SiteScope User's Guide

SiteScope Monitoring via Secure Shell (SSH)

As network security is increasingly important, SiteScope supports a number of security capabilities. One of these is support for remote server monitoring using Secure Shell (SSH) connections. You can use SSH to connect to a server and automatically send a command, so that the server will run that command and then disconnect. This is useful for creating automated processing and scripting.

Secure Shell (SSH), sometimes known as Secure Socket Shell, is a UNIX-based command interface and protocol for securely getting access to a remote computer. It is widely used by network administrators to control Web and other kinds of servers remotely. SSH commands are encrypted and secure in several ways. Both ends of the client/server connection are authenticated using a digital certificate, and passwords are protected by encryption.

There are a number of possibilities and issues involved in using SSH for SiteScope Monitoring. This section describes:

SiteScope and SSH

As noted above, SSH uses a client-server architecture. Secure Shell client machines make requests of SSH daemons or servers on remote machines. Monitoring with SSH has two basic requirements:

  1. The servers that you want to have monitored by SiteScope using SSH need to have a SSH daemon (or server) installed and active
  2. The machine where SiteScope is running needs to be configured with a SSH client.

With the 7.8.1.1 release of SiteScope, there are two SSH client options for use on the server or machine where SiteScope is running. SiteScope now includes a SSH client written in Java and native to the SiteScope application code. This client eases the setup of SSH connections and generally uses fewer system resources than external SSH clients.

SiteScope for Windows NT/2000 also ships with a copy of the PuTTY SSH client and utilities. The PuTTY SSH client, plink.exe, can be used to enable SSH connectivity for SiteScope for Windows NT/2000. SiteScope for Solaris and Redhat Linux make use of the SSH utilities normally bundled with those operating systems or available for download.

The following table outlines the SSH connectivity options currently supported with SiteScope. See the notes below the table for important information about configuring and managing SSH connectivity.

SiteScope Platform and Client Options

Monitored Server Platform and Daemon
Windows PuTTY SSH client (included with SiteScope) or

UNIX / Linux

SSH host daemon (sshd - either proprietary or OpenSSH)

Integrated Java SSH Client (included with SiteScope)
UNIX / Linux SSH client (/usr/local/bin/ssh or usr/bin/ssh ) or

UNIX / Linux

SSH host daemon (sshd - either SunSSH, proprietary or OpenSSH)

Integrated Java SSH Client (included with SiteScope)
Windows PuTTY SSH client (included with SiteScope) or

Windows

  1. SSH server (cygwin OpenSSH)
  2. RemoteNTSSH.zip package (included with SiteScope, to be installed into the appropriate directory on the remote server)
Integrated Java SSH Client (included with SiteScope)

The following are important notes regarding the use of SSH in general and specific to using SSH and SiteScope.

Notes:

  1. There are two different versions of the SSH protocol: version 1 and version 2. Version 1 and version 2 are different protocols and are not compatible with each other. This means that the SSH clients and SSH hosts must be configured to use the same protocol version between them in order to communicate. In many cases, SSH version 1 (SSH1) is the default version used. Some security vulnerabilities have been found in SSH version 1. Also, the SSH1 protocol is not being developed anymore and SSH2 is being considered the current standard. We recommend using SSH version 2 (SSH2) for all SSH connections.
  2. The release version number of the SSH utilities and libraries you have installed must not be confused with the version of the SSH protocol that you want to be using. For example, OpenSSH release 3.5 supports both SSH1 and SSH2 protocols. The release version 3.5 does not mean that the libraries are using a SSH version 3.5 protocol. You must configure the OpenSSH software to use either SSH1 or SSH2.
  3. If you have set up SiteScope remote monitoring using SSH connections and then you make configuration changes or upgrades to the SSH daemon or server software deployed on remote servers in the environment, it may be necessary to reconfigure the SSH connectivity between the machine where SiteScope is running and the remote servers that were been monitoring.

Index

Configuring Remote UNIX Servers for SSH Monitoring

SiteScope for Solaris or Linux supports remote monitoring via SSH. Setting up the SSH hosts on the remote servers you want to monitor in the UNIX environment can be very involved and is beyond the scope of this document. Some suggested resources on installation of the OpenSSH daemon are http://www.sunfreeware.com/openssh.html (for Solaris) and http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-ssh-configfiles.html for Redhat Linux

The following are requirements for configuring remote UNIX servers for SSH monitoring with SiteScope in a UNIX environment:

  • Secure Shell daemons or servers (sshd) must be installed on each remote server you want to monitor with SiteScope. A SSH client must be installed on the server where SiteScope is running.
  • The SSH daemons on the remote servers must be running and the applicable communication ports must be open. For example, the default for SSH is port number 22.
  • When SiteScope invokes the ssh client process, it will search in both /usr/bin and /usr/local/bin for the ssh command. The ssh binaries must be in one of these two locations and SiteScope must have permissions to execute the ssh command.

You should verify SSH client-to-server connectivity from the machine where SiteScope is running to the remote machine you want to monitor. You should check SSH connectivity outside of the SiteScope application before setting up remote server connections using SSH in SiteScope. For example, if SiteScope is running on Solaris or Linux, using the following command line requests a ssh connection using SSH2 to the server remotehost:

ssh -2 remotehost

This normally will return text information that indicates the version of SSH protocol that is being used. Also, this will attempt to authenticate as the current user. Use the -l username switch to request a login as a different user.

For SiteScope running on Windows, see the section on Testing SSH connectivity with PuTTY utilities for information about testing SSH connectivity outside of the SiteScope application on Windows NT/2000 machines.

Once you have confirmed SSH connectivity, create or configure UNIX Remote settings in SiteScope to use SSH as the connection method.

Index

Configuring Remote NT Servers for SSH Monitoring

The default remote connection method used by SiteScope for NT-to-NT connectivity and monitoring in Windows NT/2000 networks is NetBIOS. While this has provided ease of connectivity, it does have several disadvantages. One is that NetBIOS is relatively vulnerable in terms of network security. Another is that it does not support remote execution scripts. Running commands on remote servers requires that scripts be executed locally with commands to the remote machine being written using the UNC syntax of remote servers. Even then, some parameters are not returned from the remote server via NetBIOS.

Starting in version 7.6, SiteScope supports monitoring of remote Windows NT/2000 servers using SSH. This technology has been tested with the OpenSSH binaries from Cygwin available at http://www.cygwin.com/ installed as the SSH server on the remote server.

Note: The Network Simplicity "OpenSSH on Windows" (support is reportedly to be discontinued) and the Cygwin SSH implementations have been shown to be incompatible with each other and should not both be installed on the same machine. If the Network Simplicity OpenSSH has been installed on a server you want to monitor with SiteScope, you should manually uninstall the Network Simplicity software before installing the Cygwin SSH.

Note: If there are more than one version of the Cygwin utilities or more than one SSH server installed on the SiteScope machine, there may be conflicts which prevent the SSH connections from working. An error message such as: "could not find entry point" is one indication of this kind of conflict. If you suspect this error, search the machine for multiple copies of cygwin1.dll. It may be necessary to remove all versions of the utilities and then reinstall only a single installation to resolve this problem.

There are two main steps for configuring remote NT Servers for SSH monitoring with SiteScope:

  1. Installation and Configuration of a SSH Server
  2. Installation of SiteScope SSH Files

1. Installation and Configuration of a SSH Server

In order to enable SiteScope monitoring using SSH, a SSH server must be installed and configured on each remote server you want SiteScope to connect to. There are two software packages generally available that will enable SSH capability. One is the Cygwin environment available from RedHat at http://www.cygwin.com/. Another package is the OpenSSH for Windows available at http://lexa.mckenna.edu/sshwindows/. The following sections describe the installation of OpenSSH servers on remote NT Servers:

Note: The following instructions assume that no other cygwin utilities are installed on the machine and that the machine has Internet access.

To install and configure a Cygwin OpenSSH server on Windows NT/2000 servers

  1. Create a System Environment variable as follows:
    CYGWIN = ntsec tty
    and add ;C:\cygwin\bin to your PATH variable
  2. Download the Cygwin setup program into a temporary folder such as C:\temp
  3. Run the downloaded setup program and choose the Install from Internet option. Select a suitable mirror site from the selection list when prompted.
  4. Select the packages to download by clicking on the plus (+) symbol to expand the directory trees and then clicking on the word Skip to the left of each of the following packages:

    • cygrunsrv from the Admin branch
    • cygwin-doc from the Doc branch
    • openssh from the Net branch
    • your choice of UNIX-style text editor from the Editors branch (for example: vim)

    Then click to download the files as prompted.
  5. Start up a cygwin terminal window and enter the command
    ssh-host-config -y. When presented with the CYGWIN= prompt, enter ntsec tty per the environment variable you set above.
  6. It is recommended that you change permissions and ownership of several cygwin files by typing the following five lines in the cygwin terminal command line (Exact syntax is required, including spaces, press Enter after each line entered):

    cd /; chmod -R og-w .
    chmod og+w /tmp
    touch /var/log/sshd.log
    chown system:system /var/log/sshd.log /var/empty /etc/ssh_h*
    chmod 755 /var/empty

  7. The SiteScope SSH client does not handle cygwin's default bash shell syntax so you need to change the default command environment or shell for the user account you will login to with SiteScope. To do this, create a symbolic link by typing the following in the cygwin terminal window:
    cd /bin
    ln -s /cygdrive/c/winnt/system32/cmd.exe .
  8. Use the UNIX-style text editor and edit the /etc/passwd file. Find the entry for the SiteScope login account you intend to use and change the shell from /bin/bash to /bin/cmd. This will normally be the last entry in the line. Save the changes.

Note: Any time that you run the mkpasswd -l /etc/passwd command (for example, when adding a new user) you will need to edit the /etc/passwd file again to make sure the shell is set to /bin/cmd for the account being used by SiteScope.

To install and configure an OpenSSH for Windows server on Windows NT/2000 servers

Note: The OpenSSH for Windows package is an alternative to the Cygwin SSH package. The Cygwin product may have changed since the documentation was added to SiteScope. There are also cases where some versions of the Cygwin SSH server have not returned the data needed for SiteScope monitoring. The OpenSSH for Windows package can solve this problem and you should use this package in place of the Cygwin package.

  1. Download and install the OpenSSH for Windows package.
  2. Open a command prompt and change to the installation directory (Program Files\OpenSSH is the default).
  3. Change the active directory to the OpenSSH\bin directory.
  4. Run the mkgroup utility to create a group permissions file. For local groups, use the -l switch. For domain groups, use the -d switch.

    Note: For both domain and local, it is best to run the command twice (remember to use >>, not >). If you use both, make sure to edit the file to remove any duplicate entires. Examples of the commands to use are as follows:

    mkgroup -l >> ..\etc\group (local groups)

    mkgroup -d >> ..\etc\group (domain groups)

  5. Run the mkpasswd utility to add authorized users into the passwd file. For local users, use the -l switch. For domain users, use the -d switch.

    Note: For both domain and local, it is best to run the command twice (remember to use >>, not >). If you use both, make sure to edit the file to remove any duplicate entires. Examples of the commands to use are as follows:

    mkpasswd -l -u username >> ..\etc\passwd (for local users)

    mkpasswd -d -u username >> ..\etc\passwd (domain users)

2. Installation of SiteScope SSH Files

SiteScope includes a set of files that must be installed on each remote NT server in order to enable certain commonly used server monitoring. Use the following steps to install a set of files that SiteScope needs to enable certain server level monitoring via SSH on remote NT Servers:

  1. Go to your SiteScope machine and find the file called RemoteNTSSH.zip in the <SiteScope install path>\SiteScope\tools directory. Copy this file to each of the remote Windows NT/2000 servers where you have installed the SSH host software.
  2. Unzip the RemoteNTSSH.zip file on the remote server. Place the contents of the zip file into the \cygwin\home\local_sitescope_username directory.
  3. Start the SSH service on the remote server. For example, to run the cygwin server type
    cygrunsrv -S sshd
    in the cygwin terminal window. The Cygwin SSH server will restart automatically whenever the machine is rebooted.

After you have completed the steps above, it is recommended that you test SSH connectivity from your SiteScope server by using plink.exe or PuTTY.exe as described in the section Testing SSH connectivity with PuTTY utilities. After confirming SSH connectivity between SiteScope and the remote server, you can set up NT Remote configurations as described in the User Guide and select SSH as the connection method.

Index

SiteScope SSH Client Connection Options

Once you have set up SSH servers or daemons on remote servers, you need to configure the SSH client that SiteScope will use to connect to the remote servers. As noted above, SiteScope includes two client options for SSH connectivity. The following presents an overview of the client options. More information about each option is included in the sections indicated.

  1. Configuring SiteScope to use the integrated Java SSH client

    As of version 7.8.1.1, SiteScope includes an integrated SSH client written in Java. This is the recommended option for SSH connectivity. One advantage of using this client option is that it uses fewer system resources than the external clients would use. Also, configuration of this client is simpler in some cases. To configure your remote using an external client see the section on Configuring SSH Using the Integrated Java Client.

  2. Configuring SiteScope to use an external SSH client

    SiteScope on NT ships with an third party SSH client called plink. Plink is one part of a set of SSH tools called known as PuTTY. SiteScope on UNIX and Linux relies on an already installed SSH client. To configure your remote using an external client see the section on Configuring SSH Using an External Client.

Index

image
Copyright © 2004 Mercury Interactive Corporation.
All rights reserved.

Documentation comments or suggestions?
Please send feedback to documentation@merc-int.com