1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
|
gagmacrowarning(cron argument phrase key passphrase)
includefile(../../release.yo)
htmlbodyopt(text)(#27408B)
htmlbodyopt(bgcolor)(#FFFAF0)
gagmacrowarning(ssh-cron)
mailto(f.b.brokken@rug.nl)
DEFINEMACRO(lsoption)(3)(\
bf(--ARG1)=tt(ARG3) (bf(-ARG2))\
)
DEFINEMACRO(laoption)(2)(\
bf(--ARG1)=tt(ARG2)\
)
DEFINEMACRO(loption)(1)(\
bf(--ARG1)\
)
DEFINEMACRO(soption)(1)(\
bf(-ARG1)\
)
DEFINEMACRO(s)(0)(bf(ssh-cron))
DEFINEMACRO(S)(0)(bf(Ssh-Cron))
DELETEMACRO(tt)
DEFINEMACRO(tt)(1)(em(ARG1))
manpage(ssh-cron)(1)(_CurYrs_)(ssh-cron__CurVers_)
(ssh-cron - ssh-aware cron-like daemon)
manpagename(ssh-cron)(cron-like daemon able to use ssh-connections)
manpagesynopsis()
bf(ssh-cron) [OPTIONS] tt([crontab-file]) nl()
[OPTIONS] - cf. section bf(OPTIONS)nl()
[crontab-file] - file containing jobs to run.nl()
manpagedescription()
Consider the situation where a computer every now and then must access a
remote computer to do some useful things at that remote computer (like running
a bf(stealth)(1) file integrity scan). In order to do so the computer must be
allowed to make bf(ssh)(1) connections to the remote computer. But since the
commands are not executed by the user but by bf(cron)(1), the ssh-keys which
are required to access the remote computer cannot use passphrases.
This is an undesirable situation: if the computer running the tt(ssh) commands
gets compromised, then the remote computers are compromised as well, since the
attacker may access these remote systems using ssh keys not requiring pass
phrases.
S() offers a way out of this undesirable situation, while still allowing
commands to be executed on remote computers. Here's how this is realized:
itemization(
it() Normally, s() runs as a daemon program. When s() starts it first
reads and parses a crontab-like specification file. Following this,
s() spawns a child process, and terminates.
it() S()'s daemon process itself spawns an bf(ssh-agent)(1) child
process, executing all scheduled commands.
it() In addition, s()'s daemon defines communication channels between
itself and its bf(ssh-agent)(1) child process;
it() S()'s daemon sends the command bf(ssh-add)(1) to its child process as
its first command to execute, and using normal user-interaction means
(e.g., using bf(ssh-askpass)(1)) em(ssh-agent) is provided with the
required passphrase(s) for the ssh key(s).
it() S()'s daemon now monitors the time, firing off scheduled commands at
their required moments in time. If these commands require access to
remote computers, then this access is granted, as em(ssh-agent) is able
to provide the passphrase(s).
it() If an s() daemon process is already running, then the tt(--reload)
option (see below), can be used to load the s() daemon with the
commands and environment variable settings from another
tt(crontab-file), replacing the currently stored commands and
environment settings by the ones provided in the reloaded file.
)
When shell control characters (like redirection symbols) must be used in
command specifications, they should be escaped. E.g., as in tt(echo hello
world \> /dev/null).
Users sharing a computer each define their own s() specification file. When a
user logs out and leaves the
system the daemon process continues to run, executing its scheduled commands
at their scheduled times, using ssh-keys whenever required.
If the accounts for which s() jobs are running are ever compromised,
the remote computers remain safe, as the passphrases of the available
ssh-keys remain unavailable.
To prevent unauthorized modifications of the commands scheduled by the s()
daemon themselves a passphrase is required when starting s()'s daemon
process. The passphrase itself is not stored by the daemon (instead, it
stores a bf(sha256)(1) hash value), which avoids access to the s() daemon's
passphrase by browsing the computer's memory. The passphrase must be at least
10 characters long and must be provided when reloading s()
daemon's scheduled commands. The scheduled commands may be listed,
however. This is allowed without providing a passphrase since the file
containing the scheduled commands will usually also be available on the
computer. Likewise, since a user may always terminate his/her own programs an
s() daemon process can be terminated from another s() program using the
tt(--terminate) command line option.
The above mentioned facilities are not supported by bf(crontab)(1) itself.
bf(Cron)(1), which is responsible for executing scheduled crontab commands,
has no access to the passphrases of ssh-keys (which are otherwise provided
em(ssh-agent)).
manpagesection(RETURN VALUE)
S() returns 0 if the daemon was successfully started. Otherwise 1 is
returned.
manpageoptions()
Where available, single letter options are listed between parentheses
following their associated long-option variants. Single letter options require
arguments if their associated long options also require arguments.
Several options have default values. Run tt(ssh-cron --help) for an overview
of the implemented default option values. Also, several options can be
specified in a configuration file (where this doesn't hold true, it is
explicitly mentioned at the relevant options).
The configuration file (not to be confused with the file containing the
scheduled commands, which is provided as s() command-line file argument)
ignores empty lines and all information on lines starting at a hash-mark
(tt(#), optionally preceded by blanks and/or tabs). The configuration file is
used to specify s()'s options using their long variants. However, in the
configuration file the initial hyphens of command-line options must be
omitted, and optionally a colon may be appended to these long options
names. Note that multi-word option arguments should not be surrounded by
quotes. Examples:
verb(
stdout
syslog-facility: LOCAL0
mailer: /usr/bin/mail -s "some subject" me@myhost.warpnet.nl
)
Command-line options always override configuration file options.
itemization(
it() laoption(agent)(agent)nl()
absolute path to the agent program (plus its argument(s)) providing the
ssh-keys.
By default tt(/usr/bin/ssh-agent /bin/bash) is used.
it() lsoption(config)(c)(path)nl()
config file containing long option specifications.
By default tt(~/.ssh-cron) is used.
This option cannot be specified in the configuration file.
it() loption(forced) (soption(f))nl()
When restarting s() and an existing (leftover) ipc-file file
exists, then the user is interactively given the opportunity to remove
the existing ipc-file during daemon-startup.
it() loption(help) (soption(h))nl()
basic usage information is written to the standard output
stream (only interpreted in combination with tt(--no-daemon)).
This option cannot be specified in the configuration file.
it() lsoption(ipc-file)(p)(path)nl()
when s() runs as a daemon, then tt(path) specifies the path of the file
holding the daemon's shared memory ID and process ID. The ipc file
must be available if s() is connecting to or starting a daemon process
(the former situation occurs with the options tt(--list, --reload),
and tt(--terminate)). If s() detects an existing tt(ipc-file) at
daemon startup and the option tt(--forced) was not specified, then the
user is interactively given the opportunity to remove the existing
file. If the existing ipc-file can or should not be removed, then the
daemon is not started. To end a daemon process use tt(ssh-cron
--terminate), or send a SIGINT (tt(ctrl-C)) or SIGTERM signal to the
process-id found as the second value in the tt(ipc-file).
By default tt(~/.ssh-cron.ipc) is used.
it() loption(list) (soption(l))nl()
list the currently defined environment settings and cron-commands (the
tt(crontab-file) argument must be omitted). This option is
incompatible with (--no-daemon, --reload,) and tt(--terminate).
This option cannot be specified in the configuration file.
it() lsoption(log)(L)(path)nl()
log messages are appended to tt(path). If tt(path) does not exist, it
is created first.
it() lsoption(mailer)(m)(command)nl()
information written to the standard output or standard error streams of
the commands executed by s() is sent by e-mail to the current
user. Use tt(--mailer) to redefine (or to suppress sending e-mail by
specifying an empty mailer command (i.e., tt(--mailer ""))).
By default tt(/usr/bin/mail -s \"Ssh-cron $*\" $USER@localhost) is
used, with tt($*) replaced by the exected command as specified in the
tt(crontab) file argument.
it() loption(no-daemon) nl()
s() is not run as a daemon. To properly end s() if not running as a
daemon, press the `Enter' key, enter tt(ctrl-C) or send s() a
tt(SIGTERM) signal. This option is incompatible with ( --list,
--reload,) and tt(--terminate).
This option cannot be specified in the configuration file.
it() loption(reload) (soption(r))nl()
reload the s() daemon with de cron-commands defined in the
tt(crontab-file) argument (which must be provided). This option is
incompatible with (--list, --no-daemon,) and tt(--terminate).
This option cannot be specified in the configuration file.
it() loption(stdout) (soption(s))nl()
in addition to using a log file and syslog messages send all messages
to the standard output. This option is not available if s() runs as a
daemon process.
This option cannot be specified in the configuration file.
it() loption(syslog)nl()
messages are sent to the syslog daemon when this option is specified.
By default syslog messages are written to the tt(DAEMON) facility with
priority tt(NOTICE).
it() laoption(syslog-facility)(facility)nl()
the facility that is used to write the syslog messages to. By default
this is tt(DAEMON). For an overview of facilities and their meanings,
see, e.g., bf(syslog)(3). With s() the facilities tt(DAEMON,
LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7), and
tt(USER) can be used.
By default facility tt(DAEMON) is used.
it() laoption(syslog-priority)(priority)nl()
the priority that is used to write the syslog messages to. By default
this is tt(NOTICE). For an overview of priorities and their meanings,
see, e.g., bf(syslog)(3). With s() all defined priorities can
be used. E.g., tt( EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO) and
tt(DEBUG).
By default priority tt(NOTICE) is used.
it() laoption(syslog-tag)(tag)nl()
syslog messages can be provided with a em(tag), which can be used to
filter them from the log-files. See also section tt(RSYSLOG
FILTERING) below.
By default the tag tt(SSH-CRON) is used.
it() loption(terminate) (soption(t))nl()
terminate a running s() daemon program, using the daemon's process ID
found in the ipc-file's second value. The tt(crontab-file) argument
must be omitted. This option is incompatible tt with (--list,
--nodaemon,) and tt(--reload)
.
This option cannot be specified in the configuration file.
it() loption(verbose)nl()
additional messages about s()'s mode of operation are sent to
s()'s log facilities (specified by tt(--log, --syslog,) and/or
tt(--stdout)).
it() loption(version) (soption(v))nl()
s()'s version number is written to the standard output stream.
This option cannot be specified in the configuration file.
)
manpagesection(RSYSLOG FILTERING)
When using bf(rsyslogd)(1) property based filters may be used to filter
syslog messages and write them to a file of your choice. E.g., to filter
messages starting with the syslog message tag (e.g., tt(SSH-CRON)) use
verb(
:syslogtag, isequal, "SSH-CRON:" /var/log/ssh-cron.log
:syslogtag, isequal, "SSH-CRON:" stop
)
Note that the colon is part of the tag, but is not specified with the
tt(syslog-tag) option.
This causes all messages having the tt(SSH-CRON:) tag to be written on
tt(/var/log/ssh-cron.log) after which they are discarded. More extensive
filtering is also supported, see, e.g.,
tt(http://www.rsyslog.com/doc/rsyslog_conf_filter.html) and
tt(http://www.rsyslog.com/doc/property_replacer.html)
manpageseealso()
bf(cron)(1), bf(crontab)(1), bf(crontab)(5), , bf(rsyslogd)(1), bf(ssh)(1),
bf(ssh-add)(1), bf(ssh-agent)(1), bf(ssh-askpass)(1), bf(stealth)(1),
bf(syslog)(3)
manpagebugs()
None reported.
manpagesection(COPYRIGHT)
This is free software, distributed under the terms of the `GNU General
Public License'. Copyright remains with the author. s() is available at
tt(https://fbb-git.gitlab.io/ssh-cron/).
manpagesection(ORGANIZATION)
Center for Information Technology, University of Groningen.
manpageauthor()
Frank B. Brokken (bf(f.b.brokken@rug.nl)).
|
