[Machinery] Inspecting remote system: ssh access

Thomas Goettlicher tgoettlicher at suse.de
Thu Jul 23 07:05:43 MDT 2015



On 07/23/2015 11:32 AM, Matwey V. Kornilov wrote:
> Hello,
>
> I've found that when I do
>
> machinery inspect --verbose -n name -r machinery ip
>
> machinery creates an ssh session for every single command. On the 
> remote side, I see the following (sorry, long log):
>
> Jul 23 09:15:32 linux sshd[24346]: Accepted publickey for machinery 
> from 192.168.10.232 port 44327 ssh2: RSA 
> ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
> Jul 23 09:15:32 linux sshd[24346]: pam_unix(sshd:session): session 
> opened for user machinery by (uid=0)
> Jul 23 09:15:32 linux systemd: pam_unix(systemd-user:session): session 
> opened for user machinery by (uid=0)
> Jul 23 09:15:32 linux sudo: machinery : TTY=unknown ; 
> PWD=/var/lib/machinery ; USER=root ; ENV=LC_ALL=C ; 
> COMMAND=/usr/bin/find 
> /lib/modules/3.16.7-21-default/kernel/drivers/net/ethernet/neterion/vxge 
> -xdev -maxdepth 1 -maxdepth 6 -printf %y\0%P\0%l\0
> Jul 23 09:15:32 linux sudo: pam_unix(sudo:session): session opened for 
> user root by (uid=0)
> Jul 23 09:15:32 linux sudo: pam_unix(sudo:session): session closed for 
> user root
> Jul 23 09:15:32 linux sshd[24350]: Received disconnect from 
> 192.168.10.232: 11: disconnected by user
> Jul 23 09:15:32 linux sshd[24346]: pam_unix(sshd:session): session 
> closed for user machinery
> Jul 23 09:15:32 linux systemd: pam_unix(systemd-user:session): session 
> closed for user machinery
> Jul 23 09:15:33 linux sshd[24381]: Accepted publickey for machinery 
> from 192.168.10.232 port 44328 ssh2: RSA 
> ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
> Jul 23 09:15:33 linux sshd[24381]: pam_unix(sshd:session): session 
> opened for user machinery by (uid=0)
> Jul 23 09:15:33 linux systemd: pam_unix(systemd-user:session): session 
> opened for user machinery by (uid=0)
> Jul 23 09:15:33 linux sudo: machinery : TTY=unknown ; 
> PWD=/var/lib/machinery ; USER=root ; ENV=LC_ALL=C ; 
> COMMAND=/usr/bin/find 
> /lib/modules/3.16.7-21-default/kernel/drivers/net/can/usb/peak_usb 
> -xdev -maxdepth 1 -maxdepth 6 -printf %y\0%P\0%l\0
> Jul 23 09:15:33 linux sudo: pam_unix(sudo:session): session opened for 
> user root by (uid=0)
> Jul 23 09:15:33 linux sudo: pam_unix(sudo:session): session closed for 
> user root
> Jul 23 09:15:33 linux sshd[24385]: Received disconnect from 
> 192.168.10.232: 11: disconnected by user
> Jul 23 09:15:33 linux sshd[24381]: pam_unix(sshd:session): session 
> closed for user machinery
> Jul 23 09:15:33 linux systemd: pam_unix(systemd-user:session): session 
> closed for user machinery
>
> So, this kind of activity (opening and closing thousands of ssh 
> connections) can be mistaken for ssh brute-force or some other kind of 
> malicious network activity. And this is an issue, especially if I 
> inspect a machine using an ssh connection through the public network. At 
> the specific moment I would be blocked by my network management team.
>
> I don't see limitations on reusing an existing ssh connection; are there any?

Thanks for your feedback.

Machinery opens multiple connections because of its current design:
Machinery runs a standard Linux command on the remote host and processes 
the command's output. Depending on the result it runs the next command 
on the remote host. That happens again and again. This leads to multiple 
ssh connections.

Let us evaluate what we can do about it.

Cheers,
Thomas


-- 
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany
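For the detection side of the concern raised in the quoted message (per-command ssh sessions being mistaken for a brute-force attempt), here is an added example in Python that is not from this thread or the Machinery project: it parses sshd lines in the quoted format and separates repeated successful publickey sessions from a burst of failed logins. The sample lines are constructed, 203.0.113.7 is a placeholder address, and the label names and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the sshd lines quoted above: 192.168.10.232 and the
# fingerprint are from the quoted log, 203.0.113.7 is a made-up password-guessing source.
SAMPLE_LOG = """\
Jul 23 09:15:32 linux sshd[24346]: Accepted publickey for machinery from 192.168.10.232 port 44327 ssh2: RSA ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
Jul 23 09:15:32 linux sshd[24350]: Received disconnect from 192.168.10.232: 11: disconnected by user
Jul 23 09:15:33 linux sshd[24381]: Accepted publickey for machinery from 192.168.10.232 port 44328 ssh2: RSA ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
Jul 23 09:15:34 linux sshd[24390]: Accepted publickey for machinery from 192.168.10.232 port 44329 ssh2: RSA ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
Jul 23 09:15:40 linux sshd[24402]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jul 23 09:15:41 linux sshd[24403]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jul 23 09:15:42 linux sshd[24404]: Failed password for root from 203.0.113.7 port 51002 ssh2
"""

ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+ ssh2(?:: (\w+) (\S+))?")
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+")


def summarize(log_text):
    """Per source address: accepted/failed auth counts, users seen, key fingerprints used."""
    stats = defaultdict(lambda: {"accepted": 0, "failed": 0, "users": set(), "keys": set()})
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            _method, user, ip, _keytype, fingerprint = m.groups()
            stats[ip]["accepted"] += 1
            stats[ip]["users"].add(user)
            if fingerprint:
                stats[ip]["keys"].add(fingerprint)
            continue
        m = FAILED.search(line)
        if m:
            _method, user, ip = m.groups()
            stats[ip]["failed"] += 1
            stats[ip]["users"].add(user)
    return dict(stats)


def classify(s, threshold):
    """Repeated successes with one key, one user and no failures is tool churn like the
    per-command sessions quoted above; a burst of failures is what guessing looks like."""
    if s["failed"] >= threshold:
        return "guessing-like"
    if s["accepted"] >= threshold and s["failed"] == 0 and len(s["keys"]) == 1 and len(s["users"]) == 1:
        return "tooling-churn"
    return "normal"
```

A per-source rule that only counts connections would fire on both addresses; splitting accepted from failed events and checking key and user diversity keeps the inspection run from looking like the guessing source.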
