[Machinery] Inspecting remote system: ssh access
Matwey V. Kornilov
matwey.kornilov at gmail.com
Thu Jul 23 03:32:17 MDT 2015
Hello,
I've found that when I do
machinery inspect --verbose -n name -r machinery ip
machinery creates an ssh session for every single command. On the remote
side, I see the following (sorry, long log):
Jul 23 09:15:32 linux sshd[24346]: Accepted publickey for machinery from
192.168.10.232 port 44327 ssh2: RSA
ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
Jul 23 09:15:32 linux sshd[24346]: pam_unix(sshd:session): session
opened for user machinery by (uid=0)
Jul 23 09:15:32 linux systemd: pam_unix(systemd-user:session): session
opened for user machinery by (uid=0)
Jul 23 09:15:32 linux sudo: machinery : TTY=unknown ;
PWD=/var/lib/machinery ; USER=root ; ENV=LC_ALL=C ;
COMMAND=/usr/bin/find
/lib/modules/3.16.7-21-default/kernel/drivers/net/ethernet/neterion/vxge
-xdev -maxdepth 1 -maxdepth 6 -printf %y\0%P\0%l\0
Jul 23 09:15:32 linux sudo: pam_unix(sudo:session): session opened for
user root by (uid=0)
Jul 23 09:15:32 linux sudo: pam_unix(sudo:session): session closed for
user root
Jul 23 09:15:32 linux sshd[24350]: Received disconnect from
192.168.10.232: 11: disconnected by user
Jul 23 09:15:32 linux sshd[24346]: pam_unix(sshd:session): session
closed for user machinery
Jul 23 09:15:32 linux systemd: pam_unix(systemd-user:session): session
closed for user machinery
Jul 23 09:15:33 linux sshd[24381]: Accepted publickey for machinery from
192.168.10.232 port 44328 ssh2: RSA
ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
Jul 23 09:15:33 linux sshd[24381]: pam_unix(sshd:session): session
opened for user machinery by (uid=0)
Jul 23 09:15:33 linux systemd: pam_unix(systemd-user:session): session
opened for user machinery by (uid=0)
Jul 23 09:15:33 linux sudo: machinery : TTY=unknown ;
PWD=/var/lib/machinery ; USER=root ; ENV=LC_ALL=C ;
COMMAND=/usr/bin/find
/lib/modules/3.16.7-21-default/kernel/drivers/net/can/usb/peak_usb -xdev
-maxdepth 1 -maxdepth 6 -printf %y\0%P\0%l\0
Jul 23 09:15:33 linux sudo: pam_unix(sudo:session): session opened for
user root by (uid=0)
Jul 23 09:15:33 linux sudo: pam_unix(sudo:session): session closed for
user root
Jul 23 09:15:33 linux sshd[24385]: Received disconnect from
192.168.10.232: 11: disconnected by user
Jul 23 09:15:33 linux sshd[24381]: pam_unix(sshd:session): session
closed for user machinery
Jul 23 09:15:33 linux systemd: pam_unix(systemd-user:session): session
closed for user machinery
So, this kind of activity (opening and closing thousands of ssh
connections) can be mistaken for an ssh brute-force attack or some other kind of
malicious network activity. And this is an issue, especially if I
inspect a machine using an ssh connection through the public network. At
some point I would be blocked by my network management team.
I don't see any limitations on reusing an existing ssh connection; are there any?
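The sshd lines quoted in the post, run through a small triage script (an added example, not code from the post or from the Machinery project): it re-joins the wrapped log lines and adds two constructed "Failed password" lines from a made-up address to show the difference a log-based detector sees. A connection-rate rule fires on the machinery traffic, but an authentication-failure rule (what brute-force detection on sshd logs normally keys on) does not, because every one of those sessions is an accepted publickey login with the same user and fingerprint.

```python
import re
from collections import defaultdict

# Lines quoted from the post, re-joined onto single lines, followed by two
# CONSTRUCTED "Failed password" lines (203.0.113.7 is a documentation address,
# not from the post) to contrast an actual brute-force pattern.
SAMPLE_LOG = """\
Jul 23 09:15:32 linux sshd[24346]: Accepted publickey for machinery from 192.168.10.232 port 44327 ssh2: RSA ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
Jul 23 09:15:32 linux sshd[24350]: Received disconnect from 192.168.10.232: 11: disconnected by user
Jul 23 09:15:33 linux sshd[24381]: Accepted publickey for machinery from 192.168.10.232 port 44328 ssh2: RSA ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
Jul 23 09:15:33 linux sshd[24385]: Received disconnect from 192.168.10.232: 11: disconnected by user
Jul 23 09:15:40 linux sshd[24400]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jul 23 09:15:41 linux sshd[24402]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
"""

# Successful login: method, user, source, and (for publickey) key type and fingerprint.
ACCEPTED = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\w+) (?P<fp>\S+))?")
# Failed login, with or without sshd's "invalid user" prefix.
FAILED = re.compile(
    r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")

def summarize(log):
    """Per source IP: accepted sessions, failed attempts, and which (user, fingerprint) pairs succeeded."""
    stats = defaultdict(lambda: {"accepted": 0, "failed": 0, "identities": set()})
    for line in log.splitlines():
        m = ACCEPTED.search(line)
        if m:
            stats[m["ip"]]["accepted"] += 1
            stats[m["ip"]]["identities"].add((m["user"], m["fp"]))
            continue
        m = FAILED.search(line)
        if m:
            stats[m["ip"]]["failed"] += 1
    return dict(stats)

def classify(entry, rate_threshold=2):
    """Label one source. A count-only rule (rate_threshold sessions) would flag the
    automation; a failure-based rule only flags sources that actually fail to log in."""
    if entry["failed"] > 0 and entry["accepted"] == 0:
        return "failed-auth-only"          # what password brute force leaves in the log
    if entry["failed"] == 0 and len(entry["identities"]) == 1:
        return ("repeated-auth-automation" if entry["accepted"] >= rate_threshold
                else "normal")             # one key, one user, many short sessions
    return "mixed"

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry["accepted"], entry["failed"], classify(entry))
```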