Because I have expanded my local network with a Raspberry Pi 3 permanently, as that runs my DNS service, I had to work out a solution how I can execute remote commands there to run checks from my main server. I will explain it in this article.
Overview about the solution
What I wanted to reach to execute commands over SSH without typing password every single time as these checks are run from jobs by cron. I created new user on both server, called agent, then I generated SSH keys them and setup them as authorized keys. After it, I wrote a short script to make it easier in the “every day life”.
To perform the following steps, sudo authority is required!
User creation
Both server I have created an new user, called agent with the next command. Further commands was home directory and SSH directory.
sudo useradd agent mkdir /home/agent mkdir /home/agent/.ssh
Next step is to generate SSH keys. it can be done by ssh-keygen utility. It has several parameter options, I just simply used a basic option to generate it.
ssh-keygen -t rsa
During creation, do not specify password, leave that field empty. I have generated it onto the /home/agent/.ssh/id_rsa directory directly on both server.
What do we have now? We have agent user on both server. As we did not set password them, they are not logonable during SSH. We also have their SSH keys. Next step is to setup that they should “trust in each other” to prevent to ask password.
It can be by copy public key as authorized_keys in cross. I usually use rsync utility to copy files between systems, I did it now too:
On pihome system: rsync /home/agent/.ssh/id_rsa.pub [email protected]:/home/agent/.ssh/authorized_keys On atihome system: rsync /home/agent/.ssh/id_rsa.pub [email protected]:/home/agent/.ssh/authorized_keys
Last step is to setup ownership of their home directory on both server:
sudo chown -R agent:agent /home/agent
How can it be used?
Agent users can execute command on cross system by using SSH utility. Sample command what performs command on my Pi in remote:
sudo -u agent ssh [email protected] free -h
Although, agent users cannot login onto systems directly, as we did not specify their passwords, but as their “trust in each other” they can execute commands remotely. With sudo -u <username> command we can execute command behalf of other operators. This is the way how it generally works.
Note: at the first command, we need to type yes but later it will not ask anything.
You can also add agent users into sudoers.d directory if you mind and would like to execute sudo commands with them. Execute these commands on both machine:
su usermod -aG sudo agent echo "agent ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/010_agent-nopasswd
Let’s make it more comfortable
I wrote a short bash script, and saved it into /usr/share/monitor/rmtcmd.sh file. I made a link to /bin directory:
sudo ln -s /usr/share/monitor/rmtcmd.sh /bin/rmtcmd
This is there on both system and makes the cross command execution more handy for me. Syntax is simple for the command with some example
sudo rmtcmd <hostname> <command> sudo rmtcmd pihome.local df -h sudo rmtcmd atihome.local uname -a
Script is short, it does not takes too much. It checks that the user is root, checks that parameters are not empty, then execute the ssh command above.
#!/usr/bin/bash
if [[ $(whoami) != "root" ]]
then
echo "Only root can run it"
exit 20
fi
server=${1}
cmd=""
i=2
while [[ ${i} -le ${#} ]]
do
eval "actParm=\${$i}"
cmd="${cmd}${actParm} "
i=$((i + 1))
done
if [[ -z ${server} ]]
then
echo "No server is specified"
exit 20
fi
if [[ -z ${cmd} ]]
then
echo "No command is specified"
exit 20
fi
sudo -u agent ssh agent@${server} ${cmd}
exit 0
This script can be used easily (at least for me). It can be called in other scripts on in pipe lines. For example, to ask how much available memory my Pi has (in kB):
sudo rmtcmd pihome.local cat /proc/meminfo | grep "MemAvailable:" | awk '{print $2}'
Final words
This is, how I solved my problem. If you need similar function, I hope this small descriptiont helped you to run through and solved your similar problem too.
