tsshbatch - Run Commands On Batches Of Machines
tsshbatch.py [-ehvk] [-n name] [-p pw] [-H 'h1 h2 ...' | hostlistfile] command arg ...
tsshbatch is a tool to enable you to issue a command to many
hosts without having to log into each one separately. When writing
scripts, this overcomes the
ssh limitation of not being able to
specify the password on the command line.
tsshbatch also understands basic
sudo syntax and can be used
to access a host,
sudo a command, and then exit.
tsshbatch thus allows you to write complex, hands-off scripts that
issue commands to many hosts without the tedium of manual login and
sudo promotion. System administrators, especially, will find this
helpful when working in large host farms.
-H 'hostlist' Single quoted list of hosts on which to run the command
||Don't report remote host stderr output
||Print help information
||Use ssh keys instead of name/password credentials
||Login name to use
||Password to use when logging in and/or doing sudo
||Print detailed program version information and exit
tsshbatch respects the
TSSHBATCH environment variable. You
may set this variable with any options above you commonly use to avoid
having to key them in each time you run the program. For example:
export TSSHBATCH="-n jluser -p l00n3y"
This would cause all subsequent invocations of
attempt to use the login name/password credentials of
Different Ways To Specify Targeted Hostnames
There are two ways to specify the list of hosts on which you want
to run the specified command:
On the command line via the
tsshbatch.py -H 'hostA hostB' uname -a
This would run the command
uname -a on the
Notice that the list of hosts must be separated by spaces but
passed as a single argument. Hence we enclose them in single
Via a host list file:
tsshbatch.py myhosts df -Ph
tsshbatch expects the file
myhosts to contain a
list of hosts, one per line, on which to run the command
-Ph. As an example, if you want to target the hosts
myhosts would look
This method is handy when there are standard "sets" of hosts
on which you regularly work. For instance, you may wish to
keep a host file lis for each of your production hosts, each
of your test hosts, each of your AIX hosts, and so on.
Authentication Using Name And Password
The simplest way to use
tsshbatch is to just name the hosts
can command you want to run:
tsshbatch.py linux-prod-hosts uptime
You will be promted for your username and password one time
tsshbatch will then use to log into each of the
machines named in
linux-prod-hosts. (Notice that
his assumes your name and password are the same on each
Typing in your login credentials all the time can get tedious after
tsshbatch provides a means of providing them on the
tsshbatch.py -n joe.luser -p my_weak_pw linux-prod-hosts uptime
This allows you to use
tsshbatch inside scripts for hands-free
If your login name is the same on all hosts, you can simplify
this further by defining it in the environment variable:
export TSSHBATCH="-n joe.luser"
Any subsequent invocation of
tsshbatch will only require a
password to run.
HOWEVER, there is a huge downside to this - your plain text
password is exposed in your scripts, on the command line, and
possibly your command history. This is a pretty big security hole,
especially if you're an administrator with extensive privileges.
(This is why the
ssh program does not support such an option.)
For this reason, it is strongly recommended that you use the
option sparingly, or not at all. A better way is to push ssh keys
to every machine and use key exchange authentication as described
However, there are times when you do have use an explicit password,
such as when doing
sudo invocations. It would be really nice
-p and avoid having to constantly type in the password.
There are two strategies for doing this more securely than just
entering it in plain text on the command line:
Temporarily store it in the environment variable:
export TSSHBATCH="-n joe.luser -p my_weak_pw"
Do this interactively after you log in, not from
a script (otherwise you'd just be storing the plain text
password in a different script). The environment variable
will persist as long as you're logged in and disappear
when you log out.
If you use this just make sure to observe three security
- Clear your screen immediately after doing this so no one
walking by can see the password you just entered.
- Configure your shell history system to ignore
commands beginning with
export TSSHBATCH. That
way your plain text password will never appear in
the shell command history.
- Make sure you don't leave a logged in session unlocked so
that other users could walk up and see your password by
displaying the environment.
This approach is best when you want your login credentials
available for the duration of an entire login session.
Store your password in an encrypted file and decrypt it
First, you have to store your password in an encrypted format.
There are several ways to do this, but
gpg is commonly
echo "my_weak_pw" | gpg -c >mysecretpw
Provide a decrypt passphrase, and you're done.
Now, you can use this by decrypting it inline as needed:
# A demo scripted use of tsshbatch with CLI password passing
MYPW=`cat mysecretpw | gpg` # User will be prompted for unlock passphrase
sshbatch.py -n joe.luser -p $MYPW hostlist1 command1 arg
sshbatch.py -n joe.luser -p $MYPW hostlist2 command2 arg
sshbatch.py -n joe.luser -p $MYPW hostlist3 command3 arg
This approach is best when you want your login credentials
available for the duration of the execution of a script. It
does require the user to type in a passphrase to unlock the
encrypted password file, but your plain text password never
appears in the wild.
Authentication Using Key Exchange
For most applications of
tsshbatch, it is much simpler to use
key-based authentication. For this to work, you must first have
pushed ssh keys to all your hosts. You then instruct
to use key-based authentication rather than name and password. Not
only does this elimintate the need to constantly provide name and
passowrd, it also eliminates passing a plain text password on the
command line and is thus far more secure. This also overcomes the
problem of having different name/password credentials on different
tsshbatch will prompt for name and password
if they are not provided on the command line. To force key-based
authentication, use the
tsshbatch.py -k AIX-prod-hosts ls -al
tsshbatch is smart enough to handle commands that begin
sudo. It knows that such commands require a password
even if you used key exchange to intially log in. That's because,
once you are logged in - whether via name/password or via key
sudo requires your password again to promote
When using name/password authentication, with
need do nothing special to run
sudo commands on your targeted
hosts (assuming you have the privilege of doing so there).
However, when using key exchange-based authentication, if you want
sudo commands, you will also have to provide a
password by one of the means described previously. That's
because, once you are logged into a host, your password is required
again to do
sudo privilege promotion.
You must have a reasonably current version of Python installed. If
your Python installation does not install
paramiko you'll have to
install it manually, since
tsshbatch requires these libraries.
BUGS AND MISFEATURES
sudo is presented a bad password, it ordinarily prints a
string indicating something is wrong.
tsshbatch looks for this to
let you know that you've got a problem and then terminates further
operation. This is so that you do not attempt to log in with a bad
password across all the servers you have targeted. (Many enterprises
have policies to lock out a user ID after some small number of failed
However, some older versions of
sudo (noted on a RHEL 4 server
sudo 1.6.7p5) do not return any feedback when presented
with a bad password. This means that
tsshbatch cannot tell the
difference between a successful
sudo and a system waiting for you
to reenter a proper password. In this situation, if you enter a bad
password, the the program will hang. Why?
nothing is wrong and waits for the
sudo command to complete. At
the same time,
sudo itself is waiting for an updated password. In
this case, you have to kill
tsshbatch and start over. This
typically requires you to put the program in background (
in most shells) and then killing that job from the command line.
There is no known workaround for this problem.
COPYRIGHT AND LICENSING
tsshbatch is Copyright (c) 2011 TundraWare Inc.
tsshbatch-license.txt file in the
program distribution. If you install tsshbatch on a FreeBSD
system using the 'ports' mechanism, you will also find this file in
DOCUMENT REVISION INFORMATION
$Id: tsshbatch.rst,v 1.107 2012/01/05 19:07:23 tundra Exp $
You can find the latest version of this program at: