[Machinery] Inspecting remote system: ssh access

Matwey V. Kornilov matwey.kornilov at gmail.com
Thu Oct 8 07:40:20 MDT 2015


On 23.07.2015 16:05, Thomas Goettlicher wrote:
>
>
> On 07/23/2015 11:32 AM, Matwey V. Kornilov wrote:
>> Hello,
>>
>> I've found that when I do
>>
>> machinery inspect --verbose -n name -r machinery ip
>>
>> machinery creates an ssh session for every single command. On the
>> remote side, I see the following (sorry, long log):
>>
>> Jul 23 09:15:32 linux sshd[24346]: Accepted publickey for machinery
>> from 192.168.10.232 port 44327 ssh2: RSA
>> ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
>> Jul 23 09:15:32 linux sshd[24346]: pam_unix(sshd:session): session
>> opened for user machinery by (uid=0)
>> Jul 23 09:15:32 linux systemd: pam_unix(systemd-user:session): session
>> opened for user machinery by (uid=0)
>> Jul 23 09:15:32 linux sudo: machinery : TTY=unknown ;
>> PWD=/var/lib/machinery ; USER=root ; ENV=LC_ALL=C ;
>> COMMAND=/usr/bin/find
>> /lib/modules/3.16.7-21-default/kernel/drivers/net/ethernet/neterion/vxge
>> -xdev -maxdepth 1 -maxdepth 6 -printf %y\0%P\0%l\0
>> Jul 23 09:15:32 linux sudo: pam_unix(sudo:session): session opened for
>> user root by (uid=0)
>> Jul 23 09:15:32 linux sudo: pam_unix(sudo:session): session closed for
>> user root
>> Jul 23 09:15:32 linux sshd[24350]: Received disconnect from
>> 192.168.10.232: 11: disconnected by user
>> Jul 23 09:15:32 linux sshd[24346]: pam_unix(sshd:session): session
>> closed for user machinery
>> Jul 23 09:15:32 linux systemd: pam_unix(systemd-user:session): session
>> closed for user machinery
>> Jul 23 09:15:33 linux sshd[24381]: Accepted publickey for machinery
>> from 192.168.10.232 port 44328 ssh2: RSA
>> ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
>> Jul 23 09:15:33 linux sshd[24381]: pam_unix(sshd:session): session
>> opened for user machinery by (uid=0)
>> Jul 23 09:15:33 linux systemd: pam_unix(systemd-user:session): session
>> opened for user machinery by (uid=0)
>> Jul 23 09:15:33 linux sudo: machinery : TTY=unknown ;
>> PWD=/var/lib/machinery ; USER=root ; ENV=LC_ALL=C ;
>> COMMAND=/usr/bin/find
>> /lib/modules/3.16.7-21-default/kernel/drivers/net/can/usb/peak_usb
>> -xdev -maxdepth 1 -maxdepth 6 -printf %y\0%P\0%l\0
>> Jul 23 09:15:33 linux sudo: pam_unix(sudo:session): session opened for
>> user root by (uid=0)
>> Jul 23 09:15:33 linux sudo: pam_unix(sudo:session): session closed for
>> user root
>> Jul 23 09:15:33 linux sshd[24385]: Received disconnect from
>> 192.168.10.232: 11: disconnected by user
>> Jul 23 09:15:33 linux sshd[24381]: pam_unix(sshd:session): session
>> closed for user machinery
>> Jul 23 09:15:33 linux systemd: pam_unix(systemd-user:session): session
>> closed for user machinery
>>
>> So, this kind of activity (opening and closing thousands of ssh
>> connections) can be mistaken for ssh brute-force or some other kind of
>> malicious network activity. And this is an issue, especially if I
>> inspect a machine using an ssh connection through the public network. At
>> some moment I would be blocked by my network management team.
>>
>> I don't see limitations to reuse existing ssh connection, are there any?
> Thanks for your feedback.
>
> Machinery opens multiple connections because of its current design:
> Machinery runs a standard Linux command on the remote host and processes
> the command's output. Depending on the result it runs the next command
> on the remote host. That happens again and again. This leads to multiple
> ssh connections.
>
> Let us evaluate what we can do about it.

At least SSH multiplexing with ControlMaster/ControlPersist can be used.
This will reduce the number of TCP/IP connections. It could be a partial
solution.

>
> Cheers,
> Thomas
>
>>
>>
>> _______________________________________________
>> Machinery mailing list
>> Machinery at lists.suse.com
>> http://lists.suse.com/mailman/listinfo/machinery
>
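The detection side of the concern raised in this thread, as an added example that is not part of the mailing-list exchange or of the Machinery project: a small log analyser that reads sshd authentication lines, aggregates them per source address, and separates "many short-lived sessions that all succeed with the same public key" (what a per-command inspection run looks like) from "many failures and no successes" (what password guessing looks like). The sample log is constructed: the 192.168.10.232 lines are modelled on the sshd lines quoted above, while the failed-password lines from 203.0.113.7 are invented for contrast. The function names (`summarize`, `classify`, `rate_per_minute`, `report`) and the label strings are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. The 192.168.10.232 lines follow the sshd lines quoted
# in the thread; the 203.0.113.7 lines are invented to show the contrasting case.
SAMPLE_LOG = """\
Jul 23 09:15:32 linux sshd[24346]: Accepted publickey for machinery from 192.168.10.232 port 44327 ssh2: RSA ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
Jul 23 09:15:32 linux sshd[24346]: pam_unix(sshd:session): session opened for user machinery by (uid=0)
Jul 23 09:15:32 linux sshd[24350]: Received disconnect from 192.168.10.232: 11: disconnected by user
Jul 23 09:15:32 linux sshd[24346]: pam_unix(sshd:session): session closed for user machinery
Jul 23 09:15:33 linux sshd[24381]: Accepted publickey for machinery from 192.168.10.232 port 44328 ssh2: RSA ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
Jul 23 09:15:33 linux sshd[24381]: pam_unix(sshd:session): session opened for user machinery by (uid=0)
Jul 23 09:15:33 linux sshd[24385]: Received disconnect from 192.168.10.232: 11: disconnected by user
Jul 23 09:15:33 linux sshd[24381]: pam_unix(sshd:session): session closed for user machinery
Jul 23 09:15:33 linux sshd[24390]: Failed password for invalid user admin from 203.0.113.7 port 50001 ssh2
Jul 23 09:15:34 linux sshd[24392]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2
Jul 23 09:15:34 linux sshd[24394]: Failed password for root from 203.0.113.7 port 50003 ssh2
"""

# Syslog-style timestamp ("Jul 23 09:15:32"); the year is not present, so only
# differences between timestamps are meaningful.
SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
ACCEPTED = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")
FAILED = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def _parse_ts(text):
    return datetime.strptime(text, "%b %d %H:%M:%S")


def summarize(log_text):
    """Per-source-IP counts of accepted and failed sshd authentications."""
    per_ip = defaultdict(lambda: {"accepted": 0, "failed": 0, "users": set(),
                                  "methods": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        for kind, rx in (("accepted", ACCEPTED), ("failed", FAILED)):
            m = rx.match(line)
            if not m:
                continue
            st = per_ip[m["ip"]]
            st[kind] += 1
            st["users"].add(m["user"])
            st["methods"].add(m["method"])
            ts = _parse_ts(m["ts"])
            st["first"] = ts if st["first"] is None else min(st["first"], ts)
            st["last"] = ts if st["last"] is None else max(st["last"], ts)
    return dict(per_ip)


def classify(stats, min_events=10):
    """Label one source's activity once it has produced at least min_events attempts.

    A single user authenticating repeatedly with a public key and never failing is
    automation churn (one ssh session per command), not credential guessing; a
    source that only ever fails is the brute-force pattern.
    """
    total = stats["accepted"] + stats["failed"]
    if total < min_events:
        return "below-threshold"
    if (stats["failed"] == 0 and len(stats["users"]) == 1
            and stats["methods"] == {"publickey"}):
        return "authenticated-churn"
    if stats["accepted"] == 0:
        return "brute-force-like"
    return "mixed"


def rate_per_minute(stats):
    """Authentication attempts per minute over the span the source was active."""
    span = (stats["last"] - stats["first"]).total_seconds()
    return (stats["accepted"] + stats["failed"]) * 60.0 / max(span, 1.0)


def report(log_text, min_events=10):
    return {ip: classify(st, min_events) for ip, st in summarize(log_text).items()}


if __name__ == "__main__":
    for ip, st in summarize(SAMPLE_LOG).items():
        print(f"{ip}: accepted={st['accepted']} failed={st['failed']} "
              f"users={sorted(st['users'])} rate={rate_per_minute(st):.0f}/min "
              f"-> {classify(st, min_events=2)}")
```

A rate-only rule (connections per minute from one address) cannot tell these two sources apart, which is exactly the false-positive Matwey worries about; keying the rule on the outcome and method of authentication can. With the ControlMaster/ControlPersist multiplexing he suggests, the per-command commands ride over one persisted connection, so an inspection run produces a single "Accepted publickey" line rather than one per command, and the churn classification disappears on its own.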