GNU Screen has a feature that serves us well here: it can log everything that happens in a session, and a running session can be attached to from elsewhere. That is exactly what our objective needs: a central server that all users must log in to before they can reach any other server.
The idea is simple and has several advantages:
- No per-server user management
- Users know a single, easily changed password for all servers
- Greater control over what users do
- Unscheduled access can be spotted
- User activity is logged

It also has drawbacks:
- Single point of failure
- Single point of entry
- Transferring files becomes a pain, since everything has to pass through the central server

Requirements:
- SSH client
- GNU Screen
- A user account for each user on the screen server (restrict that group, e.g. with disk quotas)
- A common user account (e.g. foo) on each server you wish to connect to
On each managed server, restrict sshd to the screen server's address (192.168.0.2 and 192.168.0.3 in this example) and to the shared account:

```
# /etc/hosts.allow
sshd: 192.168.0.2
sshd: 192.168.0.3

# /etc/hosts.deny
sshd: ALL

# /etc/ssh/sshd_config
AllowUsers foo admin
PermitRootLogin no
```

Two caveats. In tcp_wrappers the `net/mask` form (for instance 192.168.0.2/255.255.255.0) matches a client only when `net` equals the client address ANDed with `mask`, so a host address combined with a /24 mask never matches anything; list single hosts without a mask, as above, or use the network address 192.168.0.0/255.255.255.0. Second, OpenSSH 6.7 removed tcp_wrappers (libwrap) support, so on a recent system sshd ignores hosts.allow and hosts.deny unless your distribution patched it back in; use a firewall rule or sshd_config itself (AllowUsers accepts USER@HOST patterns) to get the same restriction.

Your users should now be able to:
- Connect to the screen server using someuser@screenserver
- Connect to your servers only from the new screen server using foo@webserver
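The same restriction expressed in sshd_config alone, without relying on tcp_wrappers, plus the screen-server side that denies users a real shell. This is an added example, not configuration from the post; the screen server address 192.168.0.2, the group name screenusers and the path /usr/local/bin/manager.sh are assumptions.

```conf
# /etc/ssh/sshd_config on each managed server
# (192.168.0.2 is the screen server; assumed address for this example)
PermitRootLogin no
# USER@HOST patterns: foo and admin may log in, but only from the screen server
AllowUsers foo@192.168.0.2 admin@192.168.0.2

# /etc/ssh/sshd_config on the screen server
PermitRootLogin no
# members of the (assumed) group screenusers never get a shell, only the menu,
# and cannot use the box as a tunnel endpoint to bypass the logged sessions
Match Group screenusers
    ForceCommand /usr/local/bin/manager.sh
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

The Match block is what makes the rest of the setup hold: with a ForceCommand the user cannot run ssh directly, start screen with their own rc file, or copy the session logs, whatever is in their home directory. Test with `sshd -t` after editing and keep an existing session open while you reload.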
Use some screen magic
With screen in the middle of every connection you can log user activity on the servers just by configuring it correctly. First, add the following to the global /etc/screenrc (comments are kept on their own lines, since screen only treats lines beginning with # as comments):

```
# Scrolling
defscrollback 1500
termcapinfo xterm* ti@:te@

# Detach on hangup instead of killing the session
autodetach on

# Disable key bindings
# Don't allow the user to toggle logging off
bind H echo "Disabled"
# Don't allow detaching
bind d echo "Disabled"
bind ^d echo "Disabled"
# Don't allow creating new windows
bind c echo "Disabled"
bind ^c echo "Disabled"
# Don't allow splitting
bind S echo "Disabled"
# Don't allow issuing screen commands
bind : echo "Disabled"

# No startup message
startup_message off

# Logging: %t is the window title, %n the window number
deflog on
logtstamp on
logfile /tmp/screen-logs/%t-%Y%m%d-%n.log
```

The directory /tmp/screen-logs must exist before the first session starts; create it beforehand rather than leaving it to whoever gets there first in a world-writable /tmp.
In each user's home directory, create an empty .screenrc owned by root with read-only permissions (mode 0444), since you don't want users modifying it. This way nobody overrides the global configuration. Keep in mind that screen also honours `-c file` and the SCREENRC environment variable, so the root-owned file only helps if users never get an interactive shell on the screen server: the menu script must be the only thing they can run (as their login shell, or via ForceCommand in sshd_config).
Next, download the manager.sh script and add your servers:

```
servers=( "foo@bar1" "foo@bar2" "foo@bar3" )
```

The script lets a user pick a server from the list and launches an ssh session inside a screen session, naming both the session and the window after the user and host:

```
/usr/bin/screen -S user.bar1 -t user.bar1 /usr/bin/ssh foo@bar1
```
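A complete menu script in the spirit of manager.sh, added here as an example rather than taken from the post. The server list is a constructed sample, the log directory matches the screenrc above, and the script assumes it is installed as the users' login shell or ForceCommand so that nothing else is reachable. It validates the choice (anything but an in-range number is rejected) and uses exec so no shell is left behind when the screen session ends.

```shell
#!/bin/sh
# manager.sh: menu that launches ssh inside a logged screen session.
# Added example (not the post's script); host names, paths and the
# log directory are assumptions.

# One "user@host" per entry; constructed sample list
servers="foo@bar1 foo@bar2 foo@bar3"

# pick_server N: print the N-th entry of $servers, fail on anything else
pick_server() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    i=1
    for s in $servers; do
        if [ "$i" -eq "$1" ]; then
            printf '%s' "$s"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# screen_cmd USER TARGET: the command line that wraps ssh in screen.
# Session name and window title carry user and host, so the %t in the
# global screenrc's logfile setting yields e.g. alice.bar1-20110116-0.log
screen_cmd() {
    host=${2#*@}
    printf '/usr/bin/screen -S %s.%s -t %s.%s /usr/bin/ssh %s' \
        "$1" "$host" "$1" "$host" "$2"
}

main() {
    user=${USER:-$(id -un)}
    echo "Available servers:"
    i=1
    for s in $servers; do
        echo "  $i) $s"
        i=$((i + 1))
    done
    printf 'Choice: '
    read -r choice || exit 1
    target=$(pick_server "$choice") || { echo "Invalid choice" >&2; exit 1; }
    # exec: when the screen session ends the connection closes, no shell is left
    exec $(screen_cmd "$user" "$target")
}

# Show the menu only on an interactive terminal (the ssh login case);
# without a tty the functions are merely defined.
if [ -t 0 ]; then
    main
fi
```

Because the user's input only ever selects an index into a list the administrator wrote, nothing typed at the prompt reaches ssh or screen as an argument. Install it with `chsh -s /usr/local/bin/manager.sh username` or through the ForceCommand route, and make sure it is root-owned and not writable by the users it serves.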
Since you control and monitor every screen session, you can see what each user did on each server simply by reading the log files, named after the window title, the date and the window number; with the -t title above the file for that session is user.bar1-20110116-0.log. The log is written by the user's own screen process, so the user owns the file and could truncate it from inside the session if they ever reached a local shell; if the logs matter as evidence, ship them off the box promptly or rotate them into a root-owned location.
Well, I hope this is useful for someone else. Leave a comment for any suggestions.