Scripting SSH Connections to Extract Info from Output
-
@scottalanmiller said:
That might work. I'm not very expert with expect. Although what are the chances that expect is installed?
I typed "expect" into the CLI and got this:
expect1.1>So I assume it is.
-
@handsofqwerty said:
....but there are literally over 1000 devices between two of this company's stores, and they'd have to setup keys for over a dozen people to each device. Is there any easy or feasible way to do that.
More importantly, is there any feasible way not to? What could be better than having the right keys? If you have password access to the devices already, it would take almost no effort to deploy keys and lock down the shared passwords.
The more devices you have and the more people with access to them, the more important it is to be secure and to know who is doing what.
-
@handsofqwerty said:
@scottalanmiller said:
That might work. I'm not very expert with expect. Although what are the chances that expect is installed?
I typed "expect" into the CLI and got this:
expect1.1>So I assume it is.
Looks that way!
-
I know I'm a bit late to this conversation, but I think Ansible would quite possibly be a good candidate for this task. You could add your list of IPs to Ansible's host config file under a specified group and use Ansible's CLI to run a single command against every host in that group simultaneously or at a specified interval.
Ansible uses SSH for pretty much everything it does, so if the credentials are the same for all hosts I believe it will cache them and use them with each host without prompting multiple times. Just another avenue to consider.
-
@RamblingBiped said:
I know I'm a bit late to this conversation, but I think Ansible would quite possibly be a good candidate for this task. You could add your list of IPs to Ansible's host config file under a specified group and use Ansible's CLI to run a single command against every host in that group simultaneously or at a specified interval.
Ansible uses SSH for pretty much everything it does, so if the credentials are the same for all hosts I believe it will cache them and use them with each host without prompting multiple times. Just another avenue to consider.
I think normally you would just manually add a key for Ansible or build that into the image.
-
@scottalanmiller Yeah, that would be the ideal situation. Since that isn't an option though, he could easily override the default key-based auth and just use password authentication by adding the "--ask-pass" option to the manual command entry. If it fit the bill he could go a bit further and completely automate it by building a task/playbook.
I've been trying to incorporate Ansible into some of my routine tasks and really like it so far. I can definitely see it being a huge time saver for us in the future as we grow.
-
I want to play around with Ansible. I use Chef daily now and was using cfEngine all year last year. Did not like cfEngine. Chef is quirky and complex but does the trick better than cfEngine. Would love lots of free time to play with Puppet and Ansible to compare.
Are you using Tower or the free open source Ansible?
-
I'm using the free open source version. They have good documentation and it seems to have a lot lower of a learning curve when compared to Chef/Puppet. It's really quick to install and get up and running. Using YAML for config files and Jinja2 for manipulating variables via templating seems to be something that isn't going to be too tough to pick up either.
-
Cool, what are you running it on, CentOS? Is there any GUI when using the free version? That's what you lose with Chef.
-
I'm running it off of my Ubuntu 14.04 Desktop system. No GUI that I know of with the free version of Ansible, though I don't really see that as much of a downside.
-
@RamblingBiped During my search on Ansible tower alternative, found a reddit link mentioning about http://rundeck.org/
I am still at the very early stage, but you might be able to check it and see if this suits as an alternative to tower and https://github.com/ansible-semaphore/semaphore also looks like an alternative
-
I'm also quite late, but would it be appropriate to keep passwords in files with root permissions and have the script read it? Or is that just as insecure?
-
@johnhooks said:
I'm also quite late, but would it be appropriate to keep passwords in files with root permissions and have the script read it? Or is that just as insecure?
At some point, passwords need to exist. In most cases, you want to use keys, though. Where do you need passwords?
-
@scottalanmiller said:
@johnhooks said:
I'm also quite late, but would it be appropriate to keep passwords in files with root permissions and have the script read it? Or is that just as insecure?
At some point, passwords need to exist. In most cases, you want to use keys, though. Where do you need passwords?
I was just asking if that would be a solution to the original problem while still being secure since he couldn't use keys.
-
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
I'm also quite late, but would it be appropriate to keep passwords in files with root permissions and have the script read it? Or is that just as insecure?
At some point, passwords need to exist. In most cases, you want to use keys, though. Where do you need passwords?
I was just asking if that would be a solution to the original problem while still being secure since he couldn't use keys.
Oh, in that case, they aren't concerned about security or they'd have keys. So being really secure isn't on their radar
