[Machinery] Inspecting remote system: ssh access

Matwey V. Kornilov matwey.kornilov at gmail.com
Thu Jul 23 03:32:17 MDT 2015


Hello,

I've found that when I do

machinery inspect --verbose -n name -r machinery ip

machinery creates an ssh session for every single command. On the remote 
side, I see the following (sorry, long log):

Jul 23 09:15:32 linux sshd[24346]: Accepted publickey for machinery from 
192.168.10.232 port 44327 ssh2: RSA 
ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
Jul 23 09:15:32 linux sshd[24346]: pam_unix(sshd:session): session 
opened for user machinery by (uid=0)
Jul 23 09:15:32 linux systemd: pam_unix(systemd-user:session): session 
opened for user machinery by (uid=0)
Jul 23 09:15:32 linux sudo: machinery : TTY=unknown ; 
PWD=/var/lib/machinery ; USER=root ; ENV=LC_ALL=C ; 
COMMAND=/usr/bin/find 
/lib/modules/3.16.7-21-default/kernel/drivers/net/ethernet/neterion/vxge 
-xdev -maxdepth 1 -maxdepth 6 -printf %y\0%P\0%l\0
Jul 23 09:15:32 linux sudo: pam_unix(sudo:session): session opened for 
user root by (uid=0)
Jul 23 09:15:32 linux sudo: pam_unix(sudo:session): session closed for 
user root
Jul 23 09:15:32 linux sshd[24350]: Received disconnect from 
192.168.10.232: 11: disconnected by user
Jul 23 09:15:32 linux sshd[24346]: pam_unix(sshd:session): session 
closed for user machinery
Jul 23 09:15:32 linux systemd: pam_unix(systemd-user:session): session 
closed for user machinery
Jul 23 09:15:33 linux sshd[24381]: Accepted publickey for machinery from 
192.168.10.232 port 44328 ssh2: RSA 
ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
Jul 23 09:15:33 linux sshd[24381]: pam_unix(sshd:session): session 
opened for user machinery by (uid=0)
Jul 23 09:15:33 linux systemd: pam_unix(systemd-user:session): session 
opened for user machinery by (uid=0)
Jul 23 09:15:33 linux sudo: machinery : TTY=unknown ; 
PWD=/var/lib/machinery ; USER=root ; ENV=LC_ALL=C ; 
COMMAND=/usr/bin/find 
/lib/modules/3.16.7-21-default/kernel/drivers/net/can/usb/peak_usb -xdev 
-maxdepth 1 -maxdepth 6 -printf %y\0%P\0%l\0
Jul 23 09:15:33 linux sudo: pam_unix(sudo:session): session opened for 
user root by (uid=0)
Jul 23 09:15:33 linux sudo: pam_unix(sudo:session): session closed for 
user root
Jul 23 09:15:33 linux sshd[24385]: Received disconnect from 
192.168.10.232: 11: disconnected by user
Jul 23 09:15:33 linux sshd[24381]: pam_unix(sshd:session): session 
closed for user machinery
Jul 23 09:15:33 linux systemd: pam_unix(systemd-user:session): session 
closed for user machinery

So, this kind of activity (opening and closing thousands of ssh 
connections) can be mistaken for ssh brute-force or some other kind of 
malicious network activity. And this is an issue, especially if I 
inspect a machine using an ssh connection through the public network. At 
some point I would be blocked by my network management team.

I don't see any limitations on reusing an existing ssh connection; are there any?
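As an added example (not part of this message or of Machinery itself), here is detection logic a defender could run over sshd log lines like the ones above. It separates a burst of accepted publickey logins from one client reusing one key (the pattern machinery produces) from a run of authentication failures, so the former is reported as automation rather than raised as a brute-force alert. The sample log, the thresholds and the function names are constructed assumptions; the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: two machinery-style sessions (same client, same key)
# plus three constructed password failures from an unrelated address.
SAMPLE_LOG = """\
Jul 23 09:15:32 linux sshd[24346]: Accepted publickey for machinery from 192.168.10.232 port 44327 ssh2: RSA ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
Jul 23 09:15:33 linux sshd[24381]: Accepted publickey for machinery from 192.168.10.232 port 44328 ssh2: RSA ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
Jul 23 09:15:40 linux sshd[24390]: Failed password for root from 203.0.113.7 port 50001 ssh2
Jul 23 09:15:41 linux sshd[24391]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2
Jul 23 09:15:42 linux sshd[24392]: Failed password for root from 203.0.113.7 port 50003 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2(?:: (?P<key>.*))?$"
)

def parse_auth_events(text, year=2015):
    """Yield (timestamp, result, method, user, src, key) for sshd auth lines."""
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["method"], m["user"], m["src"], m["key"]

def max_in_window(times, window_s):
    """Largest number of sorted timestamps falling inside any window_s span."""
    best, j = 0, 0
    for i, t in enumerate(times):
        while (t - times[j]).total_seconds() > window_s:
            j += 1
        best = max(best, i - j + 1)
    return best

def classify_sources(text, window_s=60, fail_threshold=3, burst_threshold=2):
    """Per source IP: 'brute-force' when enough failures land in one window,
    'automation' when a burst of accepted publickey logins reuses a single
    key (machinery's per-command sessions), otherwise 'normal'."""
    events = defaultdict(list)
    for ts, result, method, _user, src, key in parse_auth_events(text):
        events[src].append((ts, result, method, key))
    verdicts = {}
    for src, evs in events.items():
        evs.sort()
        fails = [t for t, r, _, _ in evs if r == "Failed"]
        accepts = [(t, k) for t, r, m, k in evs if (r, m) == ("Accepted", "publickey")]
        verdict = "normal"
        if max_in_window(fails, window_s) >= fail_threshold:
            verdict = "brute-force"
        elif max_in_window([t for t, _ in accepts], window_s) >= burst_threshold \
                and len({k for _, k in accepts}) == 1:
            verdict = "automation"   # same key, rapid sessions: tooling, not guessing
        verdicts[src] = verdict
    return verdicts
```

A real deployment would key the rate limiter on failures only, so that a legitimate client running many short accepted sessions is never blocked.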
