SiteScope User's Guide


Using an External SSH Client

SiteScope can connect to remote servers using an external SSH client. On NT this client, plink.exe, is shipped with SiteScope. On UNIX and Linux, SiteScope can use a standard SSH client such as SunSSH or OpenSSH. Documentation on using the integrated Java client can be found at Java SSH Client. There are a number of possibilities and issues involved in using SSH for SiteScope monitoring.

Working with External SSH Clients

As noted previously, there are two versions of the SSH protocol: version 1 and version 2. Although both are Secure Shell protocols, they are two different protocols and are not compatible with each other. Some security vulnerabilities have been found in SSH1. This resulted in several changes in SSH2, which is considered the current standard. Most SSH software supports both protocols. However, to ensure that a request for an SSH connection uses SSH2 instead of SSH1, the SSH clients and SSH hosts must be configured to use the same protocol version between them. In many cases, SSH version 1 (SSH1) is the default version used for connections because it is considered the lowest common denominator between an SSH client and an SSH host.

There are two ways to force SSH2 connections. These are:

  1. Configure all SSH daemons or servers to accept only SSH2 connection requests
  2. Configure the SSH client on the SiteScope server to only make SSH2 requests

The first option is perhaps the most secure but may be the most time-consuming unless each server was configured for this option when it was installed and activated. The second option only requires changes to the client on the SiteScope server. For an external SSH client, this is usually controlled via the client settings. For more details on how to set the SiteScope PuTTY client to use SSH2, see the section Setting up SSH2 on SiteScope for Windows NT/2000 below.

Another part of SSH security is authentication. The integrated SSH client for SiteScope can be configured to use one of two authentication options. These are:

  • Password Authentication
  • Key Based Authentication

Password Authentication is the default method for SSH connections in SiteScope. Key Based Authentication adds an additional level of security through the use of a passphrase and public-private key authentication. See the following section for information on how to set up key based authentication for SSH connections.


Monitoring with SSH on Windows NT/2000

SiteScope for Windows NT/2000 includes an SSH client to handle connections to remote SSH-enabled servers. SiteScope includes the PuTTY SSH utilities for SSH connectivity to both UNIX and Windows NT/2000 servers. These utilities are found in the <SiteScope install path>/SiteScope/tools directory. By default, SiteScope SSH connections will use the SSH1 protocol (less secure) unless the server it is connecting to only accepts SSH2 sessions. To force SiteScope to use the SSH2 protocol (more secure), you will need to configure the SSH client on the machine where SiteScope is running, and possibly the SSH daemons/hosts on the remote servers, to communicate using the SSH2 protocol. For SiteScope on Windows NT/2000, configure the PuTTY SSH client utility and SiteScope as described below in the section Setting up SSH2 on SiteScope for Windows NT/2000.

More information about the PuTTY SSH client can be found at http://www.chiark.greenend.org.uk/~sgtatham/putty/ or http://www.openssh.org/windows.html.

Instructions for creating Public Keys using the PuTTYGen tool and using them are at http://www.tartarus.org/~owen/putty-docs/Chapter8.html.

NOTE: SSH uses DES, BLOWFISH, RSA or other public key cryptography for both connection and authentication. Public keys are stored on a per-user basis, so if you are using key-based logins instead of password-based logins, you should log in and run the PuTTYGen tool using the same account that will be used by the SiteScope service.

Testing SSH connectivity with PuTTY utilities

It is recommended that you test SSH connectivity from SiteScope on Windows to remote hosts using either the PuTTY.exe or plink.exe tools provided with SiteScope. This is also useful for troubleshooting connectivity. You can use either utility to test connectivity with an SSH host. The plink utility is run from the command line. The following are the steps to test connectivity with plink:

  1. Log on to your Windows machine as the user who runs the SiteScope service.
  2. Open a command window to the <SiteScope install path>\SiteScope\tools directory.
  3. Run plink with the syntax as follows:

    plink -ssh remoteuser@hostname

    where remoteuser is the login username for a valid user account on the hostname server.
  4. Follow the prompts in the terminal window to confirm that the remote login is successful. Log out of the terminal session when you are satisfied that the connection is working correctly.

If you want to use the SSH2 protocol for connections, you will need to use the PuTTY utility to configure the PuTTY client to use SSH2 instead of the default SSH1. This requires that you save session settings as described in the section Setting up SSH2 on SiteScope for Windows NT/2000 below. Once you have done this you can also use PuTTY to test SSH connectivity. The following are the steps for testing connectivity using PuTTY:

  1. Log on to your Windows machine as the user who runs the SiteScope service.
  2. Launch the PuTTY utility.
  3. From the Session tab or tree, select the Saved Session name of the remote connection you want to test and click the Load button to the right of the selection box.
  4. Click the Open button near the bottom of the dialogue box. This will launch a terminal emulation window.
  5. Follow the prompts in the terminal window to confirm that the remote login is successful. Log out of the terminal session when you are satisfied that the connection is working correctly.


Setting up SSH2 on SiteScope for Windows NT/2000

SiteScope for the Windows platform uses plink, part of the PuTTY suite of SSH tools, to create its SSH connections for remote monitoring. By default, the plink utility will use the SSH1 protocol if the server it is trying to connect to allows SSH1 connections. The SiteScope SSH client can be configured to use only the SSH2 protocol for connections. Making the change on the SiteScope machine may be easier than having to reconfigure a large number of remote SSH servers.

Setting up SiteScope for Windows NT/2000 to use only SSH2 to communicate with remote UNIX or remote NT/2000 servers requires two actions:

  1. Create settings in the SSH client on the SiteScope server to use only SSH2
  2. Modify SiteScope remote server connection profiles to use the SSH2 connection profile.

The following two sections describe the steps you use to force SiteScope to use SSH2 for connecting to remote servers.

Use the following steps to set up the PuTTY client on the SiteScope server to use only SSH2, using the PuTTY utility suite.

To set up PuTTY to use SSH2:

  1. Log on to the server where SiteScope is running as the user who runs the SiteScope service. To see which user this is, open your Services control panel, right-click the SiteScope service, select "Properties", and click the "Log On" tab.
  2. Find the PuTTY.exe tool in the <SiteScope install path>\SiteScope\tools directory. Alternately, you can download PuTTY from http://www.openssh.org/windows.html or http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.
  3. Launch the PuTTY utility by double-clicking the icon in the Windows Explorer (or typing putty in a command window with a path to the <SiteScope install path>\SiteScope\tools directory). No installation steps are needed. The PuTTY Configuration console opens.
  4. With the Session tab or tree selected, enter the hostname or IP address of the remote machine to be monitored in the Host Name box. Select the SSH radio button underneath the hostname in the Protocol section.
  5. Select the Connection tab or tree, and enter the username on the remote machine in the Auto-login username box. This should be a user account with permissions to monitor processes and hardware statistics on the remote server. Optionally, this user account might also have execution privileges to allow SiteScope to run scripts on the remote server.
  6. Select the SSH tab or tree under the Connection tree, and then choose the 2 radio button in the Preferred SSH Protocol Version section.
  7. Return to the Session tab again. In the Saved Sessions text box, enter a name for these settings. Any previously saved settings appear in the list box below.

    Note: The Saved Session name should not be a resolvable hostname on your network, nor can it contain a white space character. For instance, if these settings are for a machine named "myhost.mydomain.com", the session settings name cannot be "myhost", "myhost.mydomain.com", or "myhost settings" (the latter is not allowed because of the white space between the words). You might want to choose a name like "myhost-settings".

  8. Click the Save button. The name of your new settings should appear in the list of saved settings.

You will need to repeat this process to create settings for each remote machine you wish to monitor with SiteScope using SSH2.

Note: Be sure to make a note of the Saved Session name for each machine that you configure. You will need to enter this name into the SiteScope configuration file.

SiteScope Setup for SSH2:

Use the following steps to configure SiteScope to use SSH2 for connecting to remote UNIX or remote NT/2000 servers.

  1. Open SiteScope in a Web browser. Click the Preferences link.
  2. To set up SSH2 for a remote UNIX connection, click the UNIX Remotes link. To set up SSH2 for a remote NT/2000 connection, click the NT Remotes link. The corresponding Remote Servers page is displayed.
  3. Click the Add a Remote Machine link below the Remote Servers table. The Add Remote Server page is displayed.
  4. In the Server Address box, enter the name of the settings you saved. For example, to use the settings for myhost.mydomain.com that were created above, you would enter "myhost-settings" in the Server Address box.
  5. Select the applicable operating system of the target remote server in the OS drop-down list.
  6. Leave the Login box blank.
  7. Enter the password to log into the remote machine in the Password box.
  8. For UNIX Remotes: If the shell prompt for the remote UNIX server is something other than #, enter that prompt in the Prompt section.
  9. For UNIX Remotes: Leave the Login Prompt and Password Prompt boxes blank.
  10. Click the Add Only option. It is not necessary for SiteScope to test the connection at this point.
  11. Click the Add button to add the remote server profile.

    Note: The remote connection test will FAIL. If you selected the Add and Test option when adding the remote profile, you may see a message similar to the following error message:

    Connecting to myhost-settings...
    Waiting for prompt(#)...
    Unable to open connection:
    Host does not exist
    
    Remote command error: unknown host name (-997)
    

  12. Go to your <SiteScope install path>\SiteScope\groups directory and make a backup copy of the file called master.config. Rename the backup file to be master.config.SAV.
  13. Open the master.config file in a text editor, and locate the section of entries or lines beginning with the string _remoteMachine. If you have configured multiple remote server connections, there will be multiple entries that begin with this string. Locate the line that includes the string _host=myhost-settings, where myhost-settings is the name of the host settings you entered in the Server Address box in PuTTY Configuration tool.
  14. Add the following string to the end of that line:

    Note: This string must be entered on the same line. Do not add any carriage returns, new lines, or extra spaces.

    _sshCommand=<SiteScope install path>\tools\plink.exe_-ssh_$host$_-pw_$password$

    Replace <SiteScope install path> with the path to your SiteScope installation. For example, if SiteScope is installed at C:\SiteScope, the string would read:

    _sshCommand=C:\SiteScope\tools\plink.exe_-ssh_$host$_-pw_$password$

    The entire line, once you have finished modifications, should look similar to the following example.

    Note: This example wraps across multiple lines to fit on this page. When entering this setting into the SiteScope configuration file, be sure that it is entered all on a single line.

    _remoteMachine=_os=Linux _id=11 _trace= _method=ssh _password=(0x)MGJJKDKLKJNINPNJMJ _login= _host=myhost-settings _name= _sshCommand=C:\SiteScope\tools\plink.exe_-ssh_$host$_-pw_$password$

  15. Repeat this step to modify each _remoteMachine entry, using the applicable host name setting created for each host using the PuTTY Configuration tool in the previous section.
  16. Save and close the master.config file.
  17. Stop and restart the SiteScope service to force SiteScope to reload the manual changes you made to the master.config file.
  18. Open a Web browser to the SiteScope server.
  19. Click the Preferences link. The General Preferences page is displayed.
  20. If you are setting up SSH2 for remote UNIX connections, click the UNIX Remotes link. For SSH2 for remote NT/2000 connections, click the NT Remotes link. The corresponding Remote Servers page is displayed.
  21. For UNIX remotes, click the Detailed Test link in the Remote Servers Table for the UNIX Remote you configured to test the connection and verify that it works. For NT/2000 remotes, click the Test link in the Remote NT Servers Table for the NT Remote you configured to test the connection and verify that it works.

    Note: This test normally will take a few seconds to complete.
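
An added example (not part of the SiteScope guide or product): a Python check over master.config that flags SSH remotes where a step of the procedure above was missed, namely a missing plink _sshCommand, a non-blank _login, or a _host that resolves as a real hostname instead of a Saved Session name. The function names, the injectable resolves parameter, and the sample lines with _id=12 and _id=13 are assumptions made for this example.

```python
import socket

# Tail of the _sshCommand string given in step 14 of the guide.
REQUIRED_TAIL = "plink.exe_-ssh_$host$_-pw_$password$"

def parse_remote(line):
    """Split one _remoteMachine line into a {key: value} dict."""
    body = line.strip()[len("_remoteMachine="):]
    fields = {}
    for token in body.split():          # fields are separated by single spaces
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def dns_resolves(name):
    """Default resolver: True if the name resolves on this network."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def audit(config_text, resolves=dns_resolves):
    """Return (host, problem) pairs for SSH remotes that miss a step."""
    findings = []
    for line in config_text.splitlines():
        if not line.startswith("_remoteMachine="):
            continue
        f = parse_remote(line)
        if f.get("_method") != "ssh":
            continue
        host = f.get("_host", "")
        if not f.get("_sshCommand", "").endswith(REQUIRED_TAIL):
            findings.append((host, "no plink _sshCommand; saved session unused"))
        if f.get("_login"):
            findings.append((host, "_login should be blank"))
        if resolves(host):
            findings.append((host, "_host resolves; must be a Saved Session name"))
    return findings

# Constructed sample: the first line is the guide's example, the rest are made up.
SAMPLE = "\n".join([
    r"_remoteMachine=_os=Linux _id=11 _trace= _method=ssh _password=(0x)MGJJKDKLKJNINPNJMJ _login= _host=myhost-settings _name= _sshCommand=C:\SiteScope\tools\plink.exe_-ssh_$host$_-pw_$password$",
    "_remoteMachine=_os=Linux _id=12 _trace= _method=ssh _password=(0x)MGJJKDKLKJNINPNJMJ _login=monitor _host=myhost.mydomain.com _name=",
    "_remoteMachine=_os=Linux _id=13 _trace= _method=telnet _password= _login=x _host=other _name=",
])

if __name__ == "__main__":
    # Offline stand-in for DNS: treat any dotted name as resolvable.
    for host, problem in audit(SAMPLE, resolves=lambda h: "." in h):
        print(host, "-", problem)
```

Run it against the real file by passing the contents of master.config to audit() and leaving resolves at its default, so the Saved Session names are checked against the DNS the SiteScope server actually uses.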
