ssh-cron - cron-like daemon able to use ssh-connections
SYNOPSIS
ssh-cron [OPTIONS] [crontab-file]
[OPTIONS] - cf. section OPTIONS
[crontab-file] - file containing jobs to run.
DESCRIPTION
Consider the situation where a computer every now and then must access a
remote computer to do some useful things at that remote computer (like running
a stealth(1) file integrity scan). In order to do so the computer must be
allowed to make ssh(1) connections to the remote computer. But since the
commands are not executed by the user but by cron(1), the ssh-keys which
are required to access the remote computer cannot use passphrases.
This is an undesirable situation: if the computer running the ssh commands
gets compromised, then the remote computers are compromised as well, since the
attacker may access these remote systems using ssh keys not requiring pass
phrases.
Ssh-Cron offers a way out of this undesirable situation, while still allowing
commands to be executed on remote computers. Here's how this is realized:
Normally, ssh-cron runs as a daemon program. When ssh-cron starts it first
reads and parses a crontab-like specification file. Following this,
ssh-cron spawns a child process, and terminates.
Ssh-Cron's daemon process itself spawns an ssh-agent(1) child
process, executing all scheduled commands.
In addition, ssh-cron's daemon defines communcation channels between
itself and its ssh-agent(1) child process;
Ssh-Cron's daemon sends the command ssh-add(1) to its child process as
its first command to execute, and using normal user-interaction means
(e.g., using ssh-askpass(1)) ssh-agent is provided with the
required passphrase(s) for the ssh key(s).
Ssh-Cron's daemon now monitors the time, firing off scheduled commands at
their required moments in time. If these commands require access to
remote computers, then this access is granted, as ssh-agent is able
to provide the passphrase(s).
If an ssh-cron daemon process is already running, then the --reload
option (see below), can be used to load the ssh-cron daemon with the
commands and environment variable settings from another
crontab-file, replacing the currently stored commands and
environment settings by the ones provided in the reloaded file.
When shell control characters (like redirection symbols) must be used in
command specifications, they should be escaped. E.g., as in echo hello
world \> /dev/null.
Users sharing a computer each define their own ssh-cron specification file. When a
user logs out and leaves the
system the daemon process continues to run, executing its scheduled commands
at their scheduled times, using ssh-keys whenever required.
If the accounts for which ssh-cron jobs are running are ever compromised,
the remote computers remain safe, as the passphrases of the available
ssh-keys remain unavailable.
To prevent unauthorized modifications of the commands scheduled by the ssh-cron
daemon themselves a passphrase is required when starting ssh-cron's daemon
process. The passphrase itself is not stored by the daemon (instead, it
stores a sha256(1) hash value), which avoids access to the ssh-cron daemon's
passphrase by browsing the computer's memory. The passphrase may be empty,
but even then that empty passphrase must be provided when reloading ssh-cron
daemon's scheduled commands. The scheduled commands may be listed,
however. This is allowed without providing a passphrase since the file
containing the scheduled commands will usually also be available on the
computer. Likewise, since a user may always terminate his/her own programs an
ssh-cron daemon process can be terminated from another ssh-cron program using the
--terminate command line option.
The above-mentioned facilities are not supported by crontab(1) itself.
Cron(1), which is responsible for executing scheduled crontab commands,
has no access to the passphrases of ssh-keys (which are otherwise provided
ssh-agent).
RETURN VALUE
Ssh-Cron returns 0 if the daemon was successfully started. Otherwise 1 is
returned.
OPTIONS
Where available, single letter options are listed between parentheses
following their associated long-option variants. Single letter options require
arguments if their associated long options also require arguments.
Several options have default values. Run ssh-cron --help for an overview
of the implemented default option values. Also, several options can be
specified in a configuration file (where this doesn't hold true, it is
explicitly mentioned at the relevant options).
The configuration file (not to be confused with the file containing the
scheduled commands, which is provided as ssh-cron command-line file argument)
ignores empty lines and all information on lines starting at a hash-mark
(#, optionally preceded by blanks and/or tabs). The configuration file is
used to specify ssh-cron's options using their long variants. However, in the
configuration file the initial hyphens of command-line options must be
omitted, and optionally a colon may be appended to these long options
names. Note that multi-word option arguments should not be surrounded by
quotes. Examples:
--agent=agent
absolute path to the agent program (plus its argument(s)) providing the
ssh-keys.
By default /usr/bin/ssh-agent /bin/bash is used.
--config=path (-c)
config file containing long option specifications.
By default ~/.ssh-cron is used.
This option cannot be specified in the configuration file.
--forced (-f)
When restarting ssh-cron and an existing (leftover) ipc-file file
exists, then the user is interactively given the opportunity to remove
the existing ipc-file during daemon-startup.
--help (-h)
basic usage information is written to the standard output
stream (only interpreted in combination with --no-daemon).
This option cannot be specified in the configuration file.
--ipc-file=path (-p)
when ssh-cron runs as a daemon, then path specifies the path of the file
holding the daemon's shared memory ID and process ID. The ipc file
must be available if ssh-cron is connecting to or starting a daemon process
(the former situation occurs with the options --list, --reload,
and --terminate). If ssh-cron detects an existing ipc-file at
daemon startup and the option --forced was not specified, then the
user is interactively given the opportunity to remove the existing
file. If the existing ipc-file can or should not be removed, then the
daemon is not started. To end a daemon process use ssh-cron
--terminate, or send a SIGINT (ctrl-C) or SIGTERM signal to the
process-id found as the second value in the ipc-file.
By default ~/.ssh-cron.ipc is used.
--list (-l)
list the currently defined environment settings and cron-commands (the
crontab-file argument must be omitted). This option is
incompatible with (--no-daemon, --reload,) and --terminate.
This option cannot be specified in the configuration file.
--log=path (-L)
log messages are appended to path. If path does not exist, it
is created first.
--mailer=command (-m)
information written to the standard output or standard error streams of
the commands executed by ssh-cron is sent by e-mail to the current
user. Use --mailer to redefine (or to suppress sending e-mail by
specifying an empty mailer command (i.e., --mailer "")).
By default /usr/bin/mail -s \"Ssh-cron $*\" $USER@localhost is
used, with $* replaced by the exected command as specified in the
crontab file argument.
--no-daemon ssh-cron is not run as a daemon. To properly end ssh-cron if not running as a
daemon, press the `Enter' key, enter ctrl-C or send ssh-cron a
SIGTERM signal. This option is incompatible with ( --list,
--reload,) and --terminate.
This option cannot be specified in the configuration file.
--reload (-r)
reload the ssh-cron daemon with de cron-commands defined in the
crontab-file argument (which must be provided). This option is
incompatible with (--list, --no-daemon,) and --terminate.
This option cannot be specified in the configuration file.
--stdout (-s)
in addition to using a log file and syslog messages send all messages
to the standard output. This option is not available if ssh-cron runs as a
daemon process.
This option cannot be specified in the configuration file.
--syslog
messages are sent to the syslog daemon when this option is specified.
By default syslog messages are written to the DAEMON facility with
priority NOTICE.
--syslog-facility=facility
the facility that is used to write the syslog messages to. By default
this is DAEMON. For an overview of facilities and their meanings,
see, e.g., syslog(3). With ssh-cron the facilities DAEMON,
LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7, and
USER can be used.
By default facility DAEMON is used.
--syslog-priority=priority
the priority that is used to write the syslog messages to. By default
this is NOTICE. For an overview of priorities and their meanings,
see, e.g., syslog(3). With ssh-cron all defined priorities can
be used. E.g., EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO and
DEBUG.
By default priority NOTICE is used.
--syslog-tag=tag
syslog messages can be provided with a tag, which can be used to
filter them from the log-files. See also section RSYSLOG
FILTERING below.
By default the tag SSH-CRON is used.
--terminate (-t)
terminate a running ssh-cron daemon program, using the daemon's process ID
found in the ipc-file's second value. The crontab-file argument
must be omitted. This option is incompatible tt with (--list,
--nodaemon,) and --reload
.
This option cannot be specified in the configuration file.
--verbose
additional messages about ssh-cron's mode of operation are sent to
ssh-cron's log facilities (specified by --log, --syslog, and/or
--stdout).
--version (-v) ssh-cron's version number is written to the standard output stream.
This option cannot be specified in the configuration file.
RSYSLOG FILTERING
When using rsyslogd(1) property based filters may be used to filter
syslog messages and write them to a file of your choice. E.g., to filter
messages starting with the syslog message tag (e.g., SSH-CRON) use
Note that the colon is part of the tag, but is not specified with the
syslog-tag option.
This causes all messages having the SSH-CRON: tag to be written on
/var/log/ssh-cron.log after which they are discarded. More extensive
filtering is also supported, see, e.g.,
http://www.rsyslog.com/doc/rsyslog_conf_filter.html and
http://www.rsyslog.com/doc/property_replacer.html
This is free software, distributed under the terms of the `GNU General
Public License'. Copyright remains with the author. ssh-cron is available at
https://fbb-git.github.io/ssh-cron/.
ORGANIZATION
Center for Information Technology, University of Groningen.