I agree with the general idea. An 'expect' script can log into multiple servers and get that information alright.
HOWEVER..
1. Expect would work serially. So at a rate of ~3 seconds per server, you are looking at a script execution time of upwards of 50 minutes.
2. The output is *not* pretty and takes extra special care if you want to redirect/log them to a file etc.
3. Needs a timeout value for ssh failure etc., else the script can run for a much, much longer time.
4. Since the passwords are different, you are going to have to handle the loop iteration (I use 'for') with special care too. Many organizations use a single domain userID to run automation or vulnerability analysis on their fleet of servers, which can help in such scenarios.
It is one thing to pull data from 5-10 servers or do small tests etc. rather than take on a fleet of thousands. Ansible definitely gets my vote as others have mentioned.
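The serial-execution, logging and timeout points in the post above, sketched as an added example that is not part of the thread: a parallel collector that writes one log per host and never waits on a password prompt. It assumes key-based SSH authentication is already deployed; the host file, the variable names `SSH_BIN`, `PARALLEL` and `OUTDIR`, and the remote command `uname -r` are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes key-based SSH auth is already
# deployed; hosts.txt, the variable names and 'uname -r' are illustrative.
SSH_BIN="${SSH_BIN:-ssh}"    # overridable, e.g. to dry-run against a stub
PARALLEL="${PARALLEL:-20}"   # concurrent sessions instead of one at a time
OUTDIR="${OUTDIR:-./collect}"

# collect_all HOSTFILE: query every host in parallel, write one .out/.err
# log per host plus summary.txt, and print the number of failed hosts.
collect_all() {
    hostfile="$1"
    mkdir -p "$OUTDIR" || return 1
    # Accept only plain hostnames: drops comments and blank lines, and keeps
    # entries such as "-oProxyCommand=..." or "../x" away from ssh and from
    # the log file path.
    grep -E '^[A-Za-z0-9][A-Za-z0-9._-]*$' "$hostfile" |
    SSH_BIN="$SSH_BIN" OUTDIR="$OUTDIR" xargs -P "$PARALLEL" -I{} sh -c '
        h="$1"
        # BatchMode=yes: never prompt for a password, fail instead of hanging.
        # ConnectTimeout=5: bound the wait on unreachable hosts.
        if "$SSH_BIN" -o BatchMode=yes -o ConnectTimeout=5 "$h" "uname -r" \
            >"$OUTDIR/$h.out" 2>"$OUTDIR/$h.err" </dev/null
        then echo "OK $h"; else echo "FAIL $h"; fi' _ {} |
    sort >"$OUTDIR/summary.txt"
    awk '/^FAIL /{n++} END{print n+0}' "$OUTDIR/summary.txt"
}

# Run only when a host file is given on the command line.
if [ "$#" -gt 0 ]; then collect_all "$1"; fi
```

Hosts listed as FAIL in `summary.txt` have their ssh error text in the matching `.err` file, so unreachable machines and machines still lacking a key can be told apart afterwards.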
If the OP can't even do an SSH keyswap onto these servers (post #1), chances are they won't be able to install anything else either. As TenTenths says, 600+ isn't unusual, but the OP seems to be a help-vampire, and I'm guessing (based on this and previous posts), that this is a homework question of some sort.
Either way, they have not answered or shown any effort of their own.
Quote:
Originally Posted by Turbocapitalist
If you do not have keys, then you might be stuck running expect and entering a lot of passwords. It is a TCL derivative.
Expect could easily read hostname and password from a file, connect to each of the hosts, issue commands to collect information, and stash it into a host-specific log file (to be parsed later and stashing information into a database perhaps). It'd take some effort to write the Expect script but doable. Expect/Tcl scripts are sort of fun to write.
Quote:
Expect could easily read hostname and password from a file, connect to each of the hosts, issue commands to collect information, and stash it into a host-specific log file (to be parsed later and stashing information into a database perhaps). It'd take some effort to write the Expect script but doable. Expect/Tcl scripts are sort of fun to write.
Personally, if I found out someone I hired to be an administrator for 1,000 servers kept root-level user names and passwords in a CLEAR TEXT file, and used an expect script to contact them all, I'd look for another administrator.
Quote:
Personally, if I found out someone I hired to be an administrator for 1,000 servers kept root-level user names and passwords in a CLEAR TEXT file, ...
One place I saw tried keeping them in a M$ Word file on a Windows server. Any accounts recorded there were cracked immediately. It did not take too long to find the leak, however neither the secretary nor the Windows admin(s) were let go. The latter really needed to go.
Another place I saw actually kept an extensive plain text password file not just on a Windows server but also even in a public web directory on it available for the world to peruse. When a student pointed that out, they sued him for "hacking" and ran a series of smear articles in the local papers maligning him while lying about the infrastructure. The whole staff there really needed to be dismissed, but weren't.
I'll give the OP the benefit of the doubt, for now. Maybe this is a cleanup task. But as mentioned many times by people in this thread, SSH keys or SSH certificates are the way to go and the script's only task should be to deploy them.
Quote:
One place I saw tried keeping them in a M$ Word file on a Windows server. Any accounts recorded there were cracked immediately. It did not take too long to find the leak, however neither the secretary nor the Windows admin(s) were let go. The latter really needed to go.
Another place I saw actually kept an extensive plain text password file not just on a Windows server but also even in a public web directory on it available for the world to peruse. When a student pointed that out, they sued him for "hacking" and ran a series of smear articles in the local papers maligning him while lying about the infrastructure. The whole staff there really needed to be dismissed, but weren't.
I've seen similar things as well. Had this one guy years ago who paid the a__hole tax with us, because he was just plain nasty. Got a new server set up, and everything working, and gave them the speech about keeping passwords to themselves, etc. He yelled his out at the top of his lungs, and said, "You people don't know ****, and I'll do what I want!".
Cue six months later, when someone at his firm got sick of him, logged in as him and PGP encrypted every one of his files, and he wanted us to crack them. Had to explain that a 2048 bit key would take quite some time. Ranting and raving got nothing, as the person who left also encrypted the backup tapes.
Quote:
I'll give the OP the benefit of the doubt, for now. Maybe this is a cleanup task. But as mentioned many times by people in this thread, SSH keys or SSH certificates are the way to go and the script's only task should be to deploy them.
I'm betting this is a homework question, personally.