Hi,
Thanks very much for the reply – I got it to work.
FYI, my config now looks like this:
On the hobbit server:
bb-hosts:
x.x.x.x servername # ssh-tunnel
hobbitlaunch.cfg:
[ssh-tunnel]
ENVFILE /usr/lib/hobbit/server/etc/hobbitserver.cfg
CMD $BBHOME/ext/ssh-tunnels.sh
LOGFILE $BBSERVERLOGS/ssh-tunnels.log
INTERVAL 1m
ssh-tunnels.sh script location and permissions:
-rwxr-xr-x 1 root root 5469 Aug 15 09:05 /usr/lib/hobbit/server/ext/ssh-tunnels.sh
On the client in the DMZ:
/usr/lib/hobbit/client/etc/hobbitclient.cfg:
BBDISP="127.0.0.1"
I wasn’t sure about this, but when trying to restart hobbit-client, it insists on “Please configure HOBBITSERVERS in /etc/default/hobbit-client”, so I changed it as follows:
/etc/default/hobbit-client:
HOBBITSERVERS="127.0.0.1"
Then I noticed that var/log/hobbit/ssh-tunnels.log on the server reports “ssh:servername: Name or service not known”, so I added an entry to the hobbit server’s hosts file in /etc/hosts:
x.x.x.x servername
Then I noticed that var/log/hobbit/ssh-tunnels.log reports “Host key verification failed.”, so I ran the following command once (as the hobbit user) to add the client’s host key to the server’s known_hosts file:
su - hobbit
$ ssh servername
After restarting the hobbit-client and the hobbit server, the web page updated correctly.
I can verify that the ssh tunnel is up:
ps -ef | grep ssh
hobbit 2187 1 0 09:59 ? 00:00:00 ssh -fnNR 1984:hobbit:1984 servername
Thanks a lot for your help.
Johan
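As an added example, not the ssh-tunnels.sh from the thread or the trantor.org add-on, here is a POSIX shell sketch of the job a server-side tunnel script does: read the hosts tagged ssh-tunnel from bb-hosts, check the process list for an existing reverse tunnel, and restart the missing ones. The BatchMode and ExitOnForwardFailure options are my assumption; they make the "Host key verification failed" and missing-key cases fail immediately in the log rather than hang on a prompt. Hostnames, addresses and file locations are constructed.

```shell
#!/bin/sh
# Added example (not the thread's ssh-tunnels.sh): find which reverse tunnels
# from the hobbit server to ssh-tunnel tagged DMZ hosts are missing and
# (re)start them. Paths and sample data are constructed for illustration.
BBPORT="${BBPORT:-1984}"
# tunnel_hosts FILE: hostname of every bb-hosts line tagged ssh-tunnel.
# Tags follow the '#' after "IP hostname", so scan fields 3 onward.
tunnel_hosts() {
    awk '$1 ~ /^[0-9.]+$/ {
        for (i = 3; i <= NF; i++) if ($i == "ssh-tunnel") { print $2; break }
    }' "$1"
}
# tunnel_up HOST PSFILE: succeed if PSFILE (a saved "ps -ef" listing) shows a
# reverse tunnel for BBPORT whose last argument is HOST.
tunnel_up() {
    grep -q -- "ssh -fnNR ${BBPORT}:.* $1\$" "$2"
}
# tunnel_cmd HOST: command that opens the tunnel. BatchMode makes a missing key
# or unverified host key fail at once (and show in the log) instead of hanging
# on a prompt; ExitOnForwardFailure turns a port clash into a failure too.
tunnel_cmd() {
    echo "ssh -fnNR ${BBPORT}:127.0.0.1:${BBPORT} -o BatchMode=yes -o ExitOnForwardFailure=yes $1"
}
# missing_tunnels BBHOSTS PSFILE: tagged hosts with no tunnel running.
missing_tunnels() {
    tunnel_hosts "$1" | while read -r h; do
        tunnel_up "$h" "$2" || echo "$h"
    done
}
# start_missing BBHOSTS PSFILE: log and (re)start each missing tunnel;
# with DRYRUN set, only print the commands.
start_missing() {
    missing_tunnels "$1" "$2" | while read -r h; do
        cmd=$(tunnel_cmd "$h")
        echo "$(date '+%F %T') tunnel to $h is down, running: $cmd"
        [ -n "$DRYRUN" ] || $cmd
    done
}

# Constructed sample inputs so the functions can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/bb-hosts" <<'EOF'
10.0.0.1 hobbitserver # BBDISPLAY BBPAGER
192.0.2.10 dmzhost1 # noconn ssh-tunnel
192.0.2.11 dmzhost2 # noconn ssh-tunnel
EOF
cat > "$SAMPLE_DIR/ps.txt" <<'EOF'
hobbit 2187 1 0 09:59 ? 00:00:00 ssh -fnNR 1984:hobbit:1984 dmzhost1
EOF
DRYRUN=1 start_missing "$SAMPLE_DIR/bb-hosts" "$SAMPLE_DIR/ps.txt"
```

Run from hobbitlaunch.cfg on the server it only reports dmzhost2 as down, because the sample process list already has a tunnel to dmzhost1.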
From: Lennon, Padraig [mailto:Padraig.Lennon at pioneerinvestments.com] Sent: 17 August 2008 12:41 To: hobbit at hswn.dk Subject: RE: [hobbit] need help in monitoring edmz client
Hi Johan,
The script should be used on the hobbit server, NOT the client side as you are checking that the link from the server to the client is ok. It is bad practice to run the software as root. You should really use a dedicated user for the installs of hobbit.
You should set up ssh public/private keys between the hobbit application user (normally hobbit or something similar) and whatever user you used on the client. This is normally hobbit too.
An example of the bb-host entry is the following:
0.0.0.0 server.domain.com # noconn ssh-tunnel
(You should leave the noconn there if you do not allow outgoing pings to the DMZ host.)
This is an example of my client hobbitclient.cfg file (at the top) - change the BBDISP (this may have changed in 4.3??):
# Environment settings for the Hobbit client.
BBDISP="127.0.0.1" # IP address of the Hobbit server
regards
Padraig Lennon
Senior Systems Engineer
Production Services
Pioneer Global Investments (Dublin)
5th Floor Georges Quay Plaza, Dublin 2
ext: 2081
Direct dial: 00353 1 480 2081
From: Johan Booysen [mailto:johan at matrix-data.co.uk] Sent: 15 August 2008 11:22 To: hobbit at hswn.dk Subject: RE: [hobbit] need help in monitoring edmz client
I wonder if you’d mind helping me out on this.
I’ve followed the instructions on http://www.trantor.org/theshire/doku.php/addons:ssh_tunnel, but must be missing something somewhere.
I’ve got the following:
Password-less ssh between the server and the clients (for both hobbit and root users, to be sure).
The ssh-tunnels script copied to the appropriate location, chmodded to 750:
-rwxr-xr-x 1 root root 5469 Aug 15 09:05 /usr/lib/hobbit/server/ext/ssh-tunnels.sh
Added the following to /usr/lib/hobbit/server/etc/hobbitlaunch.cfg:
[ssh-tunnel]
ENVFILE /usr/lib/hobbit/server/etc/hobbitserver.cfg
CMD $BBHOME/ext/ssh-tunnels.sh
LOGFILE $BBSERVERLOGS/ssh-tunnels.log
INTERVAL 1m
Appended the following to client entries in bb-hosts (deliberately trying both ssh_tunnels and ssh_tunnel):
10.2.0.5 servername ssh_tunnels
10.2.0.6 servername ssh_tunnel
On the clients I’ve got this in /etc/default/hobbit-client:
HOBBITSERVERS="127.0.0.1"
So the one thing I’m missing is where to set BBDISPLAY to 127.0.0.1 on the client. Is this different from having HOBBITSERVERS="127.0.0.1" in /etc/default/hobbit-client?
Restarted the hobbit server, but the above doesn’t seem to be doing the trick. /var/log/hobbit/ssh-tunnels.log is empty at this stage.
Would appreciate it if you could tell me if I’ve missed out on something somewhere, or the best way of troubleshooting this. The way I’ve done it before, with the ssh tunnels being established via /etc/rc.local, does not appear to work out as well as I thought it would.
Thanks.
From: Lennon, Padraig [mailto:Padraig.Lennon at pioneerinvestments.com] Sent: 14 August 2008 17:05 To: hobbit at hswn.dk Subject: RE: [hobbit] need help in monitoring edmz client
Not sure if this is of any use to you Johan..
I have a server side script which controls the ssh tunnels to my windows/*nix clients which are in the DMZ
Basically it requires that you put a tag at the end of the client name in bb-hosts called ssh-tunnel
It’s hardly a work of art but it works ok for us.. If it sees the connection is down it will warn and continue to retry the connection..
Hope this helps..
regards
Padraig Lennon
Senior Systems Engineer
Production Services
Pioneer Global Investments (Dublin)
5th Floor Georges Quay Plaza, Dublin 2
ext: 2081
Direct dial: 00353 1 480 2081
From: Johan Booysen [mailto:johan at matrix-data.co.uk] Sent: 14 August 2008 16:57 To: hobbit at hswn.dk Subject: RE: [hobbit] need help in monitoring edmz client
I want to be able to monitor 2 hosts in the dmz.
Having su -c "ssh hobbit@hobbitclient -T -n -N -g -x -R1984:127.0.0.1:1984" hobbit in /etc/rc.local seems to work for the first host. I added a second line like that for a second host, but it doesn’t work for the second host unless I execute the command manually – at which point both dmz hosts report back.
Does anyone know why this is happening and how I can get it to work?
Thanks.
From: Johan Booysen [mailto:johan at matrix-data.co.uk] Sent: 14 August 2008 14:02 To: hobbit at hswn.dk Subject: RE: [hobbit] need help in monitoring edmz client
This works for me (RHEL5 machines), if it helps anyone else. Any comments most welcome:
Create the .ssh folder (on both the hobbit server and the hobbit client) in /var/lib/hobbit as root, chown it to hobbit:hobbit, and chmod it to 700.
On the hobbit server, now as the hobbit user:
Generate a private/public keypair with an empty password:
$ pwd
/var/lib/hobbit
$ ssh-keygen -t dsa
Copy the generated public key to the hobbit client:
$ scp .ssh/id_dsa.pub hobbit@hobbitclient:/var/lib/hobbit
On the hobbit client:
Rename the public key:
$ mv id_dsa.pub authorized_keys
Copy the authorized_keys file to the user’s .ssh directory.
$ mv authorized_keys .ssh/
Check that the authorized_keys file has the following permissions:
-rw-r--r-- 1 hobbit hobbit 603 Aug 14 12:16 authorized_keys