ssh-cron - Online in the Cloud

This is the command ssh-cron that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

PROGRAM:

NAME


ssh-cron - cron-like daemon able to use ssh-connections

SYNOPSIS


ssh-cron [OPTIONS] [crontab-file]
[OPTIONS] - cf. section OPTIONS
[crontab-file] - file containing jobs to run.

DESCRIPTION


Consider the situation where a computer every now and then must access a remote computer
to do some useful things at that remote computer (like running a stealth(1) file integrity
scan). In order to do so the computer must be allowed to make ssh(1) connections to the
remote computer. But since the commands are not executed by the user but by cron(1), the
ssh-keys which are required to access the remote computer cannot use passphrases.

This is an undesirable situation: if the computer running the ssh commands gets
compromised, then the remote computers are compromised as well, since the attacker may
access these remote systems using ssh keys not requiring pass phrases.

Ssh-Cron offers a way out of this undesirable situation, while still allowing commands to
be executed on remote computers. Here’s how this is realized:

o Normally, ssh-cron runs as a daemon program. When ssh-cron starts it first reads
and parses a crontab-like specification file. Following this, ssh-cron spawns a
child process, and terminates.

o Ssh-Cron’s daemon process itself spawns an ssh-agent(1) child process, executing
all scheduled commands.

o In addition, ssh-cron’s daemon defines communcation channels between itself and its
ssh-agent(1) child process;

o Ssh-Cron’s daemon sends the command ssh-add(1) to its child process as its first
command to execute, and using normal user-interaction means (e.g., using
ssh-askpass(1)) ssh-agent is provided with the required passphrase(s) for the ssh
key(s).

o Ssh-Cron’s daemon now monitors the time, firing off scheduled commands at their
required moments in time. If these commands require access to remote computers,
then this access is granted, as ssh-agent is able to provide the passphrase(s).

o If an ssh-cron daemon process is already running, then the --reload option (see
below), can be used to load the ssh-cron daemon with the commands and environment
variable settings from another crontab-file, replacing the currently stored
commands and environment settings by the ones provided in the reloaded file.

When shell control characters (like redirection symbols) must be used in command
specifications, they should be escaped. E.g., as in echo hello world \> /dev/null.

Users sharing a computer each define their own ssh-cron specification file. When a user
logs out and leaves the system the daemon process continues to run, executing its
scheduled commands at their scheduled times, using ssh-keys whenever required.

If the accounts for which ssh-cron jobs are running are ever compromised, the remote
computers remain safe, as the passphrases of the available ssh-keys remain unavailable.

To prevent unauthorized modifications of the commands scheduled by the ssh-cron daemon
themselves a passphrase is required when starting ssh-cron’s daemon process. The
passphrase itself is not stored by the daemon (instead, it stores a sha256(1) hash value),
which avoids access to the ssh-cron daemon’s passphrase by browsing the computer’s memory.
The passphrase may be empty, but even then that empty passphrase must be provided when
reloading ssh-cron daemon’s scheduled commands. The scheduled commands may be listed,
however. This is allowed without providing a passphrase since the file containing the
scheduled commands will usually also be available on the computer. Likewise, since a user
may always terminate his/her own programs an ssh-cron daemon process can be terminated
from another ssh-cron program using the --terminate command line option.

The above-mentioned facilities are not supported by crontab(1) itself. Cron(1), which is
responsible for executing scheduled crontab commands, has no access to the passphrases of
ssh-keys (which are otherwise provided ssh-agent).

RETURN VALUE


Ssh-Cron returns 0 if the daemon was successfully started. Otherwise 1 is returned.

OPTIONS


Where available, single letter options are listed between parentheses following their
associated long-option variants. Single letter options require arguments if their
associated long options also require arguments.

Several options have default values. Run ssh-cron --help for an overview of the
implemented default option values. Also, several options can be specified in a
configuration file (where this doesn’t hold true, it is explicitly mentioned at the
relevant options).

The configuration file (not to be confused with the file containing the scheduled
commands, which is provided as ssh-cron command-line file argument) ignores empty lines
and all information on lines starting at a hash-mark (#, optionally preceded by blanks
and/or tabs). The configuration file is used to specify ssh-cron’s options using their
long variants. However, in the configuration file the initial hyphens of command-line
options must be omitted, and optionally a colon may be appended to these long options
names. Note that multi-word option arguments should not be surrounded by quotes. Examples:

stdout
syslog-facility: LOCAL0
mailer: /usr/bin/mail -s "some subject" me@myhost.warpnet.nl

Command-line options always override configuration file options.

o --agent=agent
absolute path to the agent program (plus its argument(s)) providing the ssh-keys.

By default /usr/bin/ssh-agent /bin/bash is used.

o --config=path (-c)
config file containing long option specifications.

By default ~/.ssh-cron is used.

This option cannot be specified in the configuration file.

o --forced (-f)
When restarting ssh-cron and an existing (leftover) ipc-file file exists, then the
user is interactively given the opportunity to remove the existing ipc-file during
daemon-startup.

o --help (-h)
basic usage information is written to the standard output stream (only interpreted
in combination with --no-daemon).

This option cannot be specified in the configuration file.

o --ipc-file=path (-p)
when ssh-cron runs as a daemon, then path specifies the path of the file holding
the daemon’s shared memory ID and process ID. The ipc file must be available if
ssh-cron is connecting to or starting a daemon process (the former situation occurs
with the options --list, --reload, and --terminate). If ssh-cron detects an
existing ipc-file at daemon startup and the option --forced was not specified, then
the user is interactively given the opportunity to remove the existing file. If the
existing ipc-file can or should not be removed, then the daemon is not started. To
end a daemon process use ssh-cron --terminate, or send a SIGINT (ctrl-C) or SIGTERM
signal to the process-id found as the second value in the ipc-file.

By default ~/.ssh-cron.ipc is used.

o --list (-l)
list the currently defined environment settings and cron-commands (the crontab-file
argument must be omitted). This option is incompatible with (--no-daemon,
--reload,) and --terminate.

This option cannot be specified in the configuration file.

o --log=path (-L)
log messages are appended to path. If path does not exist, it is created first.

o --mailer=command (-m)
information written to the standard output or standard error streams of the
commands executed by ssh-cron is sent by e-mail to the current user. Use --mailer
to redefine (or to suppress sending e-mail by specifying an empty mailer command
(i.e., --mailer "")).

By default /usr/bin/mail -s \"Ssh-cron $*\" $USER@localhost is used, with $*
replaced by the exected command as specified in the crontab file argument.

o --no-daemon
ssh-cron is not run as a daemon. To properly end ssh-cron if not running as a
daemon, press the `Enter’ key, enter ctrl-C or send ssh-cron a SIGTERM signal. This
option is incompatible with ( --list, --reload,) and --terminate.

This option cannot be specified in the configuration file.

o --reload (-r)
reload the ssh-cron daemon with de cron-commands defined in the crontab-file
argument (which must be provided). This option is incompatible with (--list,
--no-daemon,) and --terminate.

This option cannot be specified in the configuration file.

o --stdout (-s)
in addition to using a log file and syslog messages send all messages to the
standard output. This option is not available if ssh-cron runs as a daemon process.

This option cannot be specified in the configuration file.

o --syslog
messages are sent to the syslog daemon when this option is specified. By default
syslog messages are written to the DAEMON facility with priority NOTICE.

o --syslog-facility=facility
the facility that is used to write the syslog messages to. By default this is
DAEMON. For an overview of facilities and their meanings, see, e.g., syslog(3).
With ssh-cron the facilities DAEMON, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4,
LOCAL5, LOCAL6, LOCAL7, and USER can be used.

By default facility DAEMON is used.

o --syslog-priority=priority
the priority that is used to write the syslog messages to. By default this is
NOTICE. For an overview of priorities and their meanings, see, e.g., syslog(3).
With ssh-cron all defined priorities can be used. E.g., EMERG, ALERT, CRIT, ERR,
WARNING, NOTICE, INFO and DEBUG.

By default priority NOTICE is used.

o --syslog-tag=tag
syslog messages can be provided with a tag, which can be used to filter them from
the log-files. See also section RSYSLOG FILTERING below.

By default the tag SSH-CRON is used.

o --terminate (-t)
terminate a running ssh-cron daemon program, using the daemon’s process ID found in
the ipc-file’s second value. The crontab-file argument must be omitted. This option
is incompatible tt with (--list, --nodaemon,) and --reload . This option cannot be
specified in the configuration file.

o --verbose
additional messages about ssh-cron’s mode of operation are sent to ssh-cron’s log
facilities (specified by --log, --syslog, and/or --stdout).

o --version (-v)
ssh-cron’s version number is written to the standard output stream.

This option cannot be specified in the configuration file.

RSYSLOG FILTERING


When using rsyslogd(1) property based filters may be used to filter syslog messages and
write them to a file of your choice. E.g., to filter messages starting with the syslog
message tag (e.g., SSH-CRON) use

:syslogtag, isequal, "SSH-CRON:" /var/log/ssh-cron.log
:syslogtag, isequal, "SSH-CRON:" stop

Note that the colon is part of the tag, but is not specified with the syslog-tag option.

This causes all messages having the SSH-CRON: tag to be written on /var/log/ssh-cron.log
after which they are discarded. More extensive filtering is also supported, see, e.g.,
http://www.rsyslog.com/doc/rsyslog_conf_filter.html and
http://www.rsyslog.com/doc/property_replacer.html

Use ssh-cron online using onworks.net services



Latest Linux & Windows online programs