HP Linux Server Management Software User Manual

ckill    allows the administrator to signal a process by name, since the pid of a specific
         process will vary across a set of systems or the members of a cluster.

cuptime  displays the uptime statistics for a set of systems or a cluster.

cwall    displays a wall(1) broadcast message on multiple hosts.

All the wrappers support the CFANOUT_HOSTS environment variable when not executing in
a Serviceguard cluster. The environment variable specifies a file containing the list of hosts to
target, one hostname per line. This will be used if no other host specifications are present on the
command line. When no target nodelist command line options are used and CFANOUT_HOSTS
is undefined, the command will be executed on the local host.

For more information on these commands, refer to their reference manpages.

4.3 Security Configuration

The command fanout tools support both remote shell (rsh or rcmd) and ssh transports. Each
requires specific security setup steps in order to authorize the user initiating the command fanout
operation to execute a command on the remote target systems. The command fanout tools require
that the remote system not prompt for a password. Both rsh and ssh transports must be
preconfigured on each remote system to allow non-interactive access. The following sections
describe the required setup steps to enable command fanout operations for each transport.

4.3.1 Remote Shell Security Setup

When using the remote shell command transport, the local user must have a $HOME/.rhosts
file configured on each remote target system. Refer to the rhosts(4) reference manpage for details
on configuring the $HOME/.rhosts file.

4.3.2 ssh Security Setup

ssh uses public host keys to authenticate remote hosts and supports public key authentication
to authenticate users. When users' public keys are properly configured on a set of remote systems,
they can access those systems without being prompted for a password. Manually configuring ssh
for non-interactive access is a multistep process in which ssh configuration files are edited on
each system. The csshsetup tool greatly simplifies configuring ssh trust relationships. For
example, when using the command fanout tools in a Serviceguard cluster, you typically want
to be able to issue commands from any member and target any other member. This requires an
n^2 distribution of ssh public keys: every member's public key must be authorized on every other
member. Start by creating a text file listing the members of the cluster, one per line. Invoke
csshsetup using this file. Note that this command needs to be issued only once, since it
configures each member of the cluster:

# csshsetup -r -f members_list.txt

The -r option instructs csshsetup to distribute the keys in a round-robin (n^2) fashion. The
user is prompted for a password on each remote host, after which csshsetup automates the
entire public key distribution process.

Note that csshsetup is not specific to Serviceguard clusters; it can be used for arbitrary groups
of systems. Also, the trust relationship does not have to be bidirectional. Omit the -r option
when setting up a one-way trust relationship between the current host and a set of remote target
hosts. For additional details, refer to the csshsetup(1) reference manpage.
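After csshsetup has run, the property the fanout tools actually depend on is that every required ssh hop completes with no prompt at all. The following shell example is added here and is not code from the manual or from csshsetup: it enumerates the directed trust pairs a members file implies, for both the -r (n^2) case and the one-way case, and tests each pair with ssh in BatchMode, which fails instead of prompting for a password or an unknown host key. The function names (members, trust_pairs, check_trust) and the FANOUT_SELF variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the HP manual or from csshsetup itself.
# Enumerates the trust relationships csshsetup is expected to create from
# a members file and verifies each one the way the fanout tools use it:
# ssh with BatchMode=yes, which fails rather than prompting for a password
# or an unknown host key.  Function names are hypothetical.

# members FILE: hostnames from a one-per-line file, ignoring blanks and comments.
members() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# trust_pairs FILE [oneway]
# Prints "source target" lines.  The default mirrors `csshsetup -r`: every
# member must reach every other, n*(n-1) directed pairs.  With "oneway" it
# mirrors plain csshsetup: only this host (FANOUT_SELF, or the output of
# hostname, an assumption of this example) to each listed member.
trust_pairs() {
    self=${FANOUT_SELF:-$(hostname)}
    hosts=$(members "$1")
    if [ "${2:-full}" = oneway ]; then
        for dst in $hosts; do
            [ "$dst" = "$self" ] || echo "$self $dst"
        done
    else
        for src in $hosts; do
            for dst in $hosts; do
                [ "$src" = "$dst" ] || echo "$src $dst"
            done
        done
    fi
}

# check_trust FILE [oneway]: try every pair non-interactively.  Pairs that
# originate on another member are tested by hopping through that member
# with a nested ssh, which uses the key csshsetup installed there.
# Returns non-zero if any pair would have prompted.  Needs real hosts.
check_trust() {
    self=${FANOUT_SELF:-$(hostname)}
    fails=0
    for pair in $(trust_pairs "$1" "$2" | tr ' ' ','); do
        src=${pair%,*}
        dst=${pair#*,}
        if [ "$src" = "$self" ]; then
            ssh -o BatchMode=yes -o ConnectTimeout=5 "$dst" true 2>/dev/null
            rc=$?
        else
            ssh -o BatchMode=yes -o ConnectTimeout=5 "$src" \
                ssh -o BatchMode=yes -o ConnectTimeout=5 "$dst" true 2>/dev/null
            rc=$?
        fi
        if [ "$rc" -eq 0 ]; then
            echo "ok    $src -> $dst"
        else
            echo "FAIL  $src -> $dst (would prompt for a password or host key)"
            fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ]
}

# Usage on a cluster member, after `csshsetup -r -f members_list.txt`:
#   check_trust members_list.txt          # full n^2 mesh
#   check_trust members_list.txt oneway   # this host to each member only
```

Run check_trust from the same account that will run the fanout commands; a pair that works for root but not for that user is a failure the wrappers will hit.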

4.3.3 Security Notes

The remote shell protocol is an inherently insecure protocol: it authenticates the caller by the
trusted source address and the user name the client supplies, and it carries everything in clear
text. It is the protocol used by the Berkeley "r commands," rlogin, rcp, remsh, and so on. Many
system administrators disable the use of the "r" commands as a matter of policy. For example, the
Bastille security hardening tool offers a default option to disable these insecure services. If they
are disabled, the pdsh -R rsh option to use the remote shell transport will not work.
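The two things to check before relying on the remote shell transport are the rhosts-format trust files from 4.3.1 and whether the r-services are still offered at all. The following shell example is added here and is not code from the manual, from rshd or from Bastille: it flags wildcard entries in an rhosts file, checks the file ownership and permissions that rshd implementations commonly require before honouring it, and reports r-services still enabled in xinetd or inetd. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the HP manual, rshd or Bastille.  Audits what
# the remote-shell transport depends on: the rhosts-format trust files
# (4.3.1) and whether the r-services are enabled at all (4.3.3).
# Function names are hypothetical.

# rhosts_issues FILE: print one line per risky entry in an rhosts-format
# file ($HOME/.rhosts or /etc/hosts.equiv).  Each entry is "host [user]";
# a "+" in the host field trusts every host, a "+" in the user field
# trusts every user on that host.  Returns 1 if anything was flagged.
rhosts_issues() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 == "+" { print FILENAME ": line " NR ": any host trusted"; n++ }
        $2 == "+" { print FILENAME ": line " NR ": any user trusted from " $1; n++ }
        END { if (n) exit 1 }
    ' "$1"
}

# rhosts_perms_ok FILE: rshd implementations commonly ignore a .rhosts that
# is a symlink, not owned by the user, or writable by group or others, so a
# setup that works on one member can silently stop working on another.
rhosts_perms_ok() {
    f=$1
    ok=0
    [ -L "$f" ] && { echo "$f: is a symlink"; ok=1; }
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    owner=$(ls -ld "$f" | awk '{ print $3 }')   # portable; stat flags differ by OS
    me=$(id -un)
    [ "$owner" = "$me" ] || { echo "$f: owned by $owner, not $me"; ok=1; }
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$f: writable by group or others"; ok=1
    fi
    return $ok
}

# rsh_services_enabled: report r-services still offered by xinetd or inetd.
# Returns 0 if any are enabled (pdsh -R rsh could work), 1 if none are.
rsh_services_enabled() {
    any=1
    for svc in rsh rlogin rexec; do
        cf=/etc/xinetd.d/$svc
        [ -f "$cf" ] || continue
        if ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$cf"; then
            echo "$svc: enabled in $cf"; any=0
        fi
    done
    if grep -E '^[[:space:]]*(shell|login|exec)[[:space:]]' /etc/inetd.conf 2>/dev/null; then
        any=0
    fi
    return $any
}

# Usage on each remote target, as the fanout user:
#   rhosts_issues "$HOME/.rhosts"; rhosts_perms_ok "$HOME/.rhosts"
#   rsh_services_enabled || echo "r-services disabled: pdsh -R rsh will not work"
```

A clean rhosts_issues run only means no wildcard entries; the named hosts are still trusted purely on their source address, which is the weakness the section above describes.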
