[Veritas-bu] Secure Client Install

2001-05-22 13:11:43
Subject: [Veritas-bu] Secure Client Install
From: jon AT certaintysolutions DOT com (Jonathan Tourtellot)
Date: Tue, 22 May 2001 10:11:43 -0700
Hi Eric and Tim,

This is a trick I've been experimenting with that pushes clients securely. 
The idea is to modify the install scripts slightly, so they use scp 
instead of rcp, and then push the clients on the command line using 
the ssh-agent for authentication. I would highly recommend backing up
the original scripts before changing them, and testing this before trying
it in your production environment! That being said, it has worked well for me.


1) Ssh authentication

This method only works if you have a RSA/DSA key in the client's 
authorized_hosts file (and passkey authentication enabled on all the 
client machines). The corresponding RSA/DSA private key should be added to
your ssh-agent on the master server. If this is possible, then:


2) Modify the install script(s)

Edit the install_client script appropriate to your client's arch/OS. For
example, for Solaris 7, this would be: 
/usr/openv/netbackup/client/Solaris/Solaris7/install_client
Rewrite the section defining rcp and rsh to point to your local versions of
scp and ssh, like so:

---start original---
# Find the rsh and rcp commands
if [ -x /usr/net/rsh ] ; then
        RSH=/usr/net/rsh
elif [ -x /usr/bin/remsh ] ; then
        RSH=/usr/bin/remsh
elif [ -x /usr/bin/resh ] ; then
        RSH=/usr/bin/resh
elif [ -x /usr/bin/rsh ] ; then
        RSH=/usr/bin/rsh
elif [ -x /usr/bsd/rsh ] ; then
        RSH=/usr/bsd/rsh
elif [ -x /usr/ucb/rsh ] ; then
        RSH=/usr/ucb/rsh
else
        /bin/echo Cannot find rsh command
        exit 1
fi

if [ -x /usr/ucb/rcp ] ; then
        RCP=/usr/ucb/rcp
elif [ -x /usr/bsd/rcp ] ; then
        RCP=/usr/bsd/rcp
elif [ -x /usr/bin/rcp ] ; then
        RCP=/usr/bin/rcp
else
        /bin/echo Cannot find rcp command
        exit 1
fi
---end original---

becomes:

# Modified to use ssh and scp instead of rsh and rcp;
# unmodified file is install_client.orig -jon
#
# Find the ssh and scp commands
if [ -x /usr/local/bin/ssh ] ; then
        RSH=/usr/local/bin/ssh
else
        /bin/echo Cannot find ssh command
        exit 1
fi

if [ -x /usr/local/bin/scp ] ; then
        RCP=/usr/local/bin/scp
else
        /bin/echo Cannot find scp command
        exit 1
fi
# End modified section


3) Example

Once you've made that change to any client you want to push, you can
install clients via scp/ssh easily enough:

(add clients to NetBackup, but don't let it push the clients)
(put public key on all clients, private key on NB server)
# ssh-agent bash
bash # ssh-add backup-key      # if "backup-key" is the name of your key...
Need passphrase for backup-key
Enter passphrase for jon AT tweety.main.gnac DOT com 
Identity added: backup-key (jon AT tweety.main.gnac DOT com)
bash # /usr/openv/netbackup/bin/install_client_files rsh ALL  # really ssh!
       192.168.2.1 ...
Client 192.168.2.1 -- Solaris hardware running Solaris2.6
Installing NetBackup software on 192.168.2.1
...

I've only had limited opportunities to test this, but it's worked well.

Jonathan Tourtellot
Certainty Solutions
(Formerly GNAC)

On Tue, May 22, 2001 at 07:59:27AM -0600, Tim McMurphy wrote:
> This is a question of interest to me as well. Right now I just scp a big
> tarball over and do the install manually. This will become a bigger issue as
> more sites start working with ssh.
>  
> One idea I had that I haven't had time to try yet is to alias sftp to ftp
> using OpenSSH 2.9
>  
> -----Original Message-----
> From: Eric L. Santelices [mailto:erics AT sportsline DOT com]
> Sent: Monday, May 21, 2001 2:23 PM
> To: veritas-bu AT mailman.eng.auburn DOT edu
> Subject: [Veritas-bu] Secure Client Install
> 
> 
> 
> Our Security Admins do not allow FTP or telnet on many if not all our
> servers. 
> 
> So the client install cp_to_client and ftp_to_client do not work for us. 
> 
> Has anyone come up with a way to tunnel these install processes via SSH or
> SCP? 
> 
> Thanks. 
> 
> 
> Eric L. Santelices 
> System Administrator                       Sportsline.com
> 
> 954-351-2120 Ext. 4691                    NASDAQ: SPLN 
> 954-202-6491 Fax                             954-528-4736 Pager         
> pageeric AT sportsline DOT com Alpha Pager 
> 
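An added example, not part of Jonathan's post and not NetBackup's own code: the same rsh/rcp-to-ssh/scp edit the post describes in step 2, done with awk so it can be repeated across every per-platform install_client without hand editing. It keeps the post's convention of a one-time install_client.orig backup and refuses to run twice. The ssh/scp locations (/usr/local/bin) are assumptions taken from the post and can be overridden through SSH_BIN/SCP_BIN; write_sample_install_client builds a constructed fragment of an install_client so the script can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the post or NetBackup): automate the hand edit the
# post describes. patch_install_client backs up install_client to
# install_client.orig and replaces the rsh/rcp detection block with one that
# points RSH/RCP at ssh/scp. Binary locations are assumptions, overridable via
# the environment; write_sample_install_client builds a constructed fragment
# of an install_client so the whole thing runs without a NetBackup install.
set -eu

SSH_BIN="${SSH_BIN:-/usr/local/bin/ssh}"   # assumed location, as in the post
SCP_BIN="${SCP_BIN:-/usr/local/bin/scp}"   # assumed location, as in the post

# patch_install_client FILE
# The block to replace starts at the comment "# Find the rsh and rcp commands"
# and ends at the second top-level "fi" (end of the rcp search). Everything
# else in the script is copied through unchanged and the file's mode is kept.
patch_install_client() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    grep -q '^# Find the rsh and rcp commands' "$file" || {
        echo "$file: rsh/rcp block not found (already patched?)" >&2
        return 1
    }
    [ -x "$SSH_BIN" ] || echo "warning: $SSH_BIN not executable on this host" >&2
    [ -x "$SCP_BIN" ] || echo "warning: $SCP_BIN not executable on this host" >&2
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig"   # back up once, never overwrite
    awk -v ssh="$SSH_BIN" -v scp="$SCP_BIN" -v orig="$(basename "$file").orig" '
        /^# Find the rsh and rcp commands/ {
            skipping = 1; fis = 0
            print "# Modified to use ssh and scp instead of rsh and rcp;"
            print "# unmodified file is " orig
            print "#"
            print "# Find the ssh and scp commands"
            print "if [ -x " ssh " ] ; then"
            print "        RSH=" ssh
            print "else"
            print "        /bin/echo Cannot find ssh command"
            print "        exit 1"
            print "fi"
            print ""
            print "if [ -x " scp " ] ; then"
            print "        RCP=" scp
            print "else"
            print "        /bin/echo Cannot find scp command"
            print "        exit 1"
            print "fi"
            print "# End modified section"
            next
        }
        skipping { if ($0 == "fi") { fis++; if (fis == 2) skipping = 0 }; next }
        { print }
    ' "$file" > "$file.tmp"
    cat "$file.tmp" > "$file"   # write in place so owner and mode survive
    rm -f "$file.tmp"
}

# check_install_client FILE: succeeds only if RSH/RCP are assigned the ssh/scp
# binaries and no rsh/remsh/resh/rcp assignment is left behind.
check_install_client() {
    grep -q "^ *RSH=$SSH_BIN\$" "$1" &&
    grep -q "^ *RCP=$SCP_BIN\$" "$1" &&
    ! grep -Eq '^ *R(SH|CP)=.*/(rsh|remsh|resh|rcp)$' "$1"
}

# write_sample_install_client FILE: a constructed fragment with the same
# rsh/rcp detection block as the real script plus a line before and after it.
write_sample_install_client() {
    cat > "$1" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
# Find the rsh and rcp commands
if [ -x /usr/bin/rsh ] ; then
        RSH=/usr/bin/rsh
elif [ -x /usr/ucb/rsh ] ; then
        RSH=/usr/ucb/rsh
else
        /bin/echo Cannot find rsh command
        exit 1
fi

if [ -x /usr/ucb/rcp ] ; then
        RCP=/usr/ucb/rcp
else
        /bin/echo Cannot find rcp command
        exit 1
fi
$RCP $FILES $CLIENT:/tmp
$RSH $CLIENT /bin/sh /tmp/client_install
EOF
    chmod 755 "$1"
}

# Usage on a real master server (path from the post):
#   SSH_BIN=/usr/local/bin/ssh SCP_BIN=/usr/local/bin/scp \
#   sh patch_install_client.sh /usr/openv/netbackup/client/Solaris/Solaris7/install_client
if [ $# -gt 0 ]; then
    patch_install_client "$1" && check_install_client "$1" && echo "$1: patched"
fi
```

After patching, run check_install_client against each install_client before pushing; it catches a script that was only half edited (for example one where a second rsh search further down the file was missed) as well as one that was never patched. The ssh-agent step from the post is unchanged: the patched script still only works once the agent on the master holds the key that is trusted on every client.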
