]

Can a container name be all-numeric?
Who made the decision to use ':'?  Any particular reason?
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.


