Like most system administrators with many machines in their herd, I need a way to mass-maintain my systems. There are of course quite a few tools for this job already available. Most are aimed at fancy enterprise setups where money is no problem, or large clusters where all your machines are the same. They usually also require a pre-installed client on the machine.
I don’t like daemons running on my server. If I had my way I’d turn everything on the servers off. Every open port is an extra door that needs to be secured and can contain holes.
For the public services I don’t have much choice, my boss wants to provide certain things to certain people. So those I can’t close.
On the administrative side I’ve got more control. Most of my servers now have 2 ‘backdoors’, SSH and Munin; both are secured. Still, I’d rather have 1 ‘backdoor’, certainly not 3.
Munin doesn’t allow you to control anything on the machine, only read, which is fine. None of the tools seem to provide a way to read Munin data, so those are out of the question. I used to use SSH + RSA keys; this gave way too much power to 1 machine in my network though.
So I came up with a simple solution. I haven’t found anything online that does this, but I haven’t looked very hard either.
A very limited shell: a configuration file defines what you can do (it can be updated remotely when given a password). It runs as a simple user; powers can be extended with sudo if desired. This still requires deployment of course, but I like its simplicity.
The script can be downloaded from here: http://u2m.nl/software/perl/mcp-client. It’s written in Perl and only depends on Digest::MD5, which is delivered by default in Perl 5.8 and later.
Comments & suggestions welcome, of course.
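
The allowlist idea described above (a configuration file that defines what the limited shell may run), sketched in Perl as an added example. It is not the mcp-client code; the config format, command names and paths are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration only: the config format, command names and paths are
# assumptions, not taken from mcp-client.
use strict;
use warnings;

# Constructed sample config: name | program with fixed args | regex for one optional argument
my $CONFIG = <<'END';
uptime   | /usr/bin/uptime     |
diskfree | /bin/df -h          |
taillog  | /usr/bin/tail -n 50 | ^/var/log/[A-Za-z0-9_-][A-Za-z0-9._-]*$
END

# Build the allowlist: command name => fixed argv plus optional argument pattern.
sub parse_config {
    my ($text) = @_;
    my %allowed;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;
        my @f = split /\|/, $line, 3;
        for (@f) { s/^\s+//; s/\s+$//; }
        my ($name, $cmd, $pattern) = @f;
        my @argv = split ' ', (defined $cmd ? $cmd : '');
        next unless @argv && $argv[0] =~ m{^/};   # absolute paths only, no PATH lookup
        my $re = (defined $pattern && length $pattern) ? qr/$pattern/ : undef;
        $allowed{$name} = { argv => \@argv, pattern => $re };
    }
    return \%allowed;
}

# Return the argv to execute, or nothing if the request is not on the allowlist.
sub resolve {
    my ($allowed, $request) = @_;
    my ($name, @args) = split ' ', $request;
    return unless defined $name && exists $allowed->{$name};
    my $entry = $allowed->{$name};
    if (@args) {
        # One argument at most, and only where the config supplies a pattern for it.
        return unless $entry->{pattern} && @args == 1 && $args[0] =~ $entry->{pattern};
    }
    return [ @{ $entry->{argv} }, @args ];
}

my $allowed = parse_config($CONFIG);
# Constructed requests; the last three must be refused.
for my $req ('uptime', 'taillog /var/log/syslog', 'taillog /etc/shadow', 'uptime; id', 'rm -rf /') {
    my $argv = resolve($allowed, $req);
    printf "%-26s => %s\n", $req, $argv ? "RUN  @$argv" : 'DENY';
    # To execute: system { $argv->[0] } @$argv;   # list form, no /bin/sh involved
}
```

Because the request is only ever matched against configured names and the program is run from a fixed argv, shell metacharacters in a request are never interpreted.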