Yes, all of my Hobbit clients have ssh authorized_keys set up to allow the Hobbit server in without password. In the case where I need to run a script on the Hobbit client under a different userid than 'hobbit', that other userid also has the Hobbit server's pubkey in its authorized_keys file. Alternately, you could use setuid scripts on the client (very unsecure), or use "expect" in your Hobbit server scripts and "sudo" on the client end to gain access to the userid you need. This second expect/sudo route is doable, but messy and requires you to have the 'hobbit' password from the client end stored on your server (not the most secure thing).
When coworkers ask me to use Hobbit to "fix" something on their client end I counsel them that Hobbit really is an alerting system and not a repairing system. But if they really want me to attempt an automated "repair", then they have to put my pubkey into their authorized_keys files, therefore giving me full access to their userid on the client machine. I also mandate that if they want me to restart a process, that I will only kill it. The restart must be their responsibility (using a local cronjob or whatever). This further insulates me from any political fallback regarding a failed automated repair attempt on an errant process. Further insulation for me is provided by me informing everyone (management too) that they can shut off my automated Hobbit repairs at any time, instantaneously, by simply removing my pubkey from their authorized_keys file(s). It's called "CYA" for when I am pressured to make Hobbit do something that it really wasn't designed for.
-----Original Message-----
From: Chris Wopat [mailto:chrisw at supranet.net]
Sent: Friday, April 11, 2008 12:51 PM
To: hobbit at hswn.dk
Subject: Re: [hobbit] Hobbit client executing a script to be proactive if a problem occurs?
Haertig, David F (Dave) wrote:
Here is how I execute a remote "pkill" on a client. Replace "client_server" with your client hostname, and replace "client_userid" with the userid (on the client) that you want to run the script (pkill) under. Also, set up ssh pubkey authentication between the Hobbit server and client so that ssh does not prompt you for a password.
hobbit_alerts.cfg:
<snip>
Thanks, this is exactly what I needed to get started. I can un-wrap the lines no problem, only a few were anyway.
I'm assuming you're using ssh keys? My current hobbit server installation (from FreeBSD ports) has no home dir set, so it looks like I'll have to set one to store its side of the keys.
--Chris
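The reply above notes that placing the server's pubkey in a client's authorized_keys gives full access to that userid. As an added example (not from this thread or the Hobbit project), the Python audit below flags authorized_keys entries that lack the sshd restrictions `command=`, `from=` and `restrict` or the `no-*` options; the sample file, the key placeholders and the `errantd` process name are constructed for illustration.

```python
import re
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")  # a line starting with a key type has no options
NO_FWD = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}

# Constructed sample: key blobs are placeholders, "errantd" is a hypothetical process name.
SAMPLE = """\
ssh-ed25519 AAAAPLACEHOLDER1 hobbit@monitor
restrict,from="192.0.2.10",command="/usr/bin/pkill -x errantd" ssh-ed25519 AAAAPLACEHOLDER2 hobbit@monitor
command="/usr/bin/pkill -x errantd",no-pty ssh-rsa AAAAPLACEHOLDER3 hobbit@monitor
"""

def split_options(line):
    """Return (options dict, rest of line); quoted values may hold spaces and commas."""
    if KEY_TYPE.match(line):
        return {}, line
    items, buf, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':
            buf, i = buf + '"', i + 1          # escaped quote inside a value
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            items, buf = items + [buf], ""
        elif ch in " \t" and not quoted:
            break                              # unquoted whitespace ends the options field
        else:
            buf += ch
        i += 1
    items.append(buf)
    opts = {name.lower(): value for name, _, value in (s.partition("=") for s in items)}
    return opts, line[i:].strip()

def audit(text):
    """Return [(line_no, key_comment, [problems])] for keys that are not locked down."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        opts, rest = split_options(raw.strip())
        label = (rest.split(None, 2)[2:] or ["(no comment)"])[0]
        problems = [msg for bad, msg in (
            ("command" not in opts, "no forced command: key gives a full shell"),
            ("from" not in opts, "no from= source restriction"),
            ("restrict" not in opts and not NO_FWD <= set(opts), "pty/forwarding not disabled"),
        ) if bad]
        if problems:
            findings.append((n, label, problems))
    return findings
```

Running `audit(SAMPLE)` reports the unrestricted key on line 1 and the partially restricted key on line 3, and passes the fully restricted entry on line 2.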