Posted to commits@vcl.apache.org by ar...@apache.org on 2009/10/17 00:04:04 UTC
svn commit: r826104 - in /incubator/vcl/trunk/managementnode/bin:
cygwin-sshd-config.sh gen-node-key.sh
Author: arkurth
Date: Fri Oct 16 22:04:04 2009
New Revision: 826104
URL: http://svn.apache.org/viewvc?rev=826104&view=rev
Log:
VCL-164
Reworked cygwin-sshd-config.sh and gen-node-key.sh to make Windows base image creation easier. Added some steps to make the scripts more robust to correct problems which would prevent SSH authentication from a management node to a Windows computer using an identity key. Added comments. Set Subversion properties on these scripts.
Modified:
incubator/vcl/trunk/managementnode/bin/cygwin-sshd-config.sh (contents, props changed)
incubator/vcl/trunk/managementnode/bin/gen-node-key.sh (contents, props changed)
Modified: incubator/vcl/trunk/managementnode/bin/cygwin-sshd-config.sh
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/bin/cygwin-sshd-config.sh?rev=826104&r1=826103&r2=826104&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/bin/cygwin-sshd-config.sh (original)
+++ incubator/vcl/trunk/managementnode/bin/cygwin-sshd-config.sh Fri Oct 16 22:04:04 2009
@@ -1,6 +1,7 @@
-##############################################################################
-# $Id: $
-##############################################################################
+#!/bin/bash
+###############################################################################
+# $Id$
+###############################################################################
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
@@ -17,35 +18,18 @@
# limitations under the License.
###############################################################################
# DESCRIPTION
-# Configures the Cygwin SSHD service installed in a Windows image.
+# Configures the Cygwin SSHD service installed on a Windows computer.
# Cygwin and the sshd component must be installed prior to running this script.
-# This script should be run on a node which has been installed with a base
-# image. After running this script, gen-node-key.sh should be run on a
-# management node.
-# This script does the following:
-# * Stops any running sshd processes and servicies
-# * Deletes an existing sshd user account if it exists
-# * Deletes existing /etc/ssh* files
-# * Sets the correct owner and permissions on several files and directories
-# * Recreates the /etc/passwd and /etc/group files
-# * Configures the correct system mount points
-# * Runs ssh-host-config
-# * Sets the following options in /etc/sshd_config:
-# LogLevel=VERBOSE
-# MaxAuthTries=12
-# PasswordAuthentication=yes
-# Banner=none
-# UsePrivilegeSeparation=yes
-# StrictModes=no
-# LoginGraceTime=10
-# Compression=no
-# * Configures the sshd service to log to /var/log/sshd.log
-# * Grants the log on as a service permission to root
-# * Configures the sshd service to run as root
-# * Configures the firewall to allow port 22
-# * Starts the sshd service
-
-# -----------------------------------------------------------------------------
+# This script must be run as root on the Windows computer. The root account's
+# password must be supplied as the 1st and only argument to this script. Enclose
+# the password in single quotes if it contains special characters. After this
+# script completes successfully, the sshd service should be running on the
+# Windows computer. After running this script, gen-node-key.sh must be run on a
+# management node with the Windows computer's hostname or IP address specified as the 1st
+# argument. This will copy root's public SSH identity key to the
+# authorized_hosts file on the Windows computer and disable password
+# authentication.
+###############################################################################
# Name : set_config
# Parameters : [config_file] [keyword] [value]
# Returns : always 1
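Review bot: The new description says gen-node-key.sh copies root's public key to the `authorized_hosts` file, but the companion script in this same commit writes it to `.ssh/authorized_keys`; the comment should read `# authorized_keys file on the Windows computer and disable password`. Since the header documents that the root password is passed as the only argument, it would also help to state that a password given on the command line is visible to other local users in the process list and is kept in shell history, so the build console should be treated accordingly. The set_config function whose header starts at the end of this hunk continues outside it.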
@@ -73,117 +57,194 @@
echo Setting $keyword to $value in $config_file
sed -i -r -e "s/^[ #]*($keyword).*/\1 $value/" $config_file
grep -i -r "^[ #]*$keyword" $config_file
- echo ----------
+ print_hr
return 1;
}
-# -----------------------------------------------------------------------------
+#------------------------------------------------------------------------------
+function print_hr {
+ echo "----------------------------------------------------------------------"
+}
+#------------------------------------------------------------------------------
+function help {
+ print_hr
+ echo "Usage: $0 '<root password>'"
+ print_hr
+ exit 1
+}
+
+#------------------------------------------------------------------------------
+function die {
+ exit_status=$?
+ message=$1
+
+ print_hr
+ echo "ERROR: ($exit_status)"
+
+ if [ "$message" != "" ]
+ then
+ echo $message
+ fi
+
+ print_hr
+ exit 1
+}
+
+###############################################################################
+# Get the Windows root account password argument
if [ $# -ne 1 ]
then
- echo "Usage: $0 '<root password>'"
- exit 1
+ help
fi
PASSWORD=$1
+print_hr
+
+# Stop and kill all sshd processes
echo Stopping sshd service if it is running
net stop sshd 2>/dev/null
-echo ----------
+print_hr
+echo Killing any sshd.exe processes
+taskkill.exe /IM sshd.exe /F 2>/dev/null
+print_hr
+
+echo Killing any cygrunsrv.exe processes
+taskkill.exe /IM cygrunsrv.exe /F 2>/dev/null
+print_hr
+
+# Delete the sshd service if it already exists
echo Deleting sshd service if it already exists
$SYSTEMROOT/system32/sc.exe delete sshd
-echo ----------
+print_hr
+
+# Make sure sshd service registry key is gone
+# sc.exe may have set a pending deletion registry key under sshd
+# This prevents the service from being reinstalled
+echo Deleting sshd service registry key
+reg.exe DELETE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd' /f
+print_hr
+# Delete sshd user, a new account will be created
echo Deleting the sshd user if it already exists
net user sshd /DELETE
-echo ----------
+print_hr
+# Delete any existing ssh configuration or key files
echo Deleting '/etc/ssh*'
rm -fv /etc/ssh*
-echo ----------
+print_hr
+# Delete existing ssh log file
echo Deleting /var/log/sshd.log if it exists
rm -fv /var/log/sshd.log
-echo ----------
+print_hr
+# ssh-host-config requires several permissions to be set in order for it to complete
echo Setting root:Administrators as owner of '/etc' and '/var'
chown -R root:Administrators /etc /var
-echo ----------
+print_hr
echo Adding ug+rwx permissions to '/etc' and '/var'
chmod -v ug+rwx /etc /var
-echo ----------
+print_hr
echo Adding read permission on /etc/passwd and /etc/group
chmod -v +r /etc/passwd /etc/group
-echo ----------
+print_hr
echo Adding ug+w permission on /etc/passwd and /etc/group
chmod -v ug+w /etc/passwd /etc/group
-echo ----------
+print_hr
+# Recreate Cygwin's group and passwd files so they match current computer accounts
echo Recreating /etc/group
mkgroup -l > /etc/group
-echo ----------
+if [ $? -ne 0 ]; then die "failed to recreate /etc/group"; fi;
+print_hr
echo Recreating /etc/passwd
mkpasswd -l > /etc/passwd
-echo ----------
+if [ $? -ne 0 ]; then die "failed to recreate /etc/passwd"; fi;
+print_hr
+# ssh-host-config will fail if the mount points are configured as user instead of system
echo Configuring mount points
-umount -u /usr/bin 2>/dev/nul
+umount -u /usr/bin 2>/dev/null
mount -f -s -b C:/cygwin/bin /usr/bin
-umount -u /usr/lib 2>/dev/nul
+umount -u /usr/lib 2>/dev/null
mount -f -s -b C:/cygwin/lib /usr/lib
-umount -u / 2>/dev/nul
+umount -u / 2>/dev/null
mount -f -s -b C:/cygwin /
-echo ----------
+print_hr
echo Adding execute permission on /var
chmod -v +x /var
-echo ----------
+print_hr
+# Delete existing SSH settings and files in root's home directory
+echo Deleting /home/root/.ssh directory if it exists
+rm -rfv /home/root/.ssh
+print_hr
+
+# Run ssh-user-config, this creates the .ssh directory in root's home directory
+echo Running ssh-user-config
+ssh-user-config -n
+if [ $? -ne 0 ]; then die "failed to run ssh-host-config"; fi;
+print_hr
+
+# Make sure root owns everything in its home directory
+echo Setting root:None as the owner of /home/root
+chown -R root:None /home/root
+print_hr
+
+# Run ssh-host-config, this is the main sshd service configuration utility
echo Running ssh-host-config
-ssh-host-config -y
-echo ----------
+ssh-host-config -y -c ntsec -w "$PASSWORD"
+if [ $? -ne 0 ]; then die "failed to run ssh-host-config"; fi;
+print_hr
+# sshd service requires some directories under /var to be configured as follows in order to start
echo Creating /var/empty directory if it does not exist
mkdir /var/empty 2>/dev/NULL
-echo ----------
+print_hr
echo Setting root:Administrators as owner of /var/empty
chown -Rv root:Administrators /var/empty
-echo ----------
+print_hr
echo Setting permissions to 755 on /var/empty
chmod -Rv 755 /var/empty
-echo ----------
+print_hr
echo Setting permissions to 775 on /var/log
chmod -Rv 775 /var/log
-echo ----------
+print_hr
echo Creating /var/log/sshd.log file if it does not exist
touch /var/log/sshd.log
-echo ----------
+print_hr
echo Setting root:Administrators as owner of '/etc/ssh*' and /var/log/sshd.log
chown -Rv root:Administrators /etc/ssh* /var/log/sshd.log
-echo ----------
+print_hr
echo Setting permissions to ug+rw on '/etc/ssh*' and /var/log/sshd.log
chmod -Rv ug+rw /etc/ssh* /var/log/sshd.log
-echo ----------
+print_hr
+# Make sure host key permissions are correct
echo Setting permissions to 600 on '/etc/ssh*key'
chmod -v 600 /etc/ssh*key
-echo ----------
+print_hr
echo Setting permissions to ug+rwx on /etc
chmod -v ug+rwx /etc
-echo ----------
+print_hr
+# Configure the sshd_config file
echo Configuring /etc/sshd_config
set_config '/etc/sshd_config' 'LogLevel' 'VERBOSE'
set_config '/etc/sshd_config' 'MaxAuthTries' '12'
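Review bot: Every failure check in this hunk has the form `if [ $? -ne 0 ]; then die "..."; fi;`, so by the time `die` runs `exit_status=$?` the value it captures is the status of the `[ ... ]` test (always 0), and the `ERROR: (0)` line never shows the real exit code; calling it as `mkgroup -l > /etc/group || die "failed to recreate /etc/group"` (and likewise for mkpasswd, ssh-user-config and ssh-host-config) lets `die` see the failing command's status. The check after `ssh-user-config -n` reports `failed to run ssh-host-config`, a copy of the later message; it should say `failed to run ssh-user-config`. Inside `die`, `echo $message` should be `echo "$message"` so a message containing a glob or several spaces is printed as written. The set_config function that this hunk's first lines belong to starts outside the hunk.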
@@ -191,17 +252,25 @@
set_config '/etc/sshd_config' 'Banner' 'none'
set_config '/etc/sshd_config' 'UsePrivilegeSeparation' 'yes'
set_config '/etc/sshd_config' 'StrictModes' 'no'
-set_config '/etc/sshd_config' 'LoginGraceTime' '10'
+set_config '/etc/sshd_config' 'LoginGraceTime' '30'
set_config '/etc/sshd_config' 'Compression' 'no'
+set_config '/etc/sshd_config' 'IgnoreUserKnownHosts' 'yes'
+set_config '/etc/sshd_config' 'PrintLastLog' 'no'
+set_config '/etc/sshd_config' 'RSAAuthentication' 'no'
+set_config '/etc/sshd_config' 'UseDNS' 'no'
+set_config '/etc/sshd_config' 'PermitRootLogin' 'no'
+# Add switches to the sshd service startup command so that it logs to a file
echo Configuring the sshd service to log to /var/log/sshd.log
reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Services\sshd\Parameters" /v AppArgs /d "-D -e" /t REG_SZ /f
-echo ----------
+print_hr
+# Configure the sshd service to run as root
echo Configuring the sshd service to use the root account: $PASSWORD
$SYSTEMROOT/system32/sc.exe config sshd obj= ".\root" password= "$PASSWORD"
-echo ----------
+print_hr
+# Run secedit.exe to grant root the right to logon as a service
# Assemble the paths secedit needs
secedit_exe="C:\\WINDOWS\\system32\\secedit.exe"
secedit_inf='C:\\WINDOWS\\security\\templates\\root_logon_service.inf'
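Review bot: `echo Configuring the sshd service to use the root account: $PASSWORD` writes the root password to stdout, so it ends up in any console transcript or log captured while the base image is built; the `sc.exe config sshd ... password=` call needs the value, the progress message does not, so the line should be `echo Configuring the sshd service to use the root account`. The added `PermitRootLogin no` is followed in this commit by gen-node-key.sh logging in as `root@$NODE` with the identity key; on Cygwin the root account is presumably not uid 0, in which case sshd's root check does not apply to it, but this is worth confirming on a test node before relying on the setting. The here-document started at the end of this hunk continues outside it.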
@@ -217,22 +286,32 @@
signature="\$WINDOWS NT\$"
EOF
+# Make sure security .inf file is formatted for DOS
unix2dos $secedit_inf
echo Running secedit.exe to grant root the right to logon as a service
cmd.exe /c $secedit_exe /configure /cfg "$secedit_inf" /db $secedit_db /log $secedit_log /verbose
-echo ----------
+print_hr
-echo Configuring firewall port 22 exception
+# Create firewall exception for sshd TCP port 22 traffic
+echo Configuring sshd firewall port 22 exception
netsh firewall set portopening name = "Cygwin SSHD" protocol = TCP port = 22 mode = ENABLE profile = ALL scope = ALL
-echo ----------
+if [ $? -ne 0 ]; then die "failed to configure sshd firewall port 22 exception"; fi;
+print_hr
echo Starting the sshd service
net start sshd
-echo ----------
+if [ $? -ne 0 ]; then die "failed to starting the sshd service"; fi;
+print_hr
+# Print the end of the sshd.log file, this is only for debugging
echo /var/log/sshd.log ending:
tail -n 10 /var/log/sshd.log
-echo ----------
+print_hr
+
+echo "SUCCESS: $0 done."
+echo
+echo "IMPORTANT! Now run gen-node-key.sh on the management node,"
+echo "specify this computer's hostname or IP address as the 1st argument."
-echo Done
+exit 0
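Review bot: The `cmd.exe /c $secedit_exe /configure ...` step that grants root the logon-as-a-service right is the only command in this hunk whose result is not checked, while the netsh and `net start sshd` calls after it are; if it fails, the script only dies later at `net start sshd` with a message that does not name the cause. Adding `if [ $? -ne 0 ]; then die "failed to grant root the right to logon as a service"; fi;` directly after it would point at the real problem, assuming cmd.exe propagates secedit's exit status. The message `failed to starting the sshd service` should read `failed to start the sshd service`.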
Propchange: incubator/vcl/trunk/managementnode/bin/cygwin-sshd-config.sh
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: incubator/vcl/trunk/managementnode/bin/cygwin-sshd-config.sh
------------------------------------------------------------------------------
svn:executable = *
Propchange: incubator/vcl/trunk/managementnode/bin/cygwin-sshd-config.sh
------------------------------------------------------------------------------
svn:keywords = Date Revision Author HeadURL Id
Modified: incubator/vcl/trunk/managementnode/bin/gen-node-key.sh
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/bin/gen-node-key.sh?rev=826104&r1=826103&r2=826104&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/bin/gen-node-key.sh (original)
+++ incubator/vcl/trunk/managementnode/bin/gen-node-key.sh Fri Oct 16 22:04:04 2009
@@ -1,6 +1,7 @@
-##############################################################################
-# $Id: $
-##############################################################################
+#!/bin/bash
+###############################################################################
+# $Id$
+###############################################################################
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
@@ -17,84 +18,134 @@
# limitations under the License.
###############################################################################
# DESCRIPTION
-# Configures a VCL management node to be able to control a remote node using SSH
-# keys. The IP address or hostname of a remote node which has already been
-# configured to respond to SSH must be supplied as an argument. This script does
-# the following:
-# * Generates an 1024 bit RSA SSH public/private key pair if it doesn't already
-# exist. Location:
-# Private key: /etc/vcl/vcl.key
-# Public key: /etc/vcl/vcl.key.pub
-# * Configures the ssh_config file on the management node to use the following
-# options:
-# StrictHostKeyChecking=no
-# * Removes any existing entries in the known_hosts file for the node specified
-# * Adds the current host key of the node specified to the known_hosts file
-# * Adds the vcl.key.pub public key to the authorized_keys file on the specified
-# host
-# * Configures the sshd_config file on the specified host with the following
-# options:
-# PermitRootLogin=no
-# PasswordAuthentication=no
-# * Restarts the sshd service on the specified node
+# Configures the root account on a VCL management node to be able to log on to a
+# Windows computer via SSH using an identity key. The IP address or hostname of
+# the Windows computer must be supplied as the first argument. An SSH private
+# key path can optionally be specified as the 2nd argument. If the 2nd argument
+# isn't supplied, the SSH identity key file used is /etc/vcl/vcl.key. The SSH
+# identity key files will be created if they don't already exist. Enter the
+# Windows computer's root accounts password when prompted.
+###############################################################################
+function print_hr {
+ echo "----------------------------------------------------------------------"
+}
+
+#------------------------------------------------------------------------------
+function help {
+ print_hr
+ echo "Usage:"
+ echo "$0 <IP or hostname> [SSH identity key path]"
+ print_hr
+ exit 1
+}
+
+#------------------------------------------------------------------------------
+function die {
+ message=$1
+
+ print_hr
+ echo "ERROR:"
+
+ if [ "$message" != "" ]
+ then
+ echo $message
+ fi
+
+ print_hr
+ exit 1
+}
-if [ $# -ne 1 ]
+###############################################################################
+# Get the arguments
+if [ $# == 0 -o $# -gt 2 ];
then
- echo "Usage: $0 <node>"
- exit 1
+ help
fi
NODE=$1
+KEY_PATH=$2
+
+# Make sure root is running this script
+if [ `env |grep -ic "^USERNAME=root$"` -ne 1 ];
+then
+ die "this script must be run as root"
+fi
+
+SSH_OPTIONS="-o CheckHostIP=no -o StrictHostKeyChecking=no -o BatchMode=no"
+
+print_hr
+
+# Set the default key path if argument not specified
+if [ "$KEY_PATH" == "" ]
+then
+ KEY_PATH='/etc/vcl/vcl.key'
+ echo Using default SSH identity key path: $KEY_PATH
+else
+ echo Using specified SSH identity key path: $KEY_PATH
+fi
# Check if vcl.key already exists, create it if it doesn't
-echo ----------
-if [ -f '/etc/vcl/vcl.key' ];
+print_hr
+if [ -f "$KEY_PATH" ];
then
- echo SSH key already exists on this management node: '/etc/vcl/vcl.key'
+ echo SSH key already exists on this management node: "$KEY_PATH"
else
- echo Creating SSH keys on management node: '/etc/vcl/vcl.key(.pub)'
- mkdir -p /etc/vcl
- ssh-keygen -t rsa -f /etc/vcl/vcl.key -N '' -b 1024 -C 'root on VCL management node'
- echo "IdentityFile /etc/vcl/vcl.key" >> /etc/ssh/ssh_config
-fi
-echo ----------
-
-echo Setting StrictHostKeyChecking to no in ssh_config on this management node
-sed -i -r -e "s/^[ #]*(StrictHostKeyChecking).*/\1 no/" /etc/ssh/ssh_config
-grep -i -r "^[ #]*StrictHostKeyChecking" /etc/ssh/ssh_config
-echo ----------
+ echo Creating SSH keys on management node: "$KEY_PATH"
+ ssh-keygen -t rsa -f "$KEY_PATH" -N '' -b 1024 -C 'VCL root account'
+ if [ $? -ne 0 ]; then die "failed to generate SSH keys"; fi;
+ echo "IdentityFile $KEY_PATH" >> /etc/ssh/ssh_config
+fi
+print_hr
# Remove existing entries for the node from known_hosts for the node specified by the argument
-if [ `grep -ic $NODE /root/.ssh/known_hosts` -ne 0 ];
+if [ `grep -ic "^$NODE " /root/.ssh/known_hosts` -ne 0 ];
then
echo Removing $C entries for $NODE from '/root/.ssh/known_hosts'
- sed -i -r -e "s/.*$NODE.*//" /root/.ssh/known_hosts
+ sed -i -r -e "s/^$NODE .*//" /root/.ssh/known_hosts
else
echo Entry does not exist for $NODE in '/root/.ssh/known_hosts'
fi
-echo ----------
+print_hr
-echo Scanning host key for $NODE and adding it to '/root/.ssh/known_hosts'
-ssh-keyscan -t rsa $NODE >> /root/.ssh/known_hosts
+# Remove existing entries for the node from xCAT gkh file
+if [ `grep -ic "^$NODE " /opt/xcat/etc/gkh` -ne 0 ];
+then
+ echo Removing $C entries for $NODE from '/opt/xcat/etc/gkh'
+ sed -i -r -e "s/^$NODE .*//" /opt/xcat/etc/gkh
+else
+ echo Entry does not exist for $NODE in '/opt/xcat/etc/gkh'
+fi
+print_hr
-echo Copying public key to authorized_keys on $NODE
-ssh-copy-id -i /etc/vcl/vcl.key.pub $NODE
-echo ----------
+# Add the node's key to the known hosts file
+which makesshgkh
+if [ $? == 0 ];
+then
+ echo Running xCAT makesshgkh utility for $NODE
+ makesshgkh $NODE
+else
+ echo Scanning host key for $NODE and adding it to '/root/.ssh/known_hosts'
+ ssh-keyscan -t rsa $NODE >> /root/.ssh/known_hosts
+fi
+print_hr
-echo Setting PermitRootLogin to no in sshd_config on $NODE
-ssh -i /etc/vcl/vcl.key root@$NODE 'sed -i -r -e "s/^[ #]*(PermitRootLogin).*/\1 no/" /etc/sshd_config'
-ssh -i /etc/vcl/vcl.key root@$NODE 'grep "^[ #]*PermitRootLogin" /etc/sshd_config'
-echo ----------
+echo Copying public key to authorized_keys on $NODE
+scp $SSH_OPTIONS $KEY_PATH.pub root@$NODE:.ssh/authorized_keys
+if [ $? -ne 0 ]; then die "failed to copy $KEY_PATH.pub to $NODE:.ssh/authorized_keys"; fi;
+print_hr
echo Setting PasswordAuthentication to no in sshd_config on $NODE
-ssh -i /etc/vcl/vcl.key root@$NODE 'sed -i -r -e "s/^[ #]*(PasswordAuthentication).*/\1 no/" /etc/sshd_config'
-ssh -i /etc/vcl/vcl.key root@$NODE 'grep "^[ #]*PasswordAuthentication" /etc/sshd_config'
-echo ----------
+ssh $SSH_OPTIONS -i $KEY_PATH root@$NODE 'sed -i -r -e "s/^[ #]*(PasswordAuthentication).*/\1 no/" /etc/sshd_config'
+ssh $SSH_OPTIONS -i $KEY_PATH root@$NODE 'grep "^[ #]*PasswordAuthentication" /etc/sshd_config'
+print_hr
echo Restarting the sshd service on $NODE
-ssh -i /etc/vcl/vcl.key root@$NODE 'net stop sshd ; net start sshd'
-echo ----------
-
-echo Done, the following command should work:
-echo "ssh -i /etc/vcl/vcl.key $NODE"
+ssh $SSH_OPTIONS -i $KEY_PATH root@$NODE 'net stop sshd ; net start sshd'
+if [ $? -ne 0 ]; then die "failed to restart the sshd service on $NODE"; fi;
+print_hr
+
+echo "SUCCESS: $0 done."
+echo
+echo "Try to run the following command, it should NOT prompt for a password:"
+echo "ssh $SSH_OPTIONS -i $KEY_PATH $NODE"
exit 0
\ No newline at end of file
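Review bot: The root check `if [ `env |grep -ic "^USERNAME=root$"` -ne 1 ]` depends on the USERNAME environment variable, which Linux login shells do not set by default and which any caller can export, so the script can abort for a genuine root session or pass for a non-root one; `if [ "$(id -u)" -ne 0 ]; then die "this script must be run as root"; fi` tests the effective uid instead. The new `grep -ic "^$NODE " /opt/xcat/etc/gkh` prints nothing to stdout when that file is absent (the `which makesshgkh` branch below already allows for xCAT being missing), which leaves `[ -ne 0 ]` as a syntax error rather than a skipped step; test `[ -f /opt/xcat/etc/gkh ]` first. The regenerated identity key is created with `-b 1024`; 2048-bit RSA is the customary minimum and costs nothing here, so `ssh-keygen -t rsa -f "$KEY_PATH" -N '' -b 2048 -C 'VCL root account'` is preferable. `$C` in the two `echo Removing $C entries` lines is never assigned. The `scp` to `.ssh/authorized_keys` replaces that file rather than appending as the removed `ssh-copy-id` did; if that is intended, a one-line comment saying so would spare the next reader the question.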
Propchange: incubator/vcl/trunk/managementnode/bin/gen-node-key.sh
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: incubator/vcl/trunk/managementnode/bin/gen-node-key.sh
------------------------------------------------------------------------------
svn:executable = *
Propchange: incubator/vcl/trunk/managementnode/bin/gen-node-key.sh
------------------------------------------------------------------------------
svn:keywords = Date Revision Author HeadURL Id