Author: arkurth Date: Fri Oct 16 22:04:04 2009 New Revision: 826104 URL: http://svn.apache.org/viewvc?rev=826104&view=rev Log: VCL-164 Reworked cygwin-sshd-config.sh and gen-node-key.sh to make Windows base image creation easier. Added some steps to make the scripts more robust to correct problems which would prevent SSH authentication from a management node to a Windows computer using an identity key. Added comments. Set Subversion properties on these scripts.
Modified: incubator/vcl/trunk/managementnode/bin/cygwin-sshd-config.sh (contents, props changed) incubator/vcl/trunk/managementnode/bin/gen-node-key.sh (contents, props changed) Modified: incubator/vcl/trunk/managementnode/bin/cygwin-sshd-config.sh URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/bin/cygwin-sshd-config.sh?rev=826104&r1=826103&r2=826104&view=diff ============================================================================== --- incubator/vcl/trunk/managementnode/bin/cygwin-sshd-config.sh (original) +++ incubator/vcl/trunk/managementnode/bin/cygwin-sshd-config.sh Fri Oct 16 22:04:04 2009 @@ -1,6 +1,7 @@ -############################################################################## -# $Id: $ -############################################################################## +#!/bin/bash +############################################################################### +# $Id$ +############################################################################### # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. 
@@ -17,35 +18,18 @@ # limitations under the License. ############################################################################### # DESCRIPTION -# Configures the Cygwin SSHD service installed in a Windows image. +# Configures the Cygwin SSHD service installed on a Windows computer. # Cygwin and the sshd component must be installed prior to running this script. -# This script should be run on a node which has been installed with a base -# image. After running this script, gen-node-key.sh should be run on a -# management node. -# This script does the following: -# * Stops any running sshd processes and servicies -# * Deletes an existing sshd user account if it exists -# * Deletes existing /etc/ssh* files -# * Sets the correct owner and permissions on several files and directories -# * Recreates the /etc/passwd and /etc/group files -# * Configures the correct system mount points -# * Runs ssh-host-config -# * Sets the following options in /etc/sshd_config: -# LogLevel=VERBOSE -# MaxAuthTries=12 -# PasswordAuthentication=yes -# Banner=none -# UsePrivilegeSeparation=yes -# StrictModes=no -# LoginGraceTime=10 -# Compression=no -# * Configures the sshd service to log to /var/log/sshd.log -# * Grants the log on as a service permission to root -# * Configures the sshd service to run as root -# * Configures the firewall to allow port 22 -# * Starts the sshd service - -# ----------------------------------------------------------------------------- +# This script must be run as root on the Windows computer. The root account's +# password must be supplied as the 1st and only argument to this script. Enclose +# the password in single quotes if it contains special characters. After this +# script completes successfully, the sshd service should be running on the +# Windows computer. After running this script, gen-node-key.sh must be run on a +# management node with the Windows computer's hostname or IP address specified as the 1st +# argument. 
This will copy root's public SSH identity key to the +# authorized_hosts file on the Windows computer and disable password +# authentication. +############################################################################### # Name : set_config # Parameters : [config_file] [keyword] [value] # Returns : always 1 
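Review bot: The rewritten header says gen-node-key.sh copies root's public key to the `authorized_hosts` file, but the file sshd consults (and the one the companion script actually writes) is `authorized_keys`; suggest `# authorized_keys file on the Windows computer and disable password`. Since the header now documents that the root password is passed as `$1`, it would also help to state that the script hands that password to `ssh-host-config -w` and `sc.exe config … password=` on child command lines, so callers know it is exposed to local process listings for the duration of those calls and should not be reused elsewhere.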
@@ -73,117 +57,194 @@ echo Setting $keyword to $value in $config_file sed -i -r -e "s/^[ #]*($keyword).*/\1 $value/" $config_file grep -i -r "^[ #]*$keyword" $config_file - echo ---------- + print_hr return 1; } -# ----------------------------------------------------------------------------- +#------------------------------------------------------------------------------ +function print_hr { + echo "----------------------------------------------------------------------" +} +#------------------------------------------------------------------------------ +function help { + print_hr + echo "Usage: $0 '<root password>'" + print_hr + exit 1 +} + +#------------------------------------------------------------------------------ +function die { + exit_status=$? + message=$1 + + print_hr + echo "ERROR: ($exit_status)" + + if [ "$message" != "" ] + then + echo $message + fi + + print_hr + exit 1 +} + +############################################################################### +# Get the Windows root account password argument if [ $# -ne 1 ] then - echo "Usage: $0 '<root password>'" - exit 1 + help fi PASSWORD=$1 +print_hr + +# Stop and kill all sshd processes echo Stopping sshd service if it is running net stop sshd 2>/dev/null -echo ---------- +print_hr +echo Killing any sshd.exe processes +taskkill.exe /IM sshd.exe /F 2>/dev/null +print_hr + +echo Killing any cygrunsrv.exe processes +taskkill.exe /IM cygrunsrv.exe /F 2>/dev/null +print_hr + +# Delete the sshd service if it already exists echo Deleting sshd service if it already exists $SYSTEMROOT/system32/sc.exe delete sshd -echo ---------- +print_hr + +# Make sure sshd service registry key is gone +# sc.exe may have set a pending deletion registry key under sshd +# This prevents the service from being reinstalled +echo Deleting sshd service registry key +reg.exe DELETE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd' /f +print_hr +# Delete sshd user, a new account will be created echo Deleting the sshd user 
if it already exists net user sshd /DELETE -echo ---------- +print_hr +# Delete any existing ssh configuration or key files echo Deleting '/etc/ssh*' rm -fv /etc/ssh* -echo ---------- +print_hr +# Delete existing ssh log file echo Deleting /var/log/sshd.log if it exists rm -fv /var/log/sshd.log -echo ---------- +print_hr +# ssh-host-config requires several permissions to be set in order for it to complete echo Setting root:Administrators as owner of '/etc' and '/var' chown -R root:Administrators /etc /var -echo ---------- +print_hr echo Adding ug+rwx permissions to '/etc' and '/var' chmod -v ug+rwx /etc /var -echo ---------- +print_hr echo Adding read permission on /etc/passwd and /etc/group chmod -v +r /etc/passwd /etc/group -echo ---------- +print_hr echo Adding ug+w permission on /etc/passwd and /etc/group chmod -v ug+w /etc/passwd /etc/group -echo ---------- +print_hr +# Recreate Cygwin's group and passwd files so they match current computer accounts echo Recreating /etc/group mkgroup -l > /etc/group -echo ---------- +if [ $? -ne 0 ]; then die "failed to recreate /etc/group"; fi; +print_hr echo Recreating /etc/passwd mkpasswd -l > /etc/passwd -echo ---------- +if [ $? 
-ne 0 ]; then die "failed to recreate /etc/passwd"; fi; +print_hr +# ssh-host-config will fail if the mount points are configured as user instead of system echo Configuring mount points -umount -u /usr/bin 2>/dev/nul +umount -u /usr/bin 2>/dev/null mount -f -s -b C:/cygwin/bin /usr/bin -umount -u /usr/lib 2>/dev/nul +umount -u /usr/lib 2>/dev/null mount -f -s -b C:/cygwin/lib /usr/lib -umount -u / 2>/dev/nul +umount -u / 2>/dev/null mount -f -s -b C:/cygwin / -echo ---------- +print_hr echo Adding execute permission on /var chmod -v +x /var -echo ---------- +print_hr +# Delete existing SSH settings and files in root's home directory +echo Deleting /home/root/.ssh directory if it exists +rm -rfv /home/root/.ssh +print_hr + +# Run ssh-user-config, this creates the .ssh directory in root's home directory +echo Running ssh-user-config +ssh-user-config -n +if [ $? -ne 0 ]; then die "failed to run ssh-host-config"; fi; +print_hr + +# Make sure root owns everything in its home directory +echo Setting root:None as the owner of /home/root +chown -R root:None /home/root +print_hr + +# Run ssh-host-config, this is the main sshd service configuration utility echo Running ssh-host-config -ssh-host-config -y -echo ---------- +ssh-host-config -y -c ntsec -w "$PASSWORD" +if [ $? 
-ne 0 ]; then die "failed to run ssh-host-config"; fi; +print_hr +# sshd service requires some directories under /var to be configured as follows in order to start echo Creating /var/empty directory if it does not exist mkdir /var/empty 2>/dev/NULL -echo ---------- +print_hr echo Setting root:Administrators as owner of /var/empty chown -Rv root:Administrators /var/empty -echo ---------- +print_hr echo Setting permissions to 755 on /var/empty chmod -Rv 755 /var/empty -echo ---------- +print_hr echo Setting permissions to 775 on /var/log chmod -Rv 775 /var/log -echo ---------- +print_hr echo Creating /var/log/sshd.log file if it does not exist touch /var/log/sshd.log -echo ---------- +print_hr echo Setting root:Administrators as owner of '/etc/ssh*' and /var/log/sshd.log chown -Rv root:Administrators /etc/ssh* /var/log/sshd.log -echo ---------- +print_hr echo Setting permissions to ug+rw on '/etc/ssh*' and /var/log/sshd.log chmod -Rv ug+rw /etc/ssh* /var/log/sshd.log -echo ---------- +print_hr +# Make sure host key permissions are correct echo Setting permissions to 600 on '/etc/ssh*key' chmod -v 600 /etc/ssh*key -echo ---------- +print_hr echo Setting permissions to ug+rwx on /etc chmod -v ug+rwx /etc -echo ---------- +print_hr +# Configure the sshd_config file echo Configuring /etc/sshd_config set_config '/etc/sshd_config' 'LogLevel' 'VERBOSE' set_config '/etc/sshd_config' 'MaxAuthTries' '12' 
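Review bot: `die` captures `exit_status=$?` as its first statement, but every new call site reaches it through `if [ $? -ne 0 ]; then die …; fi`, so by the time `die` runs `$?` is the status of the successful `[` test and the banner will always print `ERROR: (0)`. Calling it as `mkgroup -l > /etc/group || die "failed to recreate /etc/group"` leaves the failing command's status in `$?` inside `die` (and is shorter than the `if` form); alternatively pass the status explicitly, `die "$?" "message"`. The check after `ssh-user-config -n` reports `failed to run ssh-host-config`, a copy-paste of the later message, which will send whoever reads the log to the wrong step. `ssh-host-config -y -c ntsec -w "$PASSWORD"` necessarily puts the root password on a child process's command line; that is inherent to the utility, but a one-line comment saying so would stop a later maintainer from "fixing" the echo-less call by adding a debug print of it.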
@@ -191,17 +252,25 @@ set_config '/etc/sshd_config' 'Banner' 'none' set_config '/etc/sshd_config' 'UsePrivilegeSeparation' 'yes' set_config '/etc/sshd_config' 'StrictModes' 'no' -set_config '/etc/sshd_config' 'LoginGraceTime' '10' +set_config '/etc/sshd_config' 'LoginGraceTime' '30' set_config '/etc/sshd_config' 'Compression' 'no' +set_config '/etc/sshd_config' 'IgnoreUserKnownHosts' 'yes' +set_config '/etc/sshd_config' 'PrintLastLog' 'no' +set_config '/etc/sshd_config' 'RSAAuthentication' 'no' +set_config '/etc/sshd_config' 'UseDNS' 'no' +set_config '/etc/sshd_config' 'PermitRootLogin' 'no' +# Add switches to the sshd service startup command so that it logs to a file echo Configuring the sshd service to log to /var/log/sshd.log reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Services\sshd\Parameters" /v AppArgs /d "-D -e" /t REG_SZ /f -echo ---------- +print_hr +# Configure the sshd service to run as root echo Configuring the sshd service to use the root account: $PASSWORD $SYSTEMROOT/system32/sc.exe config sshd obj= ".\root" password= "$PASSWORD" -echo ---------- +print_hr +# Run secedit.exe to grant root the right to logon as a service # Assemble the paths secedit needs secedit_exe="C:\\WINDOWS\\system32\\secedit.exe" secedit_inf='C:\\WINDOWS\\security\\templates\\root_logon_service.inf' 
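Review bot: `set_config '/etc/sshd_config' 'PermitRootLogin' 'no'` is added to a configuration whose stated purpose is to let the management node log in as `root` with an identity key; sshd applies PermitRootLogin to uid 0, and the Cygwin `root` account presumably maps to a non-zero uid, so the directive most likely has no effect — but if that mapping ever yields uid 0 the key login silently breaks, so the line needs a comment stating the intent or should be dropped. Likewise `RSAAuthentication no` only governs protocol-1 RSA keys; protocol-2 public-key logins are controlled by `PubkeyAuthentication`, which the script leaves at its default, so if the aim is to forbid protocol 1 the effective line is `set_config '/etc/sshd_config' 'Protocol' '2'`. The unchanged `echo Configuring the sshd service to use the root account: $PASSWORD` just below writes the root password into whatever transcript this script's output lands in; since this section is already being hardened, dropping `$PASSWORD` from that echo is a cheap win.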
@@ -217,22 +286,32 @@ signature="\$WINDOWS NT\$" EOF +# Make sure security .inf file is formatted for DOS unix2dos $secedit_inf echo Running secedit.exe to grant root the right to logon as a service cmd.exe /c $secedit_exe /configure /cfg "$secedit_inf" /db $secedit_db /log $secedit_log /verbose -echo ---------- +print_hr -echo Configuring firewall port 22 exception +# Create firewall exception for sshd TCP port 22 traffic +echo Configuring sshd firewall port 22 exception netsh firewall set portopening name = "Cygwin SSHD" protocol = TCP port = 22 mode = ENABLE profile = ALL scope = ALL -echo ---------- +if [ $? -ne 0 ]; then die "failed to configure sshd firewall port 22 exception"; fi; +print_hr echo Starting the sshd service net start sshd -echo ---------- +if [ $? -ne 0 ]; then die "failed to starting the sshd service"; fi; +print_hr +# Print the end of the sshd.log file, this is only for debugging echo /var/log/sshd.log ending: tail -n 10 /var/log/sshd.log -echo ---------- +print_hr + +echo "SUCCESS: $0 done." +echo +echo "IMPORTANT! Now run gen-node-key.sh on the management node," +echo "specify this computer's hostname or IP address as the 1st argument." 
-echo Done +exit 0 Propchange: incubator/vcl/trunk/managementnode/bin/cygwin-sshd-config.sh ------------------------------------------------------------------------------ svn:eol-style = native Propchange: incubator/vcl/trunk/managementnode/bin/cygwin-sshd-config.sh ------------------------------------------------------------------------------ svn:executable = * Propchange: incubator/vcl/trunk/managementnode/bin/cygwin-sshd-config.sh ------------------------------------------------------------------------------ svn:keywords = Date Revision Author HeadURL Id Modified: incubator/vcl/trunk/managementnode/bin/gen-node-key.sh URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/bin/gen-node-key.sh?rev=826104&r1=826103&r2=826104&view=diff ============================================================================== --- incubator/vcl/trunk/managementnode/bin/gen-node-key.sh (original) +++ incubator/vcl/trunk/managementnode/bin/gen-node-key.sh Fri Oct 16 22:04:04 2009 @@ -1,6 +1,7 @@ -############################################################################## -# $Id: $ -############################################################################## +#!/bin/bash +############################################################################### +# $Id$ +############################################################################### # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. 
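Review bot: The `die` checks added after `netsh` and `net start sshd` are not applied to the `secedit.exe` call right above them, even though that is the step that grants `root` the logon-as-a-service right; if it fails, the later `net start sshd` failure says nothing about the cause. Wrapping it as `cmd.exe /c $secedit_exe /configure … /verbose || die "failed to grant root the logon as a service right"` keeps the new pattern consistent (`cmd.exe /c` is expected to propagate the child's errorlevel, but confirm on the target OS). The new message `failed to starting the sshd service` should read `failed to start the sshd service`. The generated `.inf` template, `$secedit_db` and `$secedit_log` are left under `C:\WINDOWS\security\templates` after the run; removing them at the end keeps the base image free of configuration residue.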
@@ -17,84 +18,134 @@ # limitations under the License. ############################################################################### # DESCRIPTION -# Configures a VCL management node to be able to control a remote node using SSH -# keys. The IP address or hostname of a remote node which has already been -# configured to respond to SSH must be supplied as an argument. This script does -# the following: -# * Generates an 1024 bit RSA SSH public/private key pair if it doesn't already -# exist. Location: -# Private key: /etc/vcl/vcl.key -# Public key: /etc/vcl/vcl.key.pub -# * Configures the ssh_config file on the management node to use the following -# options: -# StrictHostKeyChecking=no -# * Removes any existing entries in the known_hosts file for the node specified -# * Adds the current host key of the node specified to the known_hosts file -# * Adds the vcl.key.pub public key to the authorized_keys file on the specified -# host -# * Configures the sshd_config file on the specified host with the following -# options: -# PermitRootLogin=no -# PasswordAuthentication=no -# * Restarts the sshd service on the specified node +# Configures the root account on a VCL management node to be able to log on to a +# Windows computer via SSH using an identity key. The IP address or hostname of +# the Windows computer must be supplied as the first argument. An SSH private +# key path can optionally be specified as the 2nd argument. If the 2nd argument +# isn't supplied, the SSH identity key file used is /etc/vcl/vcl.key. The SSH +# identity key files will be created if they don't already exist. Enter the +# Windows computer's root accounts password when prompted. 
+############################################################################### +function print_hr { + echo "----------------------------------------------------------------------" +} + +#------------------------------------------------------------------------------ +function help { + print_hr + echo "Usage:" + echo "$0 <IP or hostname> [SSH identity key path]" + print_hr + exit 1 +} + +#------------------------------------------------------------------------------ +function die { + message=$1 + + print_hr + echo "ERROR:" + + if [ "$message" != "" ] + then + echo $message + fi + + print_hr + exit 1 +} -if [ $# -ne 1 ] +############################################################################### +# Get the arguments +if [ $# == 0 -o $# -gt 2 ]; then - echo "Usage: $0 <node>" - exit 1 + help fi NODE=$1 +KEY_PATH=$2 + +# Make sure root is running this script +if [ `env |grep -ic "^USERNAME=root$"` -ne 1 ]; +then + die "this script must be run as root" +fi + +SSH_OPTIONS="-o CheckHostIP=no -o StrictHostKeyChecking=no -o BatchMode=no" + +print_hr + +# Set the default key path if argument not specified +if [ "$KEY_PATH" == "" ] +then + KEY_PATH='/etc/vcl/vcl.key' + echo Using default SSH identity key path: $KEY_PATH +else + echo Using specified SSH identity key path: $KEY_PATH +fi # Check if vcl.key already exists, create it if it doesn't -echo ---------- -if [ -f '/etc/vcl/vcl.key' ]; +print_hr +if [ -f "$KEY_PATH" ]; then - echo SSH key already exists on this management node: '/etc/vcl/vcl.key' + echo SSH key already exists on this management node: "$KEY_PATH" else - echo Creating SSH keys on management node: '/etc/vcl/vcl.key(.pub)' - mkdir -p /etc/vcl - ssh-keygen -t rsa -f /etc/vcl/vcl.key -N '' -b 1024 -C 'root on VCL management node' - echo "IdentityFile /etc/vcl/vcl.key" >> /etc/ssh/ssh_config -fi -echo ---------- - -echo Setting StrictHostKeyChecking to no in ssh_config on this management node -sed -i -r -e "s/^[ #]*(StrictHostKeyChecking).*/\1 no/" 
/etc/ssh/ssh_config -grep -i -r "^[ #]*StrictHostKeyChecking" /etc/ssh/ssh_config -echo ---------- + echo Creating SSH keys on management node: "$KEY_PATH" + ssh-keygen -t rsa -f "$KEY_PATH" -N '' -b 1024 -C 'VCL root account' + if [ $? -ne 0 ]; then die "failed to generate SSH keys"; fi; + echo "IdentityFile $KEY_PATH" >> /etc/ssh/ssh_config +fi +print_hr # Remove existing entries for the node from known_hosts for the node specified by the argument -if [ `grep -ic $NODE /root/.ssh/known_hosts` -ne 0 ]; +if [ `grep -ic "^$NODE " /root/.ssh/known_hosts` -ne 0 ]; then echo Removing $C entries for $NODE from '/root/.ssh/known_hosts' - sed -i -r -e "s/.*$NODE.*//" /root/.ssh/known_hosts + sed -i -r -e "s/^$NODE .*//" /root/.ssh/known_hosts else echo Entry does not exist for $NODE in '/root/.ssh/known_hosts' fi -echo ---------- +print_hr -echo Scanning host key for $NODE and adding it to '/root/.ssh/known_hosts' -ssh-keyscan -t rsa $NODE >> /root/.ssh/known_hosts +# Remove existing entries for the node from xCAT gkh file +if [ `grep -ic "^$NODE " /opt/xcat/etc/gkh` -ne 0 ]; +then + echo Removing $C entries for $NODE from '/opt/xcat/etc/gkh' + sed -i -r -e "s/^$NODE .*//" /opt/xcat/etc/gkh +else + echo Entry does not exist for $NODE in '/opt/xcat/etc/gkh' +fi +print_hr -echo Copying public key to authorized_keys on $NODE -ssh-copy-id -i /etc/vcl/vcl.key.pub $NODE -echo ---------- +# Add the node's key to the known hosts file +which makesshgkh +if [ $? 
== 0 ]; +then + echo Running xCAT makesshgkh utility for $NODE + makesshgkh $NODE +else + echo Scanning host key for $NODE and adding it to '/root/.ssh/known_hosts' + ssh-keyscan -t rsa $NODE >> /root/.ssh/known_hosts +fi +print_hr -echo Setting PermitRootLogin to no in sshd_config on $NODE -ssh -i /etc/vcl/vcl.key r...@$node 'sed -i -r -e "s/^[ #]*(PermitRootLogin).*/\1 no/" /etc/sshd_config' -ssh -i /etc/vcl/vcl.key r...@$node 'grep "^[ #]*PermitRootLogin" /etc/sshd_config' -echo ---------- +echo Copying public key to authorized_keys on $NODE +scp $SSH_OPTIONS $KEY_PATH.pub r...@$node:.ssh/authorized_keys +if [ $? -ne 0 ]; then die "failed to copy $KEY_PATH.pub to $NODE:.ssh/authorized_keys"; fi; +print_hr echo Setting PasswordAuthentication to no in sshd_config on $NODE -ssh -i /etc/vcl/vcl.key r...@$node 'sed -i -r -e "s/^[ #]*(PasswordAuthentication).*/\1 no/" /etc/sshd_config' -ssh -i /etc/vcl/vcl.key r...@$node 'grep "^[ #]*PasswordAuthentication" /etc/sshd_config' -echo ---------- +ssh $SSH_OPTIONS -i $KEY_PATH r...@$node 'sed -i -r -e "s/^[ #]*(PasswordAuthentication).*/\1 no/" /etc/sshd_config' +ssh $SSH_OPTIONS -i $KEY_PATH r...@$node 'grep "^[ #]*PasswordAuthentication" /etc/sshd_config' +print_hr echo Restarting the sshd service on $NODE -ssh -i /etc/vcl/vcl.key r...@$node 'net stop sshd ; net start sshd' -echo ---------- - -echo Done, the following command should work: -echo "ssh -i /etc/vcl/vcl.key $NODE" +ssh $SSH_OPTIONS -i $KEY_PATH r...@$node 'net stop sshd ; net start sshd' +if [ $? -ne 0 ]; then die "failed to restart the sshd service on $NODE"; fi; +print_hr + +echo "SUCCESS: $0 done." 
+echo +echo "Try to run the following command, it should NOT prompt for a password:" +echo "ssh $SSH_OPTIONS -i $KEY_PATH $NODE" exit 0 \ No newline at end of file Propchange: incubator/vcl/trunk/managementnode/bin/gen-node-key.sh ------------------------------------------------------------------------------ svn:eol-style = native Propchange: incubator/vcl/trunk/managementnode/bin/gen-node-key.sh ------------------------------------------------------------------------------ svn:executable = * Propchange: incubator/vcl/trunk/managementnode/bin/gen-node-key.sh ------------------------------------------------------------------------------ svn:keywords = Date Revision Author HeadURL Id
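Review bot: The new `scp $SSH_OPTIONS $KEY_PATH.pub root@$NODE:.ssh/authorized_keys` replaces the node's authorized_keys wholesale, whereas the `ssh-copy-id` it removes appended, so any key already present (for example a second management node's) is silently discarded; `cat "$KEY_PATH.pub" | ssh $SSH_OPTIONS root@$NODE 'cat >> .ssh/authorized_keys'` keeps the old semantics. Because `StrictHostKeyChecking=no` stays in `SSH_OPTIONS` for that password-authenticated copy, the host key just recorded by `ssh-keyscan`/`makesshgkh` is never checked on the connection that carries the root password and installs the key; once the known_hosts step has run it can be `yes`. The new `grep -ic "^$NODE " /opt/xcat/etc/gkh` is unguarded: on a management node without xCAT the file is absent, the substitution is empty and `[ -ne 0 ]` aborts with "unary operator expected" — test `[ -f /opt/xcat/etc/gkh ]` first (and `ssh-keygen -R "$NODE"` drops known_hosts entries without interpolating an IP into a sed regex or leaving blank lines). The root check on `env | grep "^USERNAME=root$"` presumably relies on the login shell exporting `USERNAME`, which not every Linux login path does; `[ "$(id -u)" -eq 0 ]` does not depend on that. Dropping the old `mkdir -p /etc/vcl` means key generation now fails outright when the directory is missing — `mkdir -p "$(dirname "$KEY_PATH")"` before `ssh-keygen` restores it, and while touching that line `-b 2048` is the current minimum for a long-lived RSA key.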