diff --git a/tsshbatch.rst b/tsshbatch.rst index 9c26b36..ead0b32 100644 --- a/tsshbatch.rst +++ b/tsshbatch.rst 
@@ -92,10 +92,111 @@ 2) Authentication Using Name And Password + The simplest way to use ``tsshbatch`` is to just name the servers + can command you want to run:: + + tsshbatch.py linux-prod-servers uptime + + You will be promted for your username and password one time + which ``tsshbatch`` will then use to log into each of the + machines named in ``linux-prod-servers``. (*Notice that + his assumes your name and password are the same on each + server!*) + + Typing in your login credentials all the time can get tedious after + awhile so ``tsshbatch`` provides a means of providing them on the + command line:: + + tsshbatch.py -n joe.luser -p my_weak_pw linux-prod-servers uptime + + This allows you to use ``tsshbatch`` inside scripts for hands-free + operation. + + If your login name is the same on all servers, you can simplify + this further by defining it in the environment variable:: + + export TSSHBATCH="-n joe.luser" + + Any subsequent invocation of ``tsshbatch`` will only require a + password to run. + + HOWEVER, there is a huge downside to this - your plain text + password is exposed in your scripts, on the command line, and + possibly your command history. This is a pretty big security hole, + especially if you're an administrator with extensive privileges. + (This is why the ``ssh`` program does not support such an option.) + For this reason, it is strongly recommended that you use the ``-p`` + option sparingly, or not at all. A better way is to push ssh keys + to every machine and use key exchange authentication as described + below. + + However, there are times when you do have use an explicit password, + such as when doing ``sudo`` invocations. It would be really nice + to use ``-p`` and avoid having to constantly type in the password. 
+ There are two strategies for doing this more securely than just + entering it in plain text on the command line: + + - Temporarily store it in the environment variable:: + + export TSSHBATCH="-n joe.luser -p my_weak_pw" + + Do this *interactively* after you log in, not from + a script (otherwise you'd just be storing the plain text + password in a different script). The environment variable + will persist as long as you're logged in and disappear + when you log out. + + If you use this just make sure to observe three security + precautions: + + 1) Clear your screen immediately after doing this so no one + walking by can see the password you just entered. + + 2) Configure your shell history system to ignore + commands beginning with ``export TSSHBATCH``. That + way your plain text password will never appear in + the shell command history. + + 3) Make sure you don't leave a logged in session unlocked so + that other users could walk up and see your password by + displaying the environment. + This approach is best when you want your login credentials + available for the duration of an *entire login session*. + + - Store your password in an encrypted file and decrypt it + inline. + + First, you have to store your password in an encrypted format. + There are several ways to do this, but ``gpg`` is commonly + used:: + + echo "my_weak_pw" | gpg -c >mysecretpw + + Provide a decrypt passphrase, and you're done. + + Now, you can use this by decrypting it inline as needed:: + + #!/bin/sh + # A demo scripted use of tsshbatch with CLI password passing + + MYPW=`cat mysecretpw | gpg` # User will be prompted for unlock passphrase + + sshbatch.py -n joe.luser -p $MYPW hostlist1 command1 arg + sshbatch.py -n joe.luser -p $MYPW hostlist2 command2 arg + sshbatch.py -n joe.luser -p $MYPW hostlist3 command3 arg + + This approach is best when you want your login credentials + available for the duration of *the execution of a script*. 
It + does require the user to type in a passphrase to unlock the + encrypted password file, but your plain text password never + appears in the wild. + 3) Authentication Using Key Exchange + + 4) Executing A ``sudo`` Command - Forces luser to type in pw @@ -141,7 +242,7 @@ :: - $Id: tsshbatch.rst,v 1.102 2011/12/30 16:53:02 tundra Exp $ + $Id: tsshbatch.rst,v 1.103 2011/12/30 17:56:25 tundra Exp $ You can find the latest version of this program at:
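Review bot: the closing claim of the encrypted-file section, "your plain text password never appears in the wild", overstates what that approach buys, because the script still hands the decrypted value to `-p $MYPW` on the command line, and command-line arguments are visible to other local users in the process list for as long as each `tsshbatch` run lasts; the earlier paragraph in this same hunk already lists "on the command line" as an exposure, so the section should say that this method only keeps the password out of scripts and history, not out of `ps`, and should point readers back to the key-exchange method as the actual fix. Smaller points in the same hunk: the demo script calls `sshbatch.py` three times where the rest of the page uses `tsshbatch.py`; `$MYPW` should be quoted as `"$MYPW"` so a password containing spaces or glob characters is passed intact; `cat mysecretpw | gpg` could be `gpg -d mysecretpw`; precaution 2 would be more useful with a concrete setting, such as `HISTIGNORE='export TSSHBATCH*'` in bash; and the new text has typos ("can command" for "and command", "promted", "his assumes", "awhile", "you do have use"). The "3) Authentication Using Key Exchange" and "4) Executing A ``sudo`` Command" sections are added as empty headings with a placeholder note, which the prose above already promises ("as described below"), so either fill them in or drop the forward reference until they exist.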