Central GNU Screen/SSH Server

I'm not going to explain why screen is such a great tool, because it is, and there are many blogs that will tell you so. What I'm going to explain is how you can use screen to set up a central server to manage and monitor who connects to your servers and what they do.
Screen can log sessions and attach to running ones. This comes in handy for our current objective: setting up a central server that all users must connect to before they can connect to other servers.
The idea is pretty basic and has lots of advantages:

  • No user management for each server
  • Users know only one, easily changed password for all servers
  • Greater control of user actions
  • Monitor unscheduled access
  • Log user activity
Of course, there are some disadvantages:

  • Single point of failure
  • Single point of entrance
  • Can become a pain when transferring files
First, we need to set up a single server with the following:

  1. SSH Client
  2. GNU Screen
  3. User account for each user (limit the user's group using quotas)
  4. Common user account on each server you wish to connect to (e.g. foo)
You now have your screen server, and on each server you have a user (e.g. foo) with the same password (e.g. bar123). Now secure your SSH configuration by allowing access only from the screen server to the foo user (and admin, just in case):
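# /etc/hosts.allow
# List each permitted host by address. A net/mask pair such as
# 192.168.0.2/255.255.255.0 never matches: tcp_wrappers compares
# (client address AND mask) with the net value, which has host bits set.
sshd: 192.168.0.2
sshd: 192.168.0.3

# /etc/hosts.deny
sshd: ALL

# /etc/ssh/sshd_config
AllowUsers foo admin
PermitRootLogin no
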
Your users should now be able to:

  1. Connect to the screen server using someuser@screenserver
  2. Connect to your servers only from the new screen server using foo@webserver

Use some screen magic

If you include screen in this whole setup, you'll be able to log user activity in the servers by correctly configuring screen. First, add the following configuration to /etc/screenrc:

# Scrolling
defscrollback 1500
termcapinfo xterm* ti@:te@

# Detach on close
autodetach on

# Disable key binds
bind H echo "Disabled" # Don't allow the user to disable logging
bind d echo "Disabled" # Don't allow to detach
bind ^d echo "Disabled" # Don't allow to detach
bind c echo "Disabled" # Don't allow to create
bind ^c echo "Disabled" # Don't allow to create
bind S echo "Disabled" # Don't allow to split
bind : echo "Disabled" # Don't allow to issue commands

# no startup msg
startup_message off

# Logging
deflog on
logtstamp on
logfile /tmp/screen-logs/%t-%Y%m%d-%n.log

In each user's home folder, create an empty .screenrc file. This file should be owned by root with read-only permissions (since you don't want the users to modify it). This way, no user will be able to override the general configuration.

Next, download the manager.sh script and add your servers:

servers=(
    "foo@bar1"
    "foo@bar2"
    "foo@bar3"
)

This script lets a user select a server from the given list and launches an SSH session inside a screen session:
 /usr/bin/screen -S user.bar1 -t user.bar1 /usr/bin/ssh foo@bar1 
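
The following is an added example, not the original manager.sh: a menu that accepts only an index into the server list and builds the screen command shown above. SERVERS and the function names are assumptions made for illustration, and the list is a space-separated string rather than the bash array above so that it runs under plain sh.

```shell
#!/bin/sh
# Added example, not the original manager.sh. Constructed sample list;
# SERVERS and the function names below are assumptions.
SERVERS="foo@bar1 foo@bar2 foo@bar3"

# Print entry N (1-based) of SERVERS. Anything that is not a short, plain
# number is rejected, so free text never reaches the ssh command line.
pick_server() {
    case "$1" in
        ''|*[!0-9]*|?????*) return 1 ;;
    esac
    i=0
    for s in $SERVERS; do
        i=$((i + 1))
        if [ "$i" -eq "$1" ]; then
            printf '%s\n' "$s"
            return 0
        fi
    done
    return 1
}

# Session and window name in the "user.host" form used above (user.bar1).
session_name() {
    printf '%s.%s\n' "$1" "${2#*@}"
}

# Command line for one user and target. -t sets the window title, which
# screen substitutes for %t in the logfile pattern.
screen_cmd() {
    name=$(session_name "$1" "$2")
    printf '/usr/bin/screen -S %s -t %s /usr/bin/ssh %s\n' "$name" "$name" "$2"
}

menu() {
    n=0
    for s in $SERVERS; do n=$((n + 1)); printf '%d) %s\n' "$n" "$s"; done
    printf 'Server number: '
    read -r choice || return 1
    target=$(pick_server "$choice") || { echo "Invalid selection" >&2; return 1; }
    name=$(session_name "$(id -un)" "$target")
    exec /usr/bin/screen -S "$name" -t "$name" /usr/bin/ssh "$target"
}

# Run "sh manager-example.sh menu" to start; with no argument the file
# only defines the functions.
if [ "${1:-}" = "menu" ]; then menu; fi
```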

Since you're controlling and monitoring all the screen sessions, you can easily know what the users are doing on each server by watching the log files: user-20110116-0.log

Well, I hope this is useful for someone else. Leave a comment for any suggestions.
