[Machinery] Inspecting remote system: ssh access

Thomas Goettlicher tgoettlicher at suse.de
Thu Oct 8 08:15:38 MDT 2015


On 10/08/2015 03:40 PM, Matwey V. Kornilov wrote:
> 23.07.2015 16:05, Thomas Goettlicher wrote:
>>
>>
>> On 07/23/2015 11:32 AM, Matwey V. Kornilov wrote:
>>> Hello,
>>>
>>> I've found that when I do
>>>
>>> machinery inspect --verbose -n name -r machinery ip
>>>
>>> machinery creates an ssh session for every single command. On the
>>> remote side, I see the following (sorry, long log):
>>>
>>> Jul 23 09:15:32 linux sshd[24346]: Accepted publickey for machinery
>>> from 192.168.10.232 port 44327 ssh2: RSA
>>> ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
>>> Jul 23 09:15:32 linux sshd[24346]: pam_unix(sshd:session): session
>>> opened for user machinery by (uid=0)
>>> Jul 23 09:15:32 linux systemd: pam_unix(systemd-user:session): session
>>> opened for user machinery by (uid=0)
>>> Jul 23 09:15:32 linux sudo: machinery : TTY=unknown ;
>>> PWD=/var/lib/machinery ; USER=root ; ENV=LC_ALL=C ;
>>> COMMAND=/usr/bin/find
>>> /lib/modules/3.16.7-21-default/kernel/drivers/net/ethernet/neterion/vxge
>>> -xdev -maxdepth 1 -maxdepth 6 -printf %y\0%P\0%l\0
>>> Jul 23 09:15:32 linux sudo: pam_unix(sudo:session): session opened for
>>> user root by (uid=0)
>>> Jul 23 09:15:32 linux sudo: pam_unix(sudo:session): session closed for
>>> user root
>>> Jul 23 09:15:32 linux sshd[24350]: Received disconnect from
>>> 192.168.10.232: 11: disconnected by user
>>> Jul 23 09:15:32 linux sshd[24346]: pam_unix(sshd:session): session
>>> closed for user machinery
>>> Jul 23 09:15:32 linux systemd: pam_unix(systemd-user:session): session
>>> closed for user machinery
>>> Jul 23 09:15:33 linux sshd[24381]: Accepted publickey for machinery
>>> from 192.168.10.232 port 44328 ssh2: RSA
>>> ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
>>> Jul 23 09:15:33 linux sshd[24381]: pam_unix(sshd:session): session
>>> opened for user machinery by (uid=0)
>>> Jul 23 09:15:33 linux systemd: pam_unix(systemd-user:session): session
>>> opened for user machinery by (uid=0)
>>> Jul 23 09:15:33 linux sudo: machinery : TTY=unknown ;
>>> PWD=/var/lib/machinery ; USER=root ; ENV=LC_ALL=C ;
>>> COMMAND=/usr/bin/find
>>> /lib/modules/3.16.7-21-default/kernel/drivers/net/can/usb/peak_usb
>>> -xdev -maxdepth 1 -maxdepth 6 -printf %y\0%P\0%l\0
>>> Jul 23 09:15:33 linux sudo: pam_unix(sudo:session): session opened for
>>> user root by (uid=0)
>>> Jul 23 09:15:33 linux sudo: pam_unix(sudo:session): session closed for
>>> user root
>>> Jul 23 09:15:33 linux sshd[24385]: Received disconnect from
>>> 192.168.10.232: 11: disconnected by user
>>> Jul 23 09:15:33 linux sshd[24381]: pam_unix(sshd:session): session
>>> closed for user machinery
>>> Jul 23 09:15:33 linux systemd: pam_unix(systemd-user:session): session
>>> closed for user machinery
>>>
>>> So, this kind of activity (opening and closing thousands of ssh
>>> connections) can be mistaken for ssh brute-force or some other kind of
>>> malicious network activity. And this is an issue, especially if I
>>> inspect a machine using an ssh connection through the public network. At
>>> the specific moment I would be blocked by my network management team.
>>>
>>> I don't see limitations to reusing an existing ssh connection; are there
>>> any?
>> Thanks for your feedback.
>>
>> Machinery opens multiple connections because of its current design:
>> Machinery runs a standard linux command on the remote host and processes
>> the command's output. Depending on the result it runs the next command
>> on the remote host. That happens again and again. This leads to multiple
>> ssh connections.
>>
>> Let us evaluate what we can do about it.
>
> At least SSH multiplexing with ControlMaster/ControlPersist can be
> used. This will reduce the number of TCP/IP connections. It could be a
> partial solution.

Good point.

Reusing the ssh connection requires at least version 4 of openssh on the 
server.

One can make use of this ssh feature as follows for now:

1. $ ssh -o ControlMaster=auto -o ControlPath=~/.ssh/socket%r@%h-%p -o ControlPersist=600 root@host
2. enter password
3. log out
4. $ machinery inspect host

>> Cheers,
>> Thomas
>>> _______________________________________________
>>> Machinery mailing list
>>> Machinery at lists.suse.com
>>> http://lists.suse.com/mailman/listinfo/machinery

-- 
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany
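As an added illustration of the detection side of this thread (this is example code, not part of the mailing-list discussion and not Machinery's own code): the sshd lines quoted above are all "Accepted publickey" events for one user and one key, which is what distinguishes a tool opening many short authenticated sessions from a password brute-force, where the log fills with "Failed password" lines instead. The script below reads syslog-style sshd lines, aggregates them per source address and applies that distinction. The sample log is constructed: the two quoted sessions re-joined onto single lines, plus three made-up "Failed password" lines from a second, invented address for contrast. The thresholds are deliberately tiny so the sample triggers them; real deployments would tune them to their own rates.

```python
import re
from datetime import datetime

# Constructed sample log: the two "machinery" sessions quoted in the thread
# (syslog wraps re-joined) plus three constructed "Failed password" lines
# from an invented second source address.
SAMPLE_LOG = """\
Jul 23 09:15:32 linux sshd[24346]: Accepted publickey for machinery from 192.168.10.232 port 44327 ssh2: RSA ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
Jul 23 09:15:32 linux sshd[24346]: pam_unix(sshd:session): session opened for user machinery by (uid=0)
Jul 23 09:15:32 linux sshd[24350]: Received disconnect from 192.168.10.232: 11: disconnected by user
Jul 23 09:15:32 linux sshd[24346]: pam_unix(sshd:session): session closed for user machinery
Jul 23 09:15:33 linux sshd[24381]: Accepted publickey for machinery from 192.168.10.232 port 44328 ssh2: RSA ad:f5:1f:20:2e:6a:ec:7c:1d:7a:d8:35:71:86:1b:be [MD5]
Jul 23 09:15:33 linux sshd[24381]: pam_unix(sshd:session): session opened for user machinery by (uid=0)
Jul 23 09:15:33 linux sshd[24385]: Received disconnect from 192.168.10.232: 11: disconnected by user
Jul 23 09:15:33 linux sshd[24381]: pam_unix(sshd:session): session closed for user machinery
Jul 23 09:15:40 linux sshd[24400]: Failed password for invalid user admin from 10.0.0.5 port 51000 ssh2
Jul 23 09:15:41 linux sshd[24402]: Failed password for root from 10.0.0.5 port 51001 ssh2
Jul 23 09:15:41 linux sshd[24404]: Failed password for root from 10.0.0.5 port 51002 ssh2
"""

# Authentication outcome lines. Session open/close and disconnect lines
# carry no source address and are skipped by the parser.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Key type and fingerprint, present only on public-key logins.
KEY_RE = re.compile(r"ssh2: (?P<ktype>\w+) (?P<fp>\S+)")


def parse_ts(ts):
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # because only differences within one excerpt are used
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")


def summarize(log_text):
    """Aggregate sshd authentication events per source IP."""
    per_ip = {}
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        s = per_ip.setdefault(m["ip"], {
            "accepted": 0, "failed": 0, "users": set(), "keys": set(),
            "first": None, "last": None,
        })
        s["accepted" if m["result"] == "Accepted" else "failed"] += 1
        s["users"].add(m["user"])
        k = KEY_RE.search(line)
        if k:
            s["keys"].add(k["fp"])
        t = parse_ts(m["ts"])
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    for s in per_ip.values():
        s["span_seconds"] = int((s["last"] - s["first"]).total_seconds())
    return per_ip


def classify(summary, churn_threshold=2, fail_threshold=3):
    """Label each source. Thresholds are tiny so the sample triggers them."""
    labels = {}
    for ip, s in summary.items():
        if s["failed"] >= fail_threshold:
            # repeated failures: the actual brute-force signature
            labels[ip] = "brute-force-like"
        elif (s["accepted"] >= churn_threshold and s["failed"] == 0
              and len(s["users"]) == 1 and len(s["keys"]) == 1):
            # many successful logins, one user, one key, no failures:
            # a tool reconnecting per command, the case in this thread
            labels[ip] = "authenticated session churn"
        else:
            labels[ip] = "normal"
    return labels


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, label in classify(summary).items():
        s = summary[ip]
        print(f"{ip}: {label} (accepted={s['accepted']}, failed={s['failed']}, "
              f"span={s['span_seconds']}s, users={sorted(s['users'])})")
```

The "authenticated session churn" label is the one a monitoring team would want to treat differently from a brute-force alert: the sessions are all legitimately authenticated, and the fix lives on the client side (connection reuse via ControlMaster/ControlPersist as discussed above), not in blocking the source.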
