I have this script that runs on a central server and uses ssh to
get to remote servers, where it makes automated changes.
The script is called runlab and it will take a script name
as its argument. It scp's the script to the remote machine,
then it logs in to the remote machine and executes the script.
Unfortunately, some of the subnets in our lab are not universally reachable
via ssh (due to firewall restrictions), so I needed a script that can "hop"
through one or more intermediate servers (bastion hosts) on its way to the destination.
I called the script wssh since I used to use a script with that name
when I worked at Digital Island. I wrote this version of the script
from scratch, so I don't think anyone from DI should be upset about it.
Click here to get the script.
Click here to get a sample config file.
Put the script in /usr/local/bin and the config file in /usr/local/etc.
Create a link to the script with the name /usr/local/bin/wscp:
$ ln -s /usr/local/bin/wssh /usr/local/bin/wscp
If you put the config file anywhere else, you'll need to update the
script. Because the script works differently depending on its
name, you'll need to keep the names wssh and wscp or update the
script.
Change History
Thu Dec 18 17:05:33 PST 2003 - Implemented ability to hop more than once
Thu Dec 18 23:50:35 PST 2003 - Implemented wscp....
Sat Dec 20 16:53:21 PST 2003 - Be more flexible with the port - maybe choose one randomly
Mon Dec 22 16:00:56 PST 2003 - wssh does pattern matching against names in wssh.conf
Wed Mar 17 12:07:14 PST 2004 - updated to NOT set up a tunnel at all
if no proxy is required. I did this because the default sshd config for
Solaris 9 machines does not allow tunneling.
How do I set this up?
It's pretty easy. Here is what you do after copying in the executable and
the conf file:
- This script requires ssh port forwarding to be enabled.
- First, update the conf file to add all the hosts and the
route to get there.
- Second, make sure you can ssh into the bastion/proxy host without
having to specify a password. Actually, this is not a requirement,
but you'll find it confusing if you have to enter passwords. For example,
you will be prompted to enter the password for localhost, but because
that port is forwarded to the destination machine, it's actually prompting
you for the password for the remote system.
Also, if you are going to use more than
one hop, and you are using ssh-agent, then you MUST uncomment the AGENTFW
directive in the script. If you don't want to use agent forwarding, then
you will need to use a keypair without a passphrase.
- Lastly, keep in mind that not only must each system in the mix trust
the preceding server (so that the tunnel can be set up), but also, the
destination system must trust the initiating system.
So, if you are trying to set up:
A -> BH -> C
then BH must trust A, C must trust BH, and C must trust A.
(Thanks to Mateen Fikree for this documentation suggestion)
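The hop logic described above (pattern lookup in wssh.conf, a chain of local port forwards, agent forwarding only when there is more than one hop, no tunnel at all when no proxy is needed, and wscp mode), written out as an added sketch that is not the wssh script itself. The config layout, host names, the 10022 base port, the "-" marker for direct hosts and the HostKeyAlias option are my assumptions; the sketch only prints the ssh/scp commands it would run.

```shell
#!/bin/sh
# Constructed stand-in for wssh.conf (assumption: the real file's layout is not
# shown on the page). Fields: a shell glob that the target is matched against,
# then the hops in order; "-" means the target is reachable directly.
WSSH_CONF_DATA='
# pattern   hops
lab1-*      bastion.example.com
lab2-*      bastion.example.com bh2.lab2.example.com
*.corp      -
'

# wssh_route TARGET: print the hop list of the first matching pattern.
wssh_route() {
    while read -r _pattern _hops; do
        case "$_pattern" in ''|'#'*) continue ;; esac
        case "$1" in
            $_pattern) printf '%s\n' "$_hops"; return 0 ;;   # unquoted on purpose: it is a glob
        esac
    done <<EOF
$WSSH_CONF_DATA
EOF
    echo "wssh: no route for $1 in wssh.conf" >&2
    return 1
}

# wssh_plan MODE TARGET [BASEPORT [SRC DEST]]: print, one per line, the commands
# wssh (MODE=ssh) or wscp (MODE=scp) would run. Nothing is executed here.
wssh_plan() {
    _mode=$1 _target=$2 _port=${3:-10022} _src=${4:-runlab.sh} _dst=${5:-/tmp/}
    _hops=$(wssh_route "$_target") || return 1
    if [ "$_hops" = "-" ]; then
        # No proxy needed: no tunnel at all (sshd may forbid forwarding anyway).
        if [ "$_mode" = scp ]; then printf 'scp %s %s:%s\n' "$_src" "$_target" "$_dst"
        else printf 'ssh %s\n' "$_target"; fi
        return 0
    fi
    set -- $_hops "$_target"            # word-split on purpose: hop1 ... hopN target
    _agent=""; [ $# -gt 2 ] && _agent="-A "   # more than one hop: agent forwarding (AGENTFW)
    _via=$1 _viaopts=""; shift
    while [ $# -gt 0 ]; do
        # Background tunnel: localhost:$_port now leads to $1's sshd, via $_via.
        # HostKeyAlias keeps known_hosts keyed by the real host, not "localhost".
        printf 'ssh %s-f -N %s-L %s:%s:22 %s\n' "$_agent" "$_viaopts" "$_port" "$1" "$_via"
        _viaopts="-p $_port -o HostKeyAlias=$1 " _via=localhost _last=$_port
        _port=$((_port + 1)); shift
    done
    # "localhost" here is really TARGET: any password prompt is TARGET's, not yours.
    if [ "$_mode" = scp ]; then printf 'scp -P %s -o HostKeyAlias=%s %s localhost:%s\n' "$_last" "$_target" "$_src" "$_dst"
    else printf 'ssh -p %s -o HostKeyAlias=%s localhost\n' "$_last" "$_target"; fi
}
```

A real script would also have to kill the backgrounded `-f -N` tunnels when it is done; `wssh_plan scp lab2-7` shows the two-hop case ending in an scp against the forwarded port.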
Still To Do
- Nothing on the list at this point