ssh-cron - cron-like daemon able to use ssh-connections
ssh-cron [OPTIONS] [crontab-file]
[OPTIONS] - cf. section OPTIONS
[crontab-file] - file containing jobs to run.
Consider the situation where a computer every now and then must
access a remote computer to do some useful things at that remote computer
(like running a stealth(1) file integrity scan). In order to do so
the computer must be allowed to make ssh(1) connections to the remote
computer. But since the commands are not executed by the user but by
cron(1), the ssh-keys which are required to access the remote
computer cannot use passphrases.
This is an undesirable situation: if the computer running the
ssh commands gets compromised, then the remote computers are
compromised as well, since the attacker may access these remote systems
using ssh keys not requiring pass phrases.
Ssh-Cron offers a way out of this undesirable situation,
while still allowing commands to be executed on remote computers.
Here’s how this is realized:
- o
- Normally, ssh-cron runs as a daemon program. When ssh-cron
starts it first reads and parses a crontab-like specification file.
Following this, ssh-cron spawns a child process, and
terminates.
- o
- Ssh-Cron’s daemon process itself spawns an
ssh-agent(1) child process, executing all scheduled commands.
- o
- In addition, ssh-cron’s daemon defines communcation channels
between itself and its ssh-agent(1) child process;
- o
- Ssh-Cron’s daemon sends the command ssh-add(1) to its
child process as its first command to execute, and using normal
user-interaction means (e.g., using ssh-askpass(1))
ssh-agent is provided with the required passphrase(s) for the ssh
key(s).
- o
- Ssh-Cron’s daemon now monitors the time, firing off
scheduled commands at their required moments in time. If these commands
require access to remote computers, then this access is granted, as
ssh-agent is able to provide the passphrase(s).
- o
- If an ssh-cron daemon process is already running, then the
--reload option (see below), can be used to load the
ssh-cron daemon with the commands and environment variable settings
from another crontab-file, replacing the currently stored commands
and environment settings by the ones provided in the reloaded file.
When shell control characters (like redirection symbols) must be
used in command specifications, they should be escaped. E.g., as in echo
hello world \> /dev/null.
Users sharing a computer each define their own ssh-cron
specification file. When a user logs out and leaves the system the daemon
process continues to run, executing its scheduled commands at their
scheduled times, using ssh-keys whenever required.
If the accounts for which ssh-cron jobs are running are
ever compromised, the remote computers remain safe, as the passphrases of
the available ssh-keys remain unavailable.
To prevent unauthorized modifications of the commands scheduled by
the ssh-cron daemon themselves a passphrase is required when starting
ssh-cron’s daemon process. The passphrase itself is not stored
by the daemon (instead, it stores a sha256(1) hash value), which
avoids access to the ssh-cron daemon’s passphrase by browsing
the computer’s memory. The passphrase may be empty, but even then
that empty passphrase must be provided when reloading ssh-cron
daemon’s scheduled commands. The scheduled commands may be listed,
however. This is allowed without providing a passphrase since the file
containing the scheduled commands will usually also be available on the
computer. Likewise, since a user may always terminate his/her own programs
an ssh-cron daemon process can be terminated from another
ssh-cron program using the --terminate command line
option.
The above-mentioned facilities are not supported by
crontab(1) itself. Cron(1), which is responsible for executing
scheduled crontab commands, has no access to the passphrases of ssh-keys
(which are otherwise provided ssh-agent).
Ssh-Cron returns 0 if the daemon was successfully started.
Otherwise 1 is returned.
Where available, single letter options are listed between
parentheses following their associated long-option variants. Single letter
options require arguments if their associated long options also require
arguments.
Several options have default values. Run ssh-cron --help
for an overview of the implemented default option values. Also, several
options can be specified in a configuration file (where this doesn’t
hold true, it is explicitly mentioned at the relevant options).
The configuration file (not to be confused with the file
containing the scheduled commands, which is provided as ssh-cron
command-line file argument) ignores empty lines and all information on lines
starting at a hash-mark (#, optionally preceded by blanks and/or
tabs). The configuration file is used to specify ssh-cron’s
options using their long variants. However, in the configuration file the
initial hyphens of command-line options must be omitted, and optionally a
colon may be appended to these long options names. Note that multi-word
option arguments should not be surrounded by quotes. Examples:
stdout
syslog-facility: LOCAL0
mailer: /usr/bin/mail -s "some subject" me@myhost.warpnet.nl
Command-line options always override configuration file options.
- o
- --agent=agent
absolute path to the agent program (plus its argument(s)) providing the
ssh-keys.
- By default /usr/bin/ssh-agent /bin/bash is used.
- o
- --config=path (-c)
config file containing long option specifications.
- By default ~/.ssh-cron is used.
- This option cannot be specified in the configuration file.
- o
- --forced (-f)
When restarting ssh-cron and an existing (leftover) ipc-file file
exists, then the user is interactively given the opportunity to remove the
existing ipc-file during daemon-startup.
- o
- --help (-h)
basic usage information is written to the standard output stream (only
interpreted in combination with --no-daemon).
- This option cannot be specified in the configuration file.
- o
- --ipc-file=path (-p)
when ssh-cron runs as a daemon, then path specifies the path
of the file holding the daemon’s shared memory ID and process ID.
The ipc file must be available if ssh-cron is connecting to or
starting a daemon process (the former situation occurs with the options
--list, --reload, and --terminate). If ssh-cron
detects an existing ipc-file at daemon startup and the option
--forced was not specified, then the user is interactively given
the opportunity to remove the existing file. If the existing ipc-file can
or should not be removed, then the daemon is not started. To end a daemon
process use ssh-cron --terminate, or send a SIGINT
(ctrl-C) or SIGTERM signal to the process-id found as the second
value in the ipc-file.
- By default ~/.ssh-cron.ipc is used.
- o
- --list (-l)
list the currently defined environment settings and cron-commands (the
crontab-file argument must be omitted). This option is incompatible
with (--no-daemon, --reload,) and --terminate.
- This option cannot be specified in the configuration file.
- o
- --log=path (-L)
log messages are appended to path. If path does not exist, it
is created first.
- o
- --mailer=command (-m)
information written to the standard output or standard error streams of the
commands executed by ssh-cron is sent by e-mail to the current
user. Use --mailer to redefine (or to suppress sending e-mail by
specifying an empty mailer command (i.e., --mailer
"")).
- By default /usr/bin/mail -s \"Ssh-cron $*\"
$USER@localhost is used, with $* replaced by the exected
command as specified in the crontab file argument.
- o
- --no-daemon
ssh-cron is not run as a daemon. To properly end ssh-cron if
not running as a daemon, press the `Enter’ key, enter ctrl-C
or send ssh-cron a SIGTERM signal. This option is
incompatible with ( --list, --reload,) and --terminate.
- This option cannot be specified in the configuration file.
- o
- --reload (-r)
reload the ssh-cron daemon with de cron-commands defined in the
crontab-file argument (which must be provided). This option is
incompatible with (--list, --no-daemon,) and --terminate.
- This option cannot be specified in the configuration file.
- o
- --stdout (-s)
in addition to using a log file and syslog messages send all messages to the
standard output. This option is not available if ssh-cron runs as a
daemon process.
- This option cannot be specified in the configuration file.
- o
- --syslog
messages are sent to the syslog daemon when this option is specified. By
default syslog messages are written to the DAEMON facility with
priority NOTICE.
- o
- --syslog-facility=facility
the facility that is used to write the syslog messages to. By default this
is DAEMON. For an overview of facilities and their meanings, see,
e.g., syslog(3). With ssh-cron the facilities DAEMON,
LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7, and
USER can be used.
- By default facility DAEMON is used.
- o
- --syslog-priority=priority
the priority that is used to write the syslog messages to. By default this
is NOTICE. For an overview of priorities and their meanings, see,
e.g., syslog(3). With ssh-cron all defined priorities can be
used. E.g., EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO and
DEBUG.
- By default priority NOTICE is used.
- o
- --syslog-tag=tag
syslog messages can be provided with a tag, which can be used to
filter them from the log-files. See also section RSYSLOG
FILTERING below.
- By default the tag SSH-CRON is used.
- o
- --terminate (-t)
terminate a running ssh-cron daemon program, using the
daemon’s process ID found in the ipc-file’s second value.
The crontab-file argument must be omitted. This option is
incompatible tt with (--list, --nodaemon,) and --reload . This
option cannot be specified in the configuration file.
- o
- --verbose
additional messages about ssh-cron’s mode of operation are
sent to ssh-cron’s log facilities (specified by --log,
--syslog, and/or --stdout).
- o
- --version (-v)
ssh-cron’s version number is written to the standard output
stream.
- This option cannot be specified in the configuration file.
When using rsyslogd(1) property based filters may be used
to filter syslog messages and write them to a file of your choice. E.g., to
filter messages starting with the syslog message tag (e.g., SSH-CRON)
use
:syslogtag, isequal, "SSH-CRON:" /var/log/ssh-cron.log
:syslogtag, isequal, "SSH-CRON:" stop
Note that the colon is part of the tag, but is not specified with
the syslog-tag option.
This causes all messages having the SSH-CRON: tag to be
written on /var/log/ssh-cron.log after which they are discarded. More
extensive filtering is also supported, see, e.g.,
http://www.rsyslog.com/doc/rsyslog_conf_filter.html and
http://www.rsyslog.com/doc/property_replacer.html
cron(1), crontab(1), crontab(5), ,
rsyslogd(1), ssh(1), ssh-add(1), ssh-agent(1),
ssh-askpass(1), stealth(1), syslog(3)
This is free software, distributed under the terms of the `GNU
General Public License’. Copyright remains with the author.
ssh-cron is available at
https://fbb-git.github.io/ssh-cron/.
Center for Information Technology, University of Groningen.
Frank B. Brokken (f.b.brokken@rug.nl).