views:

736

answers:

4

I have a Perl Expect.pm script that does some moderately complex stuff like packaging applications, deploying the application, checking for logs, etc. on multiple remote unix hosts.

My predecessor had written similar scripts using rsh.

Is there a better approach between the two? Or should I use something all together different?

I am guessing somebody will bring up SSH; it's basically replacement for rsh, right? Unfortunately, however SSH is not an option for me right now.

Another thing I should add is that after logging in I need to be able to SUDO to a particular user to do most of the actions on the remote hosts.

+2  A: 

They do different things. Expect is a way to script what would otherwise be manual responses. rsh -- remote shell, not restricted shell, an unfortunate name clash -- allows you to run commands remotely on another system.

That said, the security holes and other disadvantages of using rsh to do remote commands, run sudo, etc, are immense.

Charlie Martin
But expect also allows to telnet to remote system, this is how I am currently using it, so it seems it does everything that rsh does, and more. So why would I ever use rsh?
Ville M
Please God, you won't. Sadly, telnet raises the same issues -- like your password wandering about in your telnet session in cleartext.
Charlie Martin
true, I knew the issue of security would come up, in fact one of the reason I like the perl expect, is that I can simply change the initial login line from telnet to SSH soon as I have it available and at that point rest of my script should continue to work as it was. So basically you can see no reason for using rsh at this point?
Ville M
I'd say if you have working scripts that you're satisfied with, I wouldn't change them. There are better ways of doing this kind of thing than *either* expect or rsh, but they'd mean reworking your process.
Charlie Martin
Any pointers on what you have in mind as far as "better"?Just for future reference, you are right I won't necessarily change existing stuff but I'd like to know what alternatives are.
Ville M
It really depends on what you're doing, and what environment it is. In Solaris-world we do a lot of jumpstarts and rsyncs.
Charlie Martin
Problem is that it's mixed environment, there is solaris HP-UX and even some linux, so whatever I write needs to work between all platforms. So basically different components of the app such as DB and app-server etc may run on different platforms.
Ville M
+2  A: 

Given a choice between rsh and telnet via expect, I would chose rsh. Expect scripts are fragile. All it takes to break one is someone changing the value of PS1 on the remote machine. Using rsh also prepares you for the day you will finally enter the '90s and start using ssh (since you can mostly just change rcp to scp and rsh to ssh and everything still works).

Chas. Owens
interesting, sort of contrary to what I was concluding in comments to Charlie above. So what about the sudo issue, I need to sudo to different user after login and potentially pass-in password again, can rsh do that?
Ville M
I think you're still confounding what the different things do. rsh will do anything you can do at the command line, so yeah you can send a sudo over the wire. expect can process a dialogue over a telnet as well as locally. I'm not a big perl fan, so I wouldn't lean toward rsh, but even better I'd think of something more robust. That would require knowing more about the task, though.
Charlie Martin
"rsh sudo command" works just fine if sudo is setup correctly. The trick with sudo is to whitelist those commands the user is allowed to run (e.g. "user machine nopasswd start_thing, stop_thing, get_thing_status") rather than giving the user carte blanche access.
Chas. Owens
whoops, that should be "rsh machine sudo command"
Chas. Owens
"if sudo is setup correctly". This is something the root/admin on the box needs to set up, right? These white listed commands is not an account level setup, is it? reason I ask is that in our environment getting admins to change anything is long arduous process.....
Ville M
Yes, setting up sudo is a system administrator task.
Max Lybbert
+4  A: 

Another thing I should add is that after logging in I need to be able to SUDO to a particular user to do most of the actions on the remote hosts.

To address this one particular point: using rsh (or ssh) you can specify which user to become in the remote session:

$ rsh -l username hostname

There's no need to use sudo in this case. Now would definitely be the time to look into ssh due to security issues. The syntax is the same, but ssh also allows a slightly different (and I'd say better) syntax:

$ ssh username@hostname

I found expect to be too finicky, but my experience with it is not substantial.

Jon Ericson
I believe this won't work with expect "rsh -l username hostname" because the acct I need to sudo into can't be used as login account, or is there something I am missing?
Ville M
Sorry, comment above, I met to say won't work with RSH.
Ville M
Ok. It probably won't work. But in that case, I'd say using sudo is probably an end-around an established security policy. Yet another reason to look at ssh.
Jon Ericson
+1  A: 

I can see multiple ways of doing this:

  • Expect over telnet, rsh, or ssh
    • pros: single connection, fewer escaping issues
    • cons: fragility in a changing environment
  • rsh/ssh each command individually
    • pros: fewer escaping issues, more reliable in a changing environment
    • cons: each connection takes time for authentication, and, for ssh, handshaking the encryption
  • rsh/ssh all commands at once
    • pros: single connection (less overhead), more reliable than expect
    • cons: fragility in maintenance especially as you get more than a handful of statements in there, escaping issues are more prevalent (escape in perl so that it's still escaped by rsh/ssh so that it's still escaped by the remote shell so that it's properly handled by the sudo'd remote shell?)
  • rsh/ssh and run a script
    • pros: single connection, more reliable, more maintainable
    • cons: finding a way to get it over there (rcp/scp work, NFS works, you need to determine the best way for you).

All things considered, this is the most minor con as you could simply do something like

 open my $fh, "|ssh user@host 'cat > /tmp/myscript'";
 print $fh $script;
 system qw(ssh user@host), "chmod u+x /tmp/myscript; /tmp/myscript; rm /tmp/myscript";

Of course, you'd add in some error handling (failed open, what if /tmp/myscript exists, etc.), but that's the idea.

Tanktalus
This is a great answer, +1 for that. Only disadvantage compared to expect with the approach you highlight in the end is that it will take not take care of things that prompt for something on the destination host, ofcourse the script could include those parts in a local expect script, but that means that every destination has to have expect installed(or expect.pm). Did I understand your approach correctly?
Ville M