Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Juraj Bednár 29. 11. 2010 Managing servers with DSSH
DIGMIA <ul><li>System administration and consulting company </li><ul><li>Most of the TOP 20 web sites in Slovakia are our ...
Member of Society for Open Information Technologies (soit.sk) </li></ul></ul>Introduction
<ul><li>At least 5 system administrators or
At least 30 servers in heterogenous environment </li></ul>Who is this presentation for?
Use case
 
Wrong solutions <ul><li>Use ssh agent forwarding </li><ul><li>Known to be insecure if you don't trust the server (which yo...
Difficult to manage if there are different customers with same network range (192.168.x.x)? </li></ul></ul>
<ul><li>Cut & paste passwords </li><ul><li>Clipboard not safe enough
You don't need to display passwords, just use them at just the right place (don't paste to chat...) </li></ul></ul>Wrong s...
<ul><li>pfexec, sudo, ... </li><ul><li>Low auditability </li><ul><li>sudo -s
copy file to server and then execute </li></ul><li>Management hell </li><ul><li>Can not create lots of unix accounts and m...
LDAP not possible (different customers, different security policies) </li></ul></ul></ul>Not applicable for us
<ul><li>Custom scriptable SSH client
Written in Java, using modified Trilead SSH library </li><ul><li>Console initialization components written in JNI
Needs terminal emulator (such as xterm or Terminal.app) </li></ul><li>Scriptable in BeanShell </li><ul><li>Used Groovy, bu...
<ul><li>SSH in SSH tunneling </li><ul><li>Hostnames can be interpreted by script to login you to target network
Possibility to change hostnames </li></ul><li>Possibility to login as root by using “su” or “ena”
Limited scp support (sftp coming soon) </li><ul><li>Not possible to scp using “su” or “ena” because of server lim. </li></...
<ul><li>Dynamic path selection (script can ping several entry point hosts)
Logging support
Credentials storage very lightweight </li><ul><li>API does not support key retrieval (you can only use keys)
Supports password retrieval
Upcoming SlideShare
Loading in …5
×

Dssh @ Confidence, Prague 2010

655 views

Published on

Presentation about DSSH

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Dssh @ Confidence, Prague 2010

  1. 1. Juraj Bednár 29. 11. 2010 Managing servers with DSSH
  2. 2. DIGMIA <ul><li>System administration and consulting company </li><ul><li>Most of the TOP 20 web sites in Slovakia are our customers </li></ul><li>Supporters of open-source </li></ul>Me <ul><ul><li>Co-founder of Progressbar.sk hackerspace
  3. 3. Member of Society for Open Information Technologies (soit.sk) </li></ul></ul>Introduction
  4. 4. <ul><li>At least 5 system administrators or
  5. 5. At least 30 servers in heterogenous environment </li></ul>Who is this presentation for?
  6. 6. Use case
  7. 8. Wrong solutions <ul><li>Use ssh agent forwarding </li><ul><li>Known to be insecure if you don't trust the server (which you should not – it's customer's, their security policy applies) </li></ul><li>Create VPN to office </li><ul><li>Single point of failure
  8. 9. Difficult to manage if there are different customers with same network range (192.168.x.x)? </li></ul></ul>
  9. 10. <ul><li>Cut & paste passwords </li><ul><li>Clipboard not safe enough
  10. 11. You don't need to display passwords, just use them at just the right place (don't paste to chat...) </li></ul></ul>Wrong solutions
  11. 12. <ul><li>pfexec, sudo, ... </li><ul><li>Low auditability </li><ul><li>sudo -s
  12. 13. copy file to server and then execute </li></ul><li>Management hell </li><ul><li>Can not create lots of unix accounts and manage them
  13. 14. LDAP not possible (different customers, different security policies) </li></ul></ul></ul>Not applicable for us
  14. 15. <ul><li>Custom scriptable SSH client
  15. 16. Written in Java, using modified Trilead SSH library </li><ul><li>Console initialization components written in JNI
  16. 17. Needs terminal emulator (such as xterm or Terminal.app) </li></ul><li>Scriptable in BeanShell </li><ul><li>Used Groovy, but it was too slow (interactive start) </li></ul></ul>Enter DSSH
  17. 18. <ul><li>SSH in SSH tunneling </li><ul><li>Hostnames can be interpreted by script to login you to target network
  18. 19. Possibility to change hostnames </li></ul><li>Possibility to login as root by using “su” or “ena”
  19. 20. Limited scp support (sftp coming soon) </li><ul><li>Not possible to scp using “su” or “ena” because of server lim. </li></ul></ul>Features
  20. 21. <ul><li>Dynamic path selection (script can ping several entry point hosts)
  21. 22. Logging support
  22. 23. Credentials storage very lightweight </li><ul><li>API does not support key retrieval (you can only use keys)
  23. 24. Supports password retrieval
  24. 25. Can be changed for any password storage solution easily </li></ul></ul>Additional features
  25. 26. Architecture
  26. 27. <ul><li>We don't want our admins to remember weird port numbers
  27. 28. if ((host.equals(&quot;weirdhost.customer1&quot;)) && (port == 22))
  28. 29. port = 31337;
  29. 30. Or IP addresses
  30. 31. if (host.equals(&quot;weirdhost.customer2&quot;)) </li><ul><ul><ul><ul><ul><ul><ul><ul><ul><li>host = &quot;192.146.122.211&quot;; </li></ul></ul></ul></ul></ul></ul></ul></ul></ul></ul>Examples
  31. 32. <ul><li>Automatically use backup connection </li></ul>if (host.equals(&quot;weirdhost3.customer&quot;)) { InetAddress address = InetAddress.getByName(host); if (!address.isReachable(1500)) { if (verbose) System.err.println(&quot;Unable to connect to weirdhost3.customer, connecting to weirdhost3-1.customer instead&quot;); host = &quot;weirdhost3-1.customer&quot;; }} Examples
  32. 33. <ul><li>Use jumpstation (SSH in SSH tunelling) </li></ul>if (host.equals(&quot;weirdhost5.customer&quot;)) { parent = getAuthenticatedSSHConnection(myuser, “gw.customer”, 22, parent, auth); } <ul><li>Additionaly you can create “virtual hostnames” by adding
  33. 34. host = “192.168.2.3”; </li></ul>Examples
  34. 35. <ul><li>Security policy denies direct root logins
  35. 36. In getAuthenticatedSSHConnection()
  36. 37. if (host.equals(&quot;weirdhost.customer4&quot;) && user.equals(&quot;root&quot;))
  37. 38. user = &quot;digmia&quot;;
  38. 39. In getInteractiveSession() </li></ul>if (host.equals(&quot;weirdhost.customer4&quot;) && user.equals(&quot;root&quot;) return new InteractiveSuSession(conn.openSession(), host, username, pass); Examples
  39. 40. <ul><li>Collect configurations from Cisco routers </li></ul>for i in `cat dsshhostlist-cisco` do echo &quot;Downloading configuration from $i&quot; echo term len 0 $'n' sh run $'n' exit | /usr/local/bin/dssh -k cisco/known_hosts ena@$i | sed -n '/^[!]/,/^end/p' > cisco/$i done Examples
  40. 41. Documentation and license <ul><li>Currently GPLv2 </li><ul><li>We consider to switching to less strict license (BSD) </li></ul><li>Documentation with examples available online
  41. 42. Download at http://opensource.digmia.com/ </li></ul>
  42. 43. Future <ul><li>Creating “DSSH server” </li><ul><li>Standalone mode still possible
  43. 44. Lightweight client (possibly in Python) </li><ul><li>Faster start-up times
  44. 45. Very little actual functionality </li><ul><li>Possible to quickly steal terminal emulation from Putty and allow “xterm”-less Windows client </li></ul><li>SSL + certificates </li></ul></ul></ul>
  45. 46. Future <ul><ul><li>Server allows additional features </li><ul><li>Client never sees credentials
  46. 47. Server can check ACLs
  47. 48. Revoke certificates (no need to change all passwords, although this is scriptable thanks to DSSH :) </li></ul><li>DSSH server side auditing </li><ul><li>DSSH server sees into connections (even forwarded ones)
  48. 49. Logging of file transfers, port forwards, console, ... </li></ul></ul><li>Server can be clustered (very little state information, this is really easy) </li></ul>
  49. 50. Future <ul><li>Admins never see credentials </li><ul><li>No password leaks nor key leaks
  50. 51. SSL certificates can be revoked and exchanged easily </li></ul><li>Admins sometimes have to see credentials anyway (console root login to broken server) </li><ul><li>Portal to request password and provide explanation
  51. 52. Automatically creates ticket to change password in trouble ticketing system </li></ul><li>SOCKS proxy -D (currently supports only -L a -R port forwarding) </li></ul>
  52. 53. Future <ul><li>Central server key authority </li><ul><li>known_hosts idea is a main failure
  53. 54. Key never “just changes”, someone has to approve
  54. 55. Configurable policy, that does not ask the administrator, but just drops the connection </li></ul></ul>
  55. 56. New architecture
  56. 57. Questions? <ul><li>Working on it right now </li><ul><li>Q1-Q2 2011
  57. 58. You can help and shape the future of DSSH! </li></ul><li>Questions? </li><ul><li>(and possibly some answers) </li></ul></ul>

×