Difference between revisions of "SSH"

From HSYCO
Jump to navigation Jump to search
 
(20 intermediate revisions by the same user not shown)
Line 27: Line 27:
 
at the end of the /etc/sudoers file (use the visudo command to edit the /etc/sudoers file).
 
at the end of the /etc/sudoers file (use the visudo command to edit the /etc/sudoers file).
  
{{tip|If the username and password are correct, but the remote server refuses the authentication (you will see a "Password authentication failed." message in the logs and the I/O Server will keep restarting), the most probable cause is that the remore SSH server is configured to refuse the "keyboard-interactive" or "password" authentication type. To make it work, you should change the remote server's configuration to enable either keyboard-interactive or password authentication.}}
+
{{tip|If the username and password are correct, but the remote server refuses the authentication (you will see a "Password authentication failed." message in the logs and the I/O Server will keep restarting), the most probable cause is that the remote SSH server is configured to refuse the "keyboard-interactive" or "password" authentication type. To make it work, you should change the remote server's configuration to enable either keyboard-interactive or password authentication.}}
  
 
== HSYCO Configuration ==
 
== HSYCO Configuration ==
 
Add an SSH I/O Server in the [[Settings#I/O Servers|I/O Servers section of the Settings]] and set its parameters:
 
Add an SSH I/O Server in the [[Settings#I/O Servers|I/O Servers section of the Settings]] and set its parameters:
 +
 +
{{note|Note that the SSH I/O Server doesn't count in the I/O servers license total, so you don't need an extra I/O Server license to use SSH with HSYCO.}}
  
 
=== Communication ===
 
=== Communication ===
Line 37: Line 39:
  
 
=== Authentication ===
 
=== Authentication ===
*'''User''': username to use on the remote device
+
*'''User''': username for authentication on the remote device
*'''Password''': password for the used username
+
*'''Password''': password. A PEM file name (containing a private key) can be used instead of password for public-key authentication
  
 
=== High Availability ===
 
=== High Availability ===
Line 52: Line 54:
  
 
|-
 
|-
|rowspan="2"|stdout
+
|rowspan="3"|stdout
|rowspan="2"|true
+
|rowspan="3"|true
 
|true
 
|true
 
|when a remote command is executed, generate IO events containing the command's standard output and standard error streams
 
|when a remote command is executed, generate IO events containing the command's standard output and standard error streams
Line 59: Line 61:
 
|false
 
|false
 
|do not generate IO events of the command's output and error streams
 
|do not generate IO events of the command's output and error streams
 +
|-
 +
|line
 +
|IO events are generated for each line of the command's standard output and standard error streams
  
 
|-
 
|-
Line 73: Line 78:
  
 
{| class="wikitable"
 
{| class="wikitable"
!ID
+
!width=160 |ID
 
!width=160 |Value
 
!width=160 |Value
 
!R/W
 
!R/W
Line 79: Line 84:
  
 
|-
 
|-
|rowspan="2" |connection
+
|rowspan="3" |connection
 
|online
 
|online
 
|R
 
|R
Line 87: Line 92:
 
|R
 
|R
 
|SSH connection closed
 
|SSH connection closed
 +
|-
 +
|close
 +
|W
 +
|closes the SSH connection
  
 
|-
 
|-
|rowspan="2" |exec
+
|exec
|<command string>
+
|rowspan="2" |<command string>
|W
+
|rowspan="2" |W
|executes the command passed as value
+
|rowspan="2" |executes the command passed as value.
 +
An optional command execution timeout in seconds defines how long the command is allowed to wait reading from stdout and stderr. The default is 30 seconds
 +
|-
 +
|exec.<timeout>
 
|-
 
|-
 +
|exec
 
|&lt;exit status&gt;
 
|&lt;exit status&gt;
 
|R
 
|R
Line 129: Line 142:
 
|&lt;source&gt; &lt;destination&gt;
 
|&lt;source&gt; &lt;destination&gt;
 
|W
 
|W
|copy the local source file to the remote server's destination path name.<br>The source and destination string in value should be separated by one or more spaces.<br>Always use the "/" character as path separator.<br>Use "\" as the escape character if the file names have spaces.<br>The source directory must exist and cannot be outside of the HSYCO's base directory, or the command will fail. If the source name doesn't have a path, the file will be written to the HSYCO's base directory.<br>The file will be saved to the remote server with 600 (owner's only read and write) permission
+
|copy the local source file to the remote server's destination path name.<br>The source and destination string in value should be separated by one or more spaces.<br>Always use the "/" character as path separator.<br>Use "\" as the escape character if the file names have spaces.<br>The source file cannot be outside of the HSYCO's base directory, or the command will fail. If the source name doesn't have a path, the file will be read from the HSYCO's base directory.<br>The file will be saved to the remote server with 600 (owner's only read and write) permission
 
|-
 
|-
 
|&lt;exit status&gt;
 
|&lt;exit status&gt;
Line 136: Line 149:
 
* the total number of transferred bytes (should be equal to the actual file size)
 
* the total number of transferred bytes (should be equal to the actual file size)
 
* "error" if the file transfer failed
 
* "error" if the file transfer failed
 +
 +
|-
 +
|user
 +
|&lt;user name&gt;
 +
|W
 +
|overrides the "user" configuration parameter. This command can only be used when persistentconnection=false, and becomes effective after the current connection is closed. Set <user name> to an empty string to restore the original settings
 +
 +
|-
 +
|password
 +
|&lt;user password&gt;
 +
|W
 +
|overrides the "password" configuration parameter. This command can only be used when persistentconnection=false, and becomes effective after the current connection is closed. Set <user password> to an empty string to restore the original settings. A PEM file name (containing a private key) can be used instead of password for public-key authentication
  
 
|-
 
|-
Line 215: Line 240:
  
 
== Release Notes ==
 
== Release Notes ==
 +
=== 3.8.0 ===
 +
* a PEM file name (containing a private key) can be used instead of password for public-key authentication
 +
 +
=== 3.7.0 ===
 +
* the SSH I/O Server is now "free". Using it doesn't decrease the number of available I/O servers
 +
* new exec.<timeout> data point. Sets the command execution timeout in seconds; defaults to 30
 +
* new connection = close command: closes the SSH connection
 +
* new user = <user name> command; overrides the user configuration parameter
 +
* new password = <user password> command; overrides the password configuration parameter
 +
* new stdout=line option
 +
 
=== 3.4.0 ===
 
=== 3.4.0 ===
 
* added support for the "keyboard-interactive" authentication method
 
* added support for the "keyboard-interactive" authentication method
 
=== 3.3.0 ===
 
=== 3.3.0 ===
 
* initial release
 
* initial release

Latest revision as of 15:51, 22 March 2023

Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers that connects, via a secure channel over an insecure network, a server and a client (running SSH server and SSH client programs, respectively).

The best-known application of the protocol is for access to shell accounts on Unix-like operating systems, but it can also be used in a similar fashion for accounts on Windows.

It was designed as a replacement for Telnet and other insecure remote shell protocols, which send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure using packet analysis.

The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet.

The SSH I/O Server implements the SSH-2 version of the protocol, and supports remote command execution and the SCP protocol for bidirectional file transfer. It uses HSYCO data points to execute commands and return command status, making it easy to use the SSH protocol in EVENTS, as well as JavaScript and Java.

The SSH I/O Server establishes a single SSH connection to the server, using keyboard-interactive or password-based authentication, and creates individual sessions to execute single commands.

Note Commands are executed sequentially, not in parallel.

SSH Remote Server Configuration

The remote system should be configured to accept the SSH connection from the HSYCO server using the username and password defined in the I/O Server’s options.

If you need to execute operating system’s commands with superuser privileges (with the sudo program), the remote user name defined with the user option in the SSH I/O Server configuration must be allowed to execute “sudo” commands without asking for a password.

For example, if the user is hsyco, you could add the line:

hsyco ALL=(ALL:ALL) NOPASSWD: ALL

at the end of the /etc/sudoers file (use the visudo command to edit the /etc/sudoers file).

Note If the username and password are correct, but the remote server refuses the authentication (you will see a "Password authentication failed." message in the logs and the I/O Server will keep restarting), the most probable cause is that the remote SSH server is configured to refuse the "keyboard-interactive" or "password" authentication type. To make it work, you should change the remote server's configuration to enable either keyboard-interactive or password authentication.

HSYCO Configuration

Add an SSH I/O Server in the I/O Servers section of the Settings and set its parameters:

Note that the SSH I/O Server doesn't count in the I/O servers license total, so you don't need an extra I/O Server license to use SSH with HSYCO.


Communication

  • IP Address: IP address of the remote device
  • IP Port: IP port enabled for the SSH service on the remote device, leave blank for default port 22.

Authentication

  • User: username for authentication on the remote device
  • Password: password. A PEM file name (containing a private key) can be used instead of password for public-key authentication

High Availability

  • Shutdown when inactive: defaults to false.

Options

ID Default Values Description
stdout true true when a remote command is executed, generate IO events containing the command's standard output and standard error streams
false do not generate IO events of the command's output and error streams
line IO events are generated for each line of the command's standard output and standard error streams
persistentconnection true true the I/O Server establishes the SSH connection at start-up and keeps it open across multiple commands. Commands execution is faster, but a small amount of network traffic is present, even when no commands are executed, to keep the connection open
false the I/O Server will not establish a connection to the remote server until a command is executed. The connection is closed 30 seconds after the execution of the last command

Datapoints

ID Value R/W Description
connection online R SSH connection established (with successful authentication)
offline R SSH connection closed
close W closes the SSH connection
exec <command string> W executes the command passed as value.

An optional command execution timeout in seconds defines how long the command is allowed to wait reading from stdout and stderr. The default is 30 seconds

exec.<timeout>
exec <exit status> R
  • the command's exit status number
  • "error" if the command could not be sent to the remote server
  • "null" if the remote server failed to return an exit status code (some SSH servers do not return the exit status)
err <error stream> R the executed command standard error stream, with lines separated by "<br>", or an empty string if the command's error stream is empty
out <error stream> R the executed command standard output stream, with lines separated by "<br>", or an empty string if the command's output stream is empty
get <source> <destination> W retrieves the remote source file and writes it locally to the destination path name.
The source and destination string in value should be separated by one or more spaces.
Always use the "/" character as path separator.
Use "\" as the escape character if the file names have spaces.
The destination directory must exist and cannot be outside of the HSYCO's base directory, or the command will fail. If the destination name doesn't have a path, the file will be written to the HSYCO's base directory
<exit status> R
  • the total number of transferred bytes (should be equal to the actual file size)
  • "error" if the file transfer failed
put <source> <destination> W copy the local source file to the remote server's destination path name.
The source and destination string in value should be separated by one or more spaces.
Always use the "/" character as path separator.
Use "\" as the escape character if the file names have spaces.
The source file cannot be outside of the HSYCO's base directory, or the command will fail. If the source name doesn't have a path, the file will be read from the HSYCO's base directory.
The file will be saved to the remote server with 600 (owner's only read and write) permission
<exit status> R
  • the total number of transferred bytes (should be equal to the actual file size)
  • "error" if the file transfer failed
user <user name> W overrides the "user" configuration parameter. This command can only be used when persistentconnection=false, and becomes effective after the current connection is closed. Set <user name> to an empty string to restore the original settings
password <user password> W overrides the "password" configuration parameter. This command can only be used when persistentconnection=false, and becomes effective after the current connection is closed. Set <user password> to an empty string to restore the original settings. A PEM file name (containing a private key) can be used instead of password for public-key authentication


Note The exec, err, out, get and put data points will trigger the IO events at the end of the command's execution even if the value is not changed. This allows you to easily intercept the exit status and other return information.

Examples

Note In the following examples, we assume that the id of the SSH I/O Server is "ssh".

Remote Command Execution

Reboot a remote system at midnight.

TIME 0000 : IO ssh.exec = "sudo reboot"

Turn off screen at midnight.

TIME 0000 : IO ssh.exec = "sudo vbetool dpms off"

Turn on screen at 7 o' clock.

TIME 0700 : IO ssh.exec = "sudo vbetool dpms on"

File Transfer

At midnight, copy HSYCO's internal database backup to a remote server.

TIME 0000 : 	IO ssh.put = "data_backup/hsyco.data /tmp/data_backup/hsyco.data",
		IO ssh.put = "data_backup/hsyco.properties /tmp/data_backup/hsyco.properties",
		IO ssh.put = "data_backup/hsyco.script /tmp/data_backup/hsyco.script"

Interactive Remote Command Project

Create a simple interactive command console in HSYCO.


SSH example inteactive command interface.png

The project's file

(#skin blue)
(#language it)
(#size 980x640)
(#style body-background-color=#FF00FF; pages-background-color=#770077)
(#uiset $exec.eraseicon=true)

(header SSH)

(menu)
	(text!stderr r5c3;; (width:600px; text-align:left; height:400px; font-family:Courier New, Courier, monospace))
	(text!stdout r5c3;; (width:600px; text-align:left; height:400px; overflow:auto; font-family:Courier New, Courier, monospace))
	(input!$exec r4c3; (width:600px; font-family:Courier New, Courier, monospace); input)
	(text r1c1; $; font-size:200px)
	(text!exitcode r4c9;; font-size:24px)
(endofmenu)


Events logic

USER "$exec" : IO ssh.exec = $exec, UISET "$exec.focus" = true
IO ssh.out : UISET stdout.text = IO ssh.out
IO ssh.err : UISET stderr.text = IO ssh.err
IO ssh.exec : UISET exitcode.text = IO ssh.exec

Release Notes

3.8.0

  • a PEM file name (containing a private key) can be used instead of password for public-key authentication

3.7.0

  • the SSH I/O Server is now "free". Using it doesn't decrease the number of available I/O servers
  • new exec.<timeout> data point. Sets the command execution timeout in seconds; defaults to 30
  • new connection = close command: closes the SSH connection
  • new user = <user name> command; overrides the user configuration parameter
  • new password = <user password> command; overrides the password configuration parameter
  • new stdout=line option

3.4.0

  • added support for the "keyboard-interactive" authentication method

3.3.0

  • initial release