Benjamin Schieder

MAKING CLUSTERSSH / CSSH WORK WITH SSHRELAYS LIKE NETIQ PUM

2014 April 09

I just absolutely hate bad software. Really, really, really HATE it. Yes, I've written bad software myself. Yes, there's no objective measure of what bad software is. I define bad software as software that doesn't do what one would expect it to do.

With that definition, let's look at clusterssh. clusterssh is an ssh wrapper that lets you send input to multiple ssh sessions at once. For example, you could do:

cssh host1 host2 host3

and get three windows with the ssh connections to host1, host2 and host3 respectively and a fourth window with an input field for input to send to all three hosts at once. Nice.

BUT! (You knew there had to be a but, right?)

If you also have NetIQ PUM (Privileged User Manager) deployed - PUM is, in its simplest form, an ssh relay server - you cannot connect to the target hosts directly but have to go through the relay server. For example:

[blindcoder@flora:~]$ ssh pum-fwmgr 
blindcoder@pum-fwmgr's password: 
1) GH-dev-0xbad1dea-root - root@pum-fwmgr
2) GH-dev-0xbad1dea-root - root@pum-clnt-sles
Enter option (1-2): 2
root@pum-clnt-sles:~#

You can also hop to the target host directly like this:

[blindcoder@flora:~]$ ssh pum-fwmgr root@pum-clnt-sles
blindcoder@pum-fwmgr's password: 
root@pum-clnt-sles:~#

Nice and simple, right? So the logical next step would be to call cssh like this:

cssh "pum-fwmgr root@pum-clnt-sles"

Unfortunately, cssh mangles the parameter when it detects an @ in it, and the call to ssh ends up being

ssh -l pum-fwmgr
root pum-fwmgr

which is as useless as it seems to be.

To mitigate this problem, I had to patch ClusterSSH/Helper.pm like this:

--- Helper.pm	2014-04-09 12:44:22.217264112 +0200
+++ Helper.pm	2014-04-09 12:44:18.889260645 +0200
@@ -108,19 +108,20 @@
                    \$command .= \$mstr;
                }
            }
-           if(\$user) {
-               unless("$comms" eq "telnet") {
-                   \$user = \$user ? "-l \$user " : "";
-                   \$command .= \$user;
-               }
-           }
+					 #if(\$user) {
+							 #unless("$comms" eq "telnet") {
+									 #\$user = \$user ? "-l \$user " : "";
+									 #\$user = \$user ? " \$user\\\@\$svr " : "";
+									 #\$command .= \$user;
+							 #}
+					 #}
            if("$comms" eq "telnet") {
                \$command .= "\$svr \$port";
            } else {
                if (\$port) {
-                   \$command .= "-p \$port \$svr";
+                   \$command .= "-p \$port \$user\\\@\$svr";
                } else {
-                 \$command .= "\$svr";
+                 \$command .= "\$user\\\@\$svr";
                }
            }
            if("$config_command") {
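Review bot: with the `if(\$user)` block commented out, the two `+` lines that append `\$user\\\@\$svr` now produce a leading `@` whenever no user was given (the generated call becomes `ssh @pum-fwmgr`), so the user prefix should stay conditional, e.g. `\$command .= (\$user ? "\$user\\\@" : "") . "\$svr";` in both the port and no-port branches. The commented-out block should be deleted rather than left as dead code, and its tab indentation differs from the space-indented lines around it.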

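The same command assembly as a stand-alone script, added here as an example (not ClusterSSH's own code); `build_command` is a hypothetical name, and it keeps the user prefix conditional so that an empty user does not yield a leading `@`:

```perl
#!/usr/bin/perl
# Added example, not ClusterSSH's own code: assemble the ssh/telnet command
# line so that a quoted argument such as "pum-fwmgr root@pum-clnt-sles"
# survives as host plus remote-command words, and so that a missing user
# does not produce "ssh @host".
use strict;
use warnings;

# $comms is "ssh" or "telnet"; $user and $port may be empty;
# $svr is the host, possibly followed by the extra words cssh was given.
sub build_command {
    my ($comms, $user, $svr, $port) = @_;
    my $command = "$comms ";

    if ($comms eq 'telnet') {
        # telnet takes the port as a separate word and has no user option
        $command .= $port ? "$svr $port" : $svr;
        return $command;
    }

    # ssh: port option first, then user@host only when a user was given
    $command .= "-p $port " if $port;
    $command .= $user ? "$user\@$svr" : $svr;
    return $command;
}

# Constructed sample inputs mirroring the post's relay call.
print build_command('ssh', '', 'pum-fwmgr root@pum-clnt-sles', ''), "\n";
print build_command('ssh', 'blindcoder', 'pum-fwmgr root@pum-clnt-sles', 2222), "\n";
print build_command('telnet', '', 'pum-fwmgr', 23), "\n";
```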

Tags: cssh netiq pum