Operating System - OpenVMS

Re: Redirecting SSH output

 
Gerhard Olsson
Advisor

Redirecting SSH output

Using SSH to execute single commands on a remote host (Solaris) with public keys using empty passphrases. The commands collect statistics back to the OpenVMS server, so the usage is "safe" but rexec service on the remote nodes may not be available.

The SSH command exit status is not propagated to DCL. As a workaround, I tried to use redirect to get the messages to a file. Setting SYS$OUTPUT,SYS$ERROR does not give any output, the same for PIPE.

The only workaround that I have found is to submit a batch job, wait for the completion and read the log file.

Any better ways?

(My impression is that MultiNet may work better, but that will be difficult to provide for our customers.)

OpenVMS 7.3.2 with TCPIP ECO 4

Gerhard
Karl Rohwedder
Honored Contributor

Re: Redirecting SSH output

Can't you just call the DCL routine with /OUTPUT? E.g.

$ type a.com
$ rsh doe01p sh time
$ @a.com/out=a.log
$ type a.log
13-MAY-2005 07:26:33

regards Kalle
Gerhard Olsson
Advisor

Re: Redirecting SSH output

Thanks for the tip, but ssh does not work at all in direct command procedures.....
ssh does not use sys$output and in some way takes control of the terminal directly. I am looking for a way to take back control of the terminal output.

$ type t.com
$ ssh go@10.1.2.57 "getStat"
$ @t
FATAL: ssh_io_register_fd: fd 3 already registered!

%TCPIP-F-SSH_FATAL, non-specific fatal error condition
$ subm t
Job T (queue SYS$BATCH, entry 2760) started on SYS$BATCH
$ type sys$login:t.log
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))

Usage: getStat [-n ]
MsnExitStatus: 1 Usage: getStat [-n ]
GO job terminated at 13-MAY-2005 07:58:48.11

Accounting information:
Buffered I/O count: 618 Peak working set size: 7328
Direct I/O count: 315 Peak virtual size: 177920
Page faults: 824 Mounted volumes: 0
Charged CPU time: 0 00:00:00.56 Elapsed time: 0 00:00:02.86
$
Ian Miller.
Honored Contributor

Re: Redirecting SSH output

have a look in the release notes about batch mode
____________________
Purely Personal Opinion
Gerhard Olsson
Advisor

Re: Redirecting SSH output

SSH in batch mode seems to be fixed in ECO4. (There are two notes about it). The note about ssh not working in batch is however not removed. It seems like this note should have been removed.

ECO 3 updates
-------------
ECO F 25-JUN-2004 Alpha, IA64

Problem:

Cannot run ssh2, scp2, or sftp2 clients in batch mode.
In some cases, running from within a command procedure did not
work either.

13: Updates for SSH release notes
- ssh, sftp and scp do not work correctly in batch mode
Ian Miller.
Honored Contributor

Re: Redirecting SSH output

does batch mode make redefining sys$output work?
____________________
Purely Personal Opinion
Gerhard Olsson
Advisor

Re: Redirecting SSH output

Setting sys$output does not work in batch either

You can redirect SSH warning messages, for instance using the flag "-v", but not the actual command output.

/Gerhard
Jan van den Ende
Honored Contributor

Re: Redirecting SSH output

Gerhard,

it _COULD_ be a version thing, but we have been using rsh commands from procedures for some time, and I cannot remember any issues.
We started on VMS 7.2-1 / TCP 5.1, and currently have VMS 7.3-2 / TCP 5.4 ECO 2.
Admittedly, NOT to Solaris, but to some other VMS boxes.

The only strange thing in my view is your syntax:


$ ssh go@10.1.2.57 "getStat"


I do not recognise the "go@" part.

That looks like a syntax specifying user "go" at node 10.1.2.57
If so, we use $ SSH /USER=go ...

-- oh. If "go" is lowercase on the remote machine (it IS *UX !! ), then on VMS it should be between quotes.

Maybe THAT is your issue ?

Success.

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Gerhard Olsson
Advisor

Re: Redirecting SSH output

>> I do not recognise the "go@" part.

user@host is how you specify user at remote node normally in ssh. "ssh" accepts "-l" (as does OpenVMS RSH), but scp only accepts "@" syntax.
Thanks for the suggestion though, but "-l" and "@" syntax works the same.

The problem is the bad port of ssh. There are a number of issues still. A few of them bothering me:
* ssh does not propagate error codes or use sys$output and sys$error
* scp only works for stm_lf and fixed512
* crash if more than one line in "IDENTIFICATION."
* scp -p crashes

ReleaseNotes has more.
/Gerhard
Wim Van den Wyngaert
Honored Contributor

Re: Redirecting SSH output

I don't understand that HP released such a monster.

Btw : my ssh says "Copyright 1976". That old and still so bad.

I use task-to-task to do the job :
. with capture of output
. with option of doing multiple commands in 1 process (=1 command line)
. with status of each command given back to origin node

Wim
Wim
Gerhard Olsson
Advisor

Re: Redirecting SSH output

Jan, is that interactive or in batch as well?
Can you explain more in detail?

Gerhard


If it is OpenVMS, you expect it to work. The only problem is when something is not implemented but then it is documented. If I knew this from the beginning, I could have pushed other alternatives, but this is too late now.
For ssh, HP took a bunch of non-VMS programmers without VMS knowledge to do the port. I do not believe OpenVMS programmers to release something like this.
Gerhard Olsson
Advisor

Re: Redirecting SSH output

I mixed up the responses when writing and wrote Jan instead of Wim.
Gerhard
Wim Van den Wyngaert
Honored Contributor

Re: Redirecting SSH output

G,

This posted script is a very complex procedure with references to other stuff but you can read it to get the idea. The second script starts after a line of *.

The usage is :
$remote_command "show time" SRV
(if you have the missing parts to define the nodes belonging to SRV)
or
$remote_command "show time" node::
(if you don't have it)

But it isn't encrypted.

Wim
Wim
Wim Van den Wyngaert
Honored Contributor

Re: Redirecting SSH output

Here is what the output looks like.

WSYS01/MGRWVW>rcom "show time" srv
Will execute show time

ABETV1 at 2005-05-13 14:57:48.25
13-MAY-2005 14:57:49

ABETV2 at 2005-05-13 14:57:49.30
13-MAY-2005 14:57:50

ALP10 at 2005-05-13 14:57:50.32
13-MAY-2005 14:57:52

ALP20 at 2005-05-13 14:57:52.62
13-MAY-2005 14:57:53

.....

WPVMX2 at 2005-05-13 14:58:10.67
%RMS-E-ACC, ACP file access failed
*** Can not communicate with WPVMX2

Execution statistics for show time

Command successfully on 23 nodes
ABETV1,ABETV2,ALP10,ALP20,CSMM01,DVPM01,MXM01,SALPV1,SALPV2,SBAPV1,SBAPV2,
SDEPV1,SPVCS1,SPVCS2,SPVMX1,SPVMX2,SVBET1,SVBET2,SVCSM1,SVCSM2,SVMRX1,SVMRX2,
SY2KV3

Node unreachable on 6 nodes
SARBV1,SBETV1,SBETV2,SIVM01,WPVMX1,WPVMX2

LAT reachable, DECnet unreachable on 2 nodes
SBETV1,SBETV2
Wim
Ian Miller.
Honored Contributor

Re: Redirecting SSH output

for remote execution of commands on a VMS in a non-interactive fashion where DECnet is available then SYSMAN is the program to use.

But the original question wants TCP/IP and encrypted.

I agree with the comments on the ssh port. Keep complaining at hp and eventually they will assign some resource to do this properly (I hope).
____________________
Purely Personal Opinion
Wim Van den Wyngaert
Honored Contributor

Re: Redirecting SSH output

Ian,

Sysman is OK for simple things but :
1) doesn't have the users environment
2) can only execute 1 command per process (per do)
3) no return status
4) just noticed, runs with base prio 7, so may disrupt production
5) less node selection possibilities

Wim
Wim
Jan van den Ende
Honored Contributor

Re: Redirecting SSH output

Re Wim,

I agree on 1-4, but #5?

Define any relevant combination of nodes as a searchlist in SYSMAN$NODE_TABLE, and use that name in
SYSMAN> NODE=..

or,
in SYSMAN.INI,

or,
define SYSMANINI , and define in that file.

HTH

Proost.

Have one on me.

jpe

Don't rust yours pelled jacker to fine doll missed aches.
Gerhard Olsson
Advisor

Re: Redirecting SSH output

The setup is for accessing Solaris nodes, so OpenVMS native methods are not possible...
The issue is not to get an encrypted channel to the remote node, but avoid letting the password in the clear, that is done with rsh/rexec.

I plan to use something like the command procedure below. The scripts in Solaris have been modified to write the exit status, and a reason. The exit status must be unique enough to not get false matches...


$ type t2.com
$! Command procedure to execute ssh commands on remote node
$! The command on the remote node must write the exit status in the
$! output text (including reason) as the exit status is not propagated
$!
$ ws="WRITE SYS$OUTPUT"
$ cmd="getStat"
$ call test_ssh "go@10.1.2.57" "''cmd'"
$ write sys$output "''exit_status':''reason'"
$ exit
$
$test_ssh: subroutine
$ remnode="''p1'"
$ cmd="''p2'"
$!Use separate queue to minimize the risk for deadlock
$ bqueue="''f$getsyi(""nodename"")'_bat"
$ key_string="ExitStatus:"
$get_files:
$ tmp=F$UNIQUE()
$ bfile="SYS$LOGIN:''tmp'.COM"
$ lfile="SYS$LOGIN:''tmp'.LOG"
$ IF f$search(bfile) .nes. "" .or. f$search(lfile) .nes. "" -
THEN GOTO get_files
$ open/WRITE f 'bfile'
$ write f "ssh ""''remnode'"" ""''cmd'"""
$ close f
$ SUBMIT/QUEUE='bqueue' 'bfile'
$ synchronise /entry='$entry'
$ open F 'lfile'
$ LOOP_CMD:
$ READ F str/END=end_loop_cmd_nomatch
$ IF f$length(str) .eq. 0 THEN GOTO LOOP_CMD
$ IF f$locate (key_string,str) .eq. 0
$ THEN
$ tmp=f$extract(f$length(key_string)+1, f$length(str), str)
$ tmp=f$edit(tmp,"TRIM")
$ exit_status==f$element(0," ",tmp)
$ tmp2=f$extract(f$length(exit_status)+1, f$length(tmp), tmp)
$ reason==f$edit(tmp2,"TRIM")
$ GOTO end_loop_cmd
$ ENDIF
$ GOTO LOOP_CMD
$ end_loop_cmd_nomatch:
$ ws "Warning: did not find ''key_string' in ''cmd'"
$ exit_status==-1
$ reason=="No information"
$ end_loop_cmd:
$ CLOSE F
$ DELETE 'bfile';0,'lfile';0
$ RETURN
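
The marker-line approach used by the procedure above, shown for the Unix side together with the parsing rules, as an added example that is not part of the original post. The key string matches `key_string` in t2.com; the function names and the sample command are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). KEY matches key_string in t2.com;
# function names and the demo command are hypothetical.
KEY="ExitStatus:"

# Remote side: run a command, fold stderr into stdout, then append one
# trailer line "ExitStatus: <code> <reason>" for the caller to parse.
run_with_status() {
    rc=0
    "$@" 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then reason="OK"; else reason="command failed"; fi
    printf '%s %s %s\n' "$KEY" "$rc" "$reason"
    return 0
}

# Calling side: read captured output on stdin and print "<code>:<reason>".
# Only lines that START with the key count, the LAST such line wins (it is
# the trailer), and the code must be numeric. No valid match prints
# "-1:No information", the same fallback t2.com uses.
parse_status() {
    awk -v key="$KEY" '
        index($0, key) == 1 {
            rest = substr($0, length(key) + 1)
            sub(/^[ \t]+/, "", rest)
            code = rest; sub(/[ \t].*$/, "", code)
            why = substr(rest, length(code) + 1)
            sub(/^[ \t]+/, "", why); sub(/[ \t]+$/, "", why)
            if (code ~ /^[0-9]+$/) { c = code; r = why; found = 1 }
        }
        END {
            if (found) print c ":" r
            else print "-1:No information"
        }'
}

# Constructed demo: a failing command as it would run on the remote host.
run_with_status sh -c 'echo "Usage: getStat [-n ]" >&2; exit 1' | parse_status
```

Anchoring the match at the start of the line and requiring a numeric code is what keeps ordinary command output that merely mentions the key from being read as a status.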
Gerhard Olsson
Advisor

Re: Redirecting SSH output

Wim: Thanks for the script. Not exactly what I was looking for but sharing is always appreciated.

I will not close this thread yet, I still believe there is possibility to take control of the output for ssh...
Wim Van den Wyngaert
Honored Contributor

Re: Redirecting SSH output

Just a note for Jan,

Node selection : in the script we use dspn. This tool allows you to assign a number of keywords to each node. Then you can use boolean expressions using these keywords.

E.g. (SRV .AND. DVP) .AND. .NOT. CSM
(all servers for development not located in our CSM building).

Wim
Wim
Tom Musson
Advisor

Re: Redirecting SSH output

It's kind of a hack, but if you redirect stderr to stdout in the shell command, the text is then sent to stdout on VMS and you can capture the exception to a file by defining sys$output:.

e.g.

$ set verify
$ define sys$output temp.txt
$ ssh user@host "invalid 2>&1"
$ deassign sys$output
$ type temp.txt

Executes as:

(11:57:51) $ define sys$output temp.txt
(11:57:51) $ type temp.txt
(11:57:51) $ ssh user@host "invalid 2>&1"
bash: line 1: invalid: command not found
(11:57:51) $ deassign sys$output

You still have to search for the exception, but you don't need to submit a separate batch job.

Regards,

Tom
Gerhard Olsson
Advisor

Re: Redirecting SSH output

Defining SYS$OUTPUT was the first thing I tried, but SSH does not follow the redirections. The batch hack works, but it is definitely a hack.

/Gerhard
Tom Musson
Advisor

Re: Redirecting SSH output

Gerhard,

If you look at my example, you'll see that it does work. You have to redirect the Unix stderr to the Unix stdout (in the SSH command via "2>&1"), then the Unix stderr output will be written to the VMS sys$output and hence can be captured.

Regards,

Tom
Gerhard Olsson
Advisor

Re: Redirecting SSH output

Tom, thanks for the input, but the output on the Unix side is not the problem. Both stderr and stdout are included, and I can change the Unix scripts to not use stderr.

The problem is that ssh does not use sys$output or sys$error for output. The redirection on the DCL side is not working, I do not get any contents in the file. If you get redirection to work, it may be something in our setups that differs. I use public key without passphrase to Solaris 9, but no special settings that I know about.

Gerhard
Tom Musson
Advisor

Re: Redirecting SSH output

Gerhard,

Well, it must be (as you say) some environment difference. I am getting the output to sys$output, but only if I redirect stderr on the Unix side.

I am using VMS 7.3-2, TCPIP V5.4 - ECO 4. I, too, am using public key without passphrase, but to Linux.

Regards,

Tom