This might be useful for those wanting to do server administration functions
(start/stop tomcat, reboot, stats, etc.) out of an XWiki doc (make sure your
doc is password protected or more, if it allows people to reboot your
server!). Anything needing root or the tomcat user would use /etc/sudoers to
grant specific permissions to specific programs needed by user
tomcat-ssh-slave:
Input:
==== Use Groovy Script run server processes and display result ====
==== Call parseGroovyFromPage("Groovy.SshHelperClass") ====
{{velocity}}
#set( $sshHelper = $xwiki.parseGroovyFromPage("Groovy.SshHelperClass") )
$sshHelper.openSession("127.0.0.1", "22", "tomcat-ssh-slave", "/usr/share/tomcat6/.ssh/id_dsa", "")
{{/velocity}}
==== Output from 'uname -a' ====
##{{velocity}}$sshHelper.runCommand("uname -a"){{/velocity}}##
==== Output from 'free' ====
##{{velocity}}$sshHelper.runCommand("free"){{/velocity}}##
==== Output from 'ps -l U tomcat-ssh-slave U tomcat U apache' ====
##{{velocity}}$sshHelper.runCommand("ps -l h U tomcat-ssh-slave U tomcat U apache"){{/velocity}}##
==== Output from 'df -H' ====
##{{velocity}}$sshHelper.runCommand("df -H"){{/velocity}}##
==== Output from 'top -b -n 1' ====
##{{velocity}}$sshHelper.runCommand("top -b -n 1"){{/velocity}}##
==== Close the connection and exit tomcat-ssh-slave shell ====
warning: if something breaks above, hopefully this will get called, otherwise
we get a left-over sub-process tomcat-ssh-slave
##{{velocity}}$sshHelper.close(){{/velocity}}##
Output:
Use Groovy Script run server processes and display result
See SshHelperClass,
*Call parseGroovyFromPage("Groovy.SshHelperClass")*
*Output from 'uname -a'*
Linux ce 2.6.27.29-170.2.78.fc10.x86_64 #1 SMP Fri Jul 31 04:16:20 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
*Output from 'free'*
             total       used       free     shared    buffers     cached
Mem:       1928992    1778932     150060          0      47272     532128
-/+ buffers/cache:    1199532     729460
Swap:      3866616      78776    3787840
*Output from 'ps -l U tomcat-ssh-slave U tomcat U apache'*
5 S 92 18792 18788 0 80 0 - 22060 select ? 0:00 sshd: tomcat-ssh-slave@notty
0 R 92 18879 18792 1 80 0 - 22453 - ? 0:00 ps -l h U tomcat-ssh-slave U tomcat U apache
0 S 91 31695 1 0 80 0 - 463955 futex_ ? 7:47 /usr/java/default/bin/java -server -Xms160m -Xmx1024m -XX:PermSize=160m -XX:MaxPermSize=320m ...
*Output from 'df -H'*
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00 242G 26G 204G 12% /
/dev/sda1 200M 15M 175M 8% /boot
tmpfs 988M 353k 988M 1% /dev/shm
*Output from 'top -b -n 1'*
top - 11:17:20 up 2 days, 16:21, 3 users, load average: 0.78, 0.68, 0.56
Tasks: 150 total, 2 running, 148 sleeping, 0 stopped, 0 zombie
Cpu(s): 7.7%us, 1.7%sy, 0.0%ni, 90.2%id, 0.3%wa, 0.1%hi, 0.1%si, 0.0%st
Mem: 1928992k total, 1794420k used, 134572k free, 47304k buffers
Swap: 3866616k total, 78776k used, 3787840k free, 532356k cached
...
Special Installation Instructions
To make this run (Fedora Linux):
1. sudo yum install trilead-ssh2 trilead-ssh2-javadoc
2. sudo ln -s /usr/share/java/trilead-ssh2-213.jar /usr/share/java/tomcat6/trilead-ssh2.jar
3. Make sure "tomcat" user exists in /etc/passwd, and create an additional
uid=92 gid=92 account "tomcat-ssh-slave":
• tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/bin/sh
° "tomcat" user created as "disabled" by installing tomcat6-6.0.18-6.2.fc10
• tomcat-ssh-slave:x:92:92:User for SSH Subprocesses From Tomcat:/home/tomcat-ssh-slave:/bin/bash
° create this using fedora admin utility 'system-config-users' or by
hand-editing /etc/passwd...
4. sudo passwd -u tomcat
• unlock tomcat account temporarily
5. sudo passwd tomcat
• set password for tomcat account
6. Login to "tomcat" account using SSH from current account terminal.
7. ssh-keygen -t dsa
• Leave "empty for no passphrase" for decrypting the DSA key produced by
ssh-keygen, although it can be specified as the last parameter for
sshHelper.openSession("localhost", "22", "tomcat-ssh-slave", "/usr/share/tomcat6/.ssh/id_dsa", "").
8. From the "tomcat" account, run "ssh tomcat-ssh-slave@127.0.0.1"
• answer Yes: "Are you sure you want to continue connecting (yes/no)? yes"
• enter password for tomcat-ssh-slave set above via system-config-users.
• exit the connection.
• The purpose of this step is to test the account, and init
/usr/share/tomcat6/.ssh/known_hosts
9. sudo cp /usr/share/tomcat6/.ssh/id_dsa.pub tomcat-ssh-slave/.ssh/authorized_keys
10. From the "tomcat" account, do "ssh tomcat-ssh-slave@127.0.0.1" again
• verify that login happens w/o password prompt, which is what happens when
authorized_keys is set to the public key of the account accessing SSH.
• exit from tomcat-ssh-slave account. It's now ready to run out of tomcat.
11. passwd -l tomcat
• lock the tomcat account from further logins, now that it's been set up and
the DSA public/private keys have been generated.
1. *TODO:* remove password from user tomcat-ssh-slave ('!!' in passwd field
of /etc/shadow); password not needed for login
2. *TODO:* alternately, is there a local customization to ensure certs only
used for login to the account? I know this can be done globally in
/etc/ssh/sshd_config: "PasswordAuthentication no" and "PermitEmptyPasswords no"
3. *TODO:* for user tomcat-ssh-slave, integrate "limited command processing"
by replacing /bin/sh as login shell with /usr/local/bin/tomcat-ssh-shell (or
equiv):
#!/bin/sh -noprofile
###############################################################################
#
# File:        sshslave-shell
# RCS:         $Header: $
# Description: Shell to allow execution of remote commands from a tomcat
#              server.
# For security purposes, this "login" is limited in commands it can
# perform, and runs as a separate user from the tomcat server, separating
# the ability to directly modify tomcat state from the functionality provided
# by user tomcat-ssh-slave. This shell is run as the "login shell" (via
# /etc/passwd) for account tomcat-ssh-slave, which is accessed via SSH.
# The account is preferably a nonprivileged user account with uid>500. Home
# directory /home/tomcat-ssh-slave must exist, with correct permissions.
# /home/tomcat-ssh-slave contains scripts referred to via fully qualified
# filenames in this script. The directory would also store the account's
# .ssh settings, keys, etc. Secure, password-less access to the
# tomcat-ssh-slave account can be achieved by having tomcat's SSH public
# identity /usr/share/tomcat6/.ssh/id_dsa.pub installed as
# /home/tomcat-ssh-slave/.ssh/authorized_keys (and keeping id_dsa secret).
# This would prevent the tomcat-ssh-slave "account" from being used by
# anything other than preauthorized accounts.
#
# Here's some example commands:
#
#   ssh -x tomcat-ssh-slave@127.0.0.1 cleanlog
#   ssh -x tomcat-ssh-slave@127.0.0.1 getlog
#   ssh -x tomcat-ssh-slave@127.0.0.1 setdbglvl 'INFO'
#   ssh -x tomcat-ssh-slave@127.0.0.1 getdbglvl
#   ssh -x tomcat-ssh-slave@127.0.0.1 tomcat-restart
#   ssh -x tomcat-ssh-slave@127.0.0.1 apache-restart
#   ssh -x tomcat-ssh-slave@127.0.0.1 tomcat-start
#   ssh -x tomcat-ssh-slave@127.0.0.1 apache-start
#   ssh -x tomcat-ssh-slave@127.0.0.1 top
#   ssh -x tomcat-ssh-slave@127.0.0.1 ps
#   ssh -x tomcat-ssh-slave@127.0.0.1 df
#   ssh -x tomcat-ssh-slave@127.0.0.1 free
#   ssh -x tomcat-ssh-slave@127.0.0.1 reboot
#
# Author:   Niels P. Mayer
# Created:  Monday 8/10/2009
# Modified:
# Language: Shell-script
# Package:  N/A
# Status:   Production
#
# (C) Copyright 2009, Niels Mayer, all rights reserved.
#
###############################################################################
# Note: -noprofile on the shebang line is a bash option; this assumes /bin/sh
# is bash, as it is on Fedora.

# make sure nothing funny goes on
PATH="/bin:/usr/bin"

# sshd starts the login shell as `sshslave-shell -c "<command>"`; make sure
# they rsh or ssh in with a single command, not an interactive login
if [ -z "$1" ] || [ "$1" != "-c" ]
then
  echo "You must use ssh -c to access this account" >&2
  exit 1
else
  shift
  SSHSLAVE_COMMAND="$*"
fi

# only let them run the specific commands listed in the examples above
case "${SSHSLAVE_COMMAND}" in
  cleanlog | \
  getlog | \
  getdbglvl | \
  tomcat-restart | \
  apache-restart | \
  tomcat-start | \
  apache-start | \
  top | \
  ps | \
  df | \
  free | \
  reboot )
    # single argument commands -- exact match to SSHSLAVE_COMMAND, so nothing
    # the client sends can alter the path that gets executed
    exec "/home/tomcat-ssh-slave/${SSHSLAVE_COMMAND}"
    ;;
  setdbglvl | "setdbglvl "* )
    # e.g., setdbglvl 'INFO' ... multiple argument command. Beware command
    # injection: the request is split into words and everything after the
    # first word is passed as arguments. Globbing is disabled during the
    # split and nothing goes through eval or a second shell, but the
    # setdbglvl script must still validate the level it receives.
    set -f
    set -- ${SSHSLAVE_COMMAND}
    set +f
    SSHSLAVE_PROGRAM="$1"
    shift
    exec "/home/tomcat-ssh-slave/${SSHSLAVE_PROGRAM}" "$@"
    ;;
  * )
    echo "You are not authorized to do that." >&2
    exit 1
    ;;
esac
Niels
http://nielsmayer.com
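An added example for TODO items 2 and 3 in the post above (this is not Niels' sshslave-shell and not part of the original message): the per-key alternative to swapping the login shell is an OpenSSH forced command. With `command="..."` in authorized_keys, sshd ignores whatever the client asked to run, starts the dispatcher instead and passes the request in SSH_ORIGINAL_COMMAND; the dispatcher only execs exact allowlist matches, so extra flags, `;` tricks and path traversal are refused before any program starts. The script path /usr/local/bin/sshslave-dispatch, the setdbglvl levels, the sudoers program list and the key text are assumptions, not from the post.

```shell
#!/bin/sh
# sshslave-dispatch: forced-command dispatcher for the tomcat-ssh-slave key.
# Added example, not the sshslave-shell from the post. Instead of replacing
# the account's login shell, the tomcat public key is pinned to this program
# in authorized_keys; sshd then ignores the client's requested command line
# and hands it to us in SSH_ORIGINAL_COMMAND for validation.
# Assumptions: helper scripts live under /home/tomcat-ssh-slave, this file is
# installed as /usr/local/bin/sshslave-dispatch, and setdbglvl accepts one of
# DEBUG/INFO/WARN/ERROR (the post never lists its levels).

SSHSLAVE_HOME=${SSHSLAVE_HOME:-/home/tomcat-ssh-slave}
SSHSLAVE_DISPATCH=${SSHSLAVE_DISPATCH:-/usr/local/bin/sshslave-dispatch}

# Map the requested command line ($1) to the program and arguments that may
# run, printed one per line. Prints nothing and returns 1 unless the request
# is an exact allowlist match, so "df -h", "df; id" and "../../bin/sh" fail.
sshslave_resolve() {
    req=$1
    set -f                  # no globbing while the request is word-split
    set -- $req             # $1 is the command word, $2... its arguments
    set +f
    [ $# -gt 0 ] || return 1
    cmd=$1
    shift
    case $cmd in
        cleanlog|getlog|getdbglvl|tomcat-restart|apache-restart| \
        tomcat-start|apache-start|top|ps|df|free|reboot)
            [ $# -eq 0 ] || return 1    # these take no arguments at all
            printf '%s\n' "$SSHSLAVE_HOME/$cmd"
            ;;
        setdbglvl)
            [ $# -eq 1 ] || return 1    # exactly one argument, from a fixed set
            case $1 in
                DEBUG|INFO|WARN|ERROR) ;;
                *) return 1 ;;
            esac
            printf '%s\n' "$SSHSLAVE_HOME/$cmd" "$1"
            ;;
        *)
            return 1
            ;;
    esac
}

# The authorized_keys entry for the tomcat public key text in $1. The
# command= option forces every login through the dispatcher; the no-*
# options remove the pty and the port/X11/agent forwarding the key would
# otherwise still get even behind a restricted login shell.
sshslave_authorized_keys_line() {
    printf 'command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$SSHSLAVE_DISPATCH" "$1"
}

# Write that entry as $1/.ssh/authorized_keys with modes that sshd's
# StrictModes (the default) accepts. Step 9 of the post used a bare cp, which
# keeps whatever mode id_dsa.pub had. $2 is the public key text.
sshslave_install_key() {
    ( umask 077
      mkdir -p "$1/.ssh" || exit 1
      sshslave_authorized_keys_line "$2" > "$1/.ssh/authorized_keys" || exit 1
      chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys" )
}

# Entry point when sshd runs us as the forced command. The resolved list is
# re-split on newlines only, so no further shell interpretation happens.
sshslave_main() {
    if args=$(sshslave_resolve "${SSH_ORIGINAL_COMMAND-}"); then
        IFS='
'
        set -f
        set -- $args
        set +f
        unset IFS
        exec "$@"
    fi
    echo "You are not authorized to do that." >&2
    exit 1
}

# Companion sshd_config fragment (TODO 2 in the post, per-account instead of
# global) and the sudoers grant the post mentions; the program list is an
# assumption:
#   Match User tomcat-ssh-slave
#       PasswordAuthentication no
#       PermitEmptyPasswords no
#       PubkeyAuthentication yes
#       AllowTcpForwarding no
#   tomcat-ssh-slave ALL=(root) NOPASSWD: /sbin/reboot, /sbin/service tomcat6 restart

# Only dispatch when installed under the expected name; sourcing the file for
# tests defines the functions without executing anything.
case ${0##*/} in
    sshslave-dispatch) sshslave_main ;;
esac
```

Run `sshslave_install_key /home/tomcat-ssh-slave "$(cat /usr/share/tomcat6/.ssh/id_dsa.pub)"` as root in place of step 9; afterwards `ssh tomcat-ssh-slave@127.0.0.1 df` from the tomcat account works, while a bare `ssh tomcat-ssh-slave@127.0.0.1` (no command, so SSH_ORIGINAL_COMMAND is empty) or `ssh tomcat-ssh-slave@127.0.0.1 'df; id'` gets "not authorized". Two caveats: sudoers should name the system programs the helper scripts call (as in the fragment above), never the scripts themselves, since anything under the account's home directory is writable by that account; and OpenSSH 7.0 and later refuse ssh-dss keys by default, so on a current system step 7 should generate an ed25519 or RSA key instead.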