Managing hosts with Network Shell

Executive Summary

The Network Shell is a neat tool to manage multiple hosts from an administration computer. The remote hosts can be running either Unix or NT. Management is achieved by using NSH utilities. The Network Shell requires two packages to be installed: an agent (RSCD Agent, a.k.a. Daemon), which must be installed on the remote hosts that you wish to manage, and a client (NSH Utilities, including the nsh shell), which you use to send commands to remote agents. By default, Agents listen for incoming queries on TCP port 4750. On NT, the NSH Utilities are based on Cygwin.

The RSCD Agent comes in two versions: a Light version, which accepts only a subset of the commands supported by the NSH Utilities package, and a Full version with access to over 140 utilities.

Configuration files are saved in /usr/lib/rsc (if RSCD is installed as root), or ~/rscd (if installed as a regular user, and ~/rscd is where you chose to install the RSCD package). In addition, some libraries and binaries are installed, and their location depends on whether the package is installed as root or as a regular user (if the former, /lib, /usr/lib, and /bin are affected; if the latter, all files are installed beneath eg. ~/rscd/).

Here's the kind of thing that you can accomplish from a central host, running the RSCD Daemon (from NetworkShell's web site):

$ /bin/nsh                                  # Launching the NSH shell
host $ cp /etc/hosts //host1/etc/hosts
host $ cd //host2/home
host2 $ ps -ef | grep inetd
host2 $ diff //host3/etc/passwd //host4/etc/passwd
host2 $ iostat 2 5
host2 $ vi //nthost/c/AUTOEXEC.BAT
host2 $ nexec nthost reboot                 # Let's reboot NT

Note that as of Aug 2001, Red Hat is the only Linux distribution that is supported by NetworkShell.

NetworkShell also offers NSH Deploy, which is the GUI version of the NSH Utilities that deal with file distribution. As of Aug 2001, NSH Deploy is only available for Sparc Solaris, Red Hat Linux, and Windows NT4/2000. Here's what NSH Deploy looks like on a Unix client (from NetworkShell's web site):

Setup

Agents

Linux

  1. Create a sub-directory for RSCD (eg. /usr/local/rscd), copy the package therein (eg. rscd3.4-redhat7.0.tar.gz), cd to the directory, and untar the package. If you wish to install the Agent as a non-privileged user, replace /usr/local/rscd with ~rscd
  2. Run ./Install (If running as a non-privileged user, either run ./Install and let the shell script detect that you are not root, or spell it with ./Install -local)
  3. When prompted for the activation key, answer either Y to install the Light version, or N to install the Full version (have the 30-day activation key handy)
  4. Edit the exports file (/usr/lib/rsc/exports, or ~rscd/exports) to define access permissions when connecting to this agent, such as:

    myclient.acme.com    rw,validusers=jdoe,user=root

    This allows user jdoe logged on workstation myclient.acme.com running the RSCD Daemon to connect to this host, and work as root.

    - OR -

    *      root=admhost,anon=-1,nosuid,nomknod

    Root access only from the administrator's host, do not allow root or unknown users except "admhost", do not allow setting of "set UID/GID" bits, do not allow creation of special files, only allow admin accounts on system.

    Important: The default setting in exports is "*    rw", ie. read/write for all, all commands allowed, and no logging...    
     
  5. Edit the users file (/usr/lib/rsc/users, or ~rscd/users) to override settings in the exports file on a per-user basis
  6. Use the secadmin utility to edit the secure file (/usr/lib/rscd/secure, or ~rscd/secure), and choose whether data should flow in clear text, or be encrypted with DES, 3-DES, or Blowfish. (Open question: do I need to do this on both hosts?)
  7. Read the following man pages: man/txt1/exports.txt, man/txt1/users.txt, man/txt1/secure.txt, and man/txt1/secadmin.txt
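
An added example (not from the original page or from NetworkShell) that audits an exports file for the permissive default warned about in step 4. It assumes one entry per line in the "host options" form shown above and that "#" starts a comment; the function name audit_exports and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag over-permissive entries in an RSCD exports file.
# Assumptions: one entry per line as "<host> <comma-separated options>", using
# only options that appear on this page; '#' comment lines are assumed.

audit_exports() {
    # $1 = exports file. Prints "<line>:<host>:<finding>" for each issue.
    awk '
        /^[ \t]*#/ || NF == 0 { next }      # skip assumed comments and blanks
        {
            host = $1
            n = split($2, opt, ",")
            rw = nosuid = nomknod = limited = rootmap = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] == "rw")        rw = 1
                if (opt[i] == "nosuid")    nosuid = 1
                if (opt[i] == "nomknod")   nomknod = 1
                if (opt[i] == "user=root") rootmap = 1
                if (opt[i] ~ /^(validusers|root)=/) limited = 1
            }
            if (host == "*" && rw && !limited)
                print NR ":" host ":rw for every host, no validusers=/root= limit"
            if (rootmap)
                print NR ":" host ":user=root lets listed users work as root"
            if (rw && !nosuid)
                print NR ":" host ":rw without nosuid"
            if (rw && !nomknod)
                print NR ":" host ":rw without nomknod"
        }
    ' "$1"
}

# Constructed sample: the shipped default, then the two entries from this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample exports file
*    rw
myclient.acme.com    rw,validusers=jdoe,user=root
*      root=admhost,anon=-1,nosuid,nomknod
EOF
audit_exports "$sample"
rm -f "$sample"
```

Run it against the real exports file on each agent after any edit; since the agent re-reads the file automatically, a permissive entry takes effect on the next client connection.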

Windows

  1. Run rscd-setup.exe
  2. Enter the activation key
  3. After the RSCD Agent is installed, you can change its settings through Start | Programs | RSCD Agent | Configure RSCD Agent

NSH Utilities

Linux

  1. Untar nsh3.4-redhat7.0.tar.gz in eg. /usr/local/nsh/
  2. Cd to this new directory
  3. If you are root, run ./Install. This script will create symlinks in /lib and /usr/lib to NSH's shared libraries, a symlink in /bin to the NSH shell, and a /usr/lib/rsc sub-directory to store configuration files.

    If you are a non-privileged user, run ./Install -local; You will also need to set two environment variables: NSHDIR should point to the product installation; LD_LIBRARY_PATH must include $NSHDIR/lib.

    You can install either just the NSH Utilities, or both the NSH Utilities and the RSCD Agent (so this host can be managed from another host)
     
  4. Start the NSH shell : If installed as root, "/bin/nsh"; If installed as a regular user, run "cd $NSHDIR ; bin/nsh"
  5. To uninstall NSH Utilities, cd where the nsh package was installed (eg. /usr/local/nsh), and run "./Uninstall"

Windows

  1. Run nsh-setup.exe
  2. Type the activation key to unlock the NSH Utilities. Unlike those for Unix, the NT package is not free.
  3. Open a DOS box, cd to where the NSH Utilities are located, and type nsh

Note: Unlike the Unix packages, the NSH Utilities package for Windows NT does not include the RSCD Agent; it has to be downloaded separately.

Note: The activation keys are package-specific. In other words, the activation key that you received to install the RSCD Agent cannot be used to install the NSH Utilities package, and vice-versa.

NSH Weirderies

Q&A

On a Linux host, I chose to install just the NSH Utilities: Why am I prompted to set a TCP port?

Please select the TCP/IP communications port (def: 4750):

Ran Uninstall to remove the NSH Utilities.... and I can no longer run any standard commands!

# pwd
/bin
# ./ls -al
nsh: ./ls: cannot execute remote binary file

Remember to close the nsh shell that you are running before uninstalling...

Why does it talk about cut when I run nsh?

# nsh
 
Usage: cut -c list [file1 ...]
cut -f list [-s] [-d delim] [file ...]

Uninstalling NSH leaves stuff

# cd ..
# ./nsh/Uninstall
 
Are you sure you wish to Uninstall the RSCD and/or the Network Shell ? y
=============== Stoping RSCD Agent (if running) ==============
================== Removing Shared Libraries =================
+ rm -f /lib/libeay.so
+ rm -f /lib/libeay.so.1.0
+ rm -f /lib/libnc.so
+ rm -f /lib/libnc.so.1.0
+ rm -f /lib/libzlib.so
+ rm -f /lib/libzlib.so.1.0
============== Removing/Updating Startup Script ==============
+ rm -f /etc/rc.d/rc2.d/S99rscd /etc/rc.d/rc3.d/S99rscd /etc/rc.d/rc4.d/S99rscd /etc/rc.d/rc5.d/S99rscd /etc/rc.d/init.d/rscd
===================== Removing RSCD Files ====================
Removing /bin/nsh link ...
... done
Removing links ...
... done
Removing regular files ...
... done
Removing directories ...
rmdir: `man/pdf': No such file or directory
rmdir: `include/rsc': No such file or directory
rmdir: `include': No such file or directory
rmdir: `bin': Directory not empty
rmdir: `share/sudo': No such file or directory
rmdir: `share': Directory not empty
... done
 
# l /usr/local/nsh/
total 20
drwxr-xr-x    5 root     root         4096 Aug 19 03:09 ./
drwxr-xr-x   14 root     root         4096 Aug 19 02:55 ../
drwxr-xr-x    2 bin      bin          4096 Aug 19 03:09 bin/
drwxr-xr-x    5 bin      bin          4096 Aug 19 03:09 share/
drwxrwxrwx    2 bin      bin          4096 Aug 19 03:00 tmp/

What if I don't create an exports file on a host running the RSCD Agent?

The remote client gets ro (read only), nosuid (no set UID/GID), and nomknod (no creation of special files).

Do I need to restart the RSCD Agent after editing the exports file?

No. It is automatically re-read, and all subsequent client connections will have the new access permissions, while currently connected clients are unaffected.

What is the difference between distributed commands and remote commands?

Distributed commands are available remotely, so can be launched directly, eg. mkdir //remote/test. Remote commands need to be launched indirectly through nexec. The distinction is crucial if you want to restrict which commands are accepted by an RSCD Agent in the exports file.

Can an RSCD Agent run on a multi-homed host?

(From the Support section) To select an alternate address to listen on, use the "secadmin" command on the Agent (server) host. Use the port redirection feature, which consists of a port and hostname, to select the address and port to listen on.

How do I increase data confidentiality with SSH?

From what I gather, the admin station must be running the SSH client in addition to the RSCD Daemon, and the remote host must be running the SSH server in addition to the RSCD Agent. The admin RSCD Daemon must be set up to forward data to the local SSH client, which sends data to the remote SSH server, which in turn forwards data to its local RSCD Agent.

Do I need to mess with the exports/users/secure on hosts running RSCD Daemon?

When running the Uninstall app to remove the NT RSCD Daemon + Utilities, files are removed but I'm left with a directory tree in C:\nsh\

Under NT, I'm prompted for an activation key when installing the RSCD Daemon + Utilities: Is the NT Daemon/Utilities only available in the Full version?

Looks like the Daemon + Utilities package is free only for Unix platforms.

Failed copying between an NT Daemon and a remote Linux Agent

C:\nsh\bin>nsh
W2K $ cp c:\autoexec.bat //mylinux/tmp
cp: Unable to access file c:autoexec.bat: Not super-user

Replace c:\autoexec.bat in the above with /c/autoexec.bat

Failed deleting a file on a remote host from a Windows host

W2K $ rm //mylinux/tmp/autoexec.bat
rm: //mylinux/tmp/autoexec.bat non existent: Encryption configuration error

Need to play with exports/users/secure?

If a remote Windows host has more than one partition, NSH uses the first partition as default

For instance, ll //w2k and ll //w2k/c are synonymous. Could be dangerous.

Resources

Man pages