🚀🚀A high-performance and high-concurrency ssh tool written in Go. It is 10 times faster than Ansible. If you need much more performance and better ease of use, you will love it.
License: MIT License
I plan to add a new feature: Allow to connect to the target linux servers by specifying a ssh proxy server.
For preventing the file with the same name on the target host from being silently overwritten.
For security reasons, it is necessary to provide a feature for detecting dangerous commands, and user can customize the command blacklist. If there is no customization, the default blacklist provided by the tool will be used.
The command line:
$ gossh command -h OR $ gossh script -h
...
Flags:
...
-n, --no-safe-check ignore dangerous commands (from '-B,--run.command-blacklist') check
...
Global Flags:
...
-B, --run.command-blacklist strings commands that are prohibited from execution on target hosts
(default: rm,reboot,halt,shutdown,init,mkfs,mkfs.*,umount,dd)
...Or customize command blacklist in config file:
run:
# Linux Command Blacklist for gossh subcommands 'command' and 'script'.
# Commands listed in this blacklist will be prohibited from executing on remote hosts for security reasons.
# You can add flag '-n, --no-safe-check' to disable this feature.
# Default: ["rm", "reboot", "halt", "shutdown", "init", "mkfs", "mkfs.*", "umount", "dd"]
command-blacklist: []E.g.
Before:
After:
Plan:
The subcommand fetch will not support zip by default to improve transmission efficiency in most scenarios.
In addition, the -z flag will be provided to use the original method of compressing before transmission.
@windvalley thanks for creating this awesome tool.
let me how to provide different usernames for servers like providing ansible_user in ansible inventory file.
[targets]
localhost ansible_connection=local
other1.example.com ansible_connection=ssh ansible_user=myuser
other2.example.com ansible_connection=ssh ansible_user=myotheruser
I have two logins roze and roze2.
On target host (kom) sudoers with such entry.
roze,roze2 ALL=(ALL) NOPASSWD: ALL
I can run right on target host simple:
/tmp: sudo -u roze touch b2
ls -l b2
-rw-r----- 1 roze xxx 0 2 bře 23:23 b # OK
but when I run
gossh command kom -U roze -s -e "cd /tmp; touch /tmp/pokus " -v -p ....
[DEBUG] 2024-03-02 23:39:56.182174 kom: execute command 'sudo -u roze -H bash -c ' cd /tmp; touch /tmp/pokus'' success, output: shell-init: chyba při zjišťování současného adresáře: getcwd: rodičovské adresáře nejsou přístupné: Přístupová práva souboru neumožňují provádět zadanou činnost.
chdir: error retrieving current directory: getcwd: cannot access parent directories: The file access permissions do not allow the specified action.
kom 2024-03-02 23:39:56.182553 | SUCCESS >>
shell-init: chyba při zjišťování současného adresáře: getcwd: rodičovské adresáře nejsou přístupné: Přístupová práva souboru neumožňují provádět zadanou činnost.
chdir: error retrieving current directory: getcwd: cannot access parent directories: The file access permissions do not allow the specified action.
[INFO] 2024-03-02 23:39:56.182597 success count: 1, failed count: 0, elapsed: 0.43s
/tmp/pokus was not created
how is it possible that failed count is 0 ??
================
AIX 7.2
gossh version
gitVersion: 92e3206
gitCommit: 92e3206
gitTreeState: clean
buildDate: 2024-02-25T11:23:47Z
goVersion: go1.20.2
compiler: gc
platform: aix/ppc64
E.g.:
Host pattern foo[1-3,9].sre.im that from command line arguments.
Expand to host list:
foo1.sre.im
foo2.sre.im
foo3.sre.im
foo9.sre.im
Inventory file demo:
# This is a hosts inventory file for gossh
# no group hosts
alias_name_node1 host=node1.sre.im
node100.sre.im
# hosts group
[webserver]
alias_name_node2 host=192.168.33.12 port=8022 user=vagrant password=123456 keys=~/.ssh/id_dsa,~/.ssh/id_rsa passphrase=xxx
node[06-07].sre.im port=9022 user=lisi password=654321
node08.sre.im
# host vars for group webserver
[webserver:vars]
port=8033
user=wangwu
[dbserver]
192.168.1.10
[dbserver:vars]
user=vagrant2
password=abcdefg
# hosts group project1 has hosts that defined in group dbserver and group webserver
[project1:children]
dbserver
webserver
When encountering the following error output of the remote server, it had been stuck for a long time, and flag --timeout.command did not work in this scenario:
ssh: handshake failed: read tcp 10.161.115.122:47572->10.16.153.130:22: read: connection reset by peer
Colorful output that like ansible.
Before:
Optimized:
For example:
$ gossh command "f[01-02].infra.sre.im" -e "ls -l /root" -kOutput:
f01.infra.sre.im | 2022-01-07 15:52:42 | FAILED >>
ls: /root: Permission denied
f02.infra.sre.im | 2022-01-07 15:52:43 | SUCCESS >>
ls: /root: Permission denied
All the records output above should be FAILED.
Demo:
$ gossh vault -h
Encrypt sensitive content such as passwords so you can protect it rather than
leaving it visible as plaintext in public place. To use vault you need another
password(vault-pass) to encrypt and decrypt the content.
Usage:
gossh vault [command]
Available Commands:
decrypt Decrypt content encrypted by vault
encrypt Encrypt sensitive content
Flags:
-h, --help help for vault
Global Flags:
-V, --auth.vault-pass-file string file that holds the vault password for encryption and decryptionFor making it easier to understand the functional scope of the subcommand exec.
感觉工具挺好的,但是好像停更了?
推送文件的zip压缩解压缩的功能是否可以设置个开关?这功能影响执行效率。
Now, there are three authentication methods: password, pubkey, ssh-agent.
If the 3 auth methods are all valid, the current priority order is password > pubkey > ssh-agent.
But I think a more reasonable order should be: ssh-agent > pubkey > password. The next gossh version will adjust the order to this.
Tips:
You can observe the actual authentication method used from the /var/log/secure file of the target host.
tail -f /var/log/secureFor example:
# Use sudo as root to copy no permission files.
$ gossh fetch host1 -f /root/foo.txt -d ./backup/ -s
# Use sudo as 'zhangsan' to copy no permission files.
$ gossh fetch host1 -f /home/zhangsan/foo.txt -d ./backup -s -U zhangsan$ gossh command -e "uptime" 10.16.130.100 -k -jOutput:
Password:
{"hostname":"10.16.130.100","level":"error","msg":"failed","output":"15:16:07 up 434 days, 11:38, 11 users, load average: 0.00, 0.00, 0.00","status":"SUCCESS","time":"2022-01-05 15:16:07"}
{"level":"info","msg":"success count: 1, failed count: 0, elapsed: 0.91s","time":"2022-01-05 15:16:07"}
Should be:
Password:
{"hostname":"10.16.130.100","level":"info","msg":"success","output":"15:16:07 up 434 days, 11:38, 11 users, load average: 0.00, 0.00, 0.00","status":"SUCCESS","time":"2022-01-05 15:16:07"}
{"level":"info","msg":"success count: 1, failed count: 0, elapsed: 0.91s","time":"2022-01-05 15:16:07"}
AIX v.7.2
go env
GO111MODULE=""
GOARCH="ppc64"
GOBIN=""
GOCACHE=.
GOENV=
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="ppc64"
GOHOSTOS="aix"
GOINSECURE=""
GOMODCACHE="/home/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="aix"
GOPATH="/home/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/opt/freeware/lib/golang"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/opt/freeware/lib/golang/pkg/tool/aix_ppc64"
GOVCS=""
GOVERSION="go1.20.2"
GCCGO="gccgo"
GOPPC64="power8"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/go/src/gossh/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -maix64 -pthread -mcmodel=large -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1254645141=/tmp/go-build -gno-record-gcc-switches"
==========> Building binary 'gossh' v1.15.1 for aix ppc64
github.com/spf13/viper
../../pkg/mod/github.com/spf13/[email protected]/watch.go:8:25: undefined: fsnotify.Watcher
../../pkg/mod/github.com/spf13/[email protected]/watch.go:11:18: undefined: fsnotify.NewWatcher
make[1]: *** [scripts/makefiles/go.makefile:54: go.build.aix_ppc64.gossh] Error 1
make: *** [Makefile:43: build] Error 2
I found a similar case spf13/viper#1416
Wouldn't it be possible to solve/bypass it in a similar way?
Hi, thanks for your excellent work. Currently command gossh vault encrypt only obtains the plaintext to be encrypted from the argument. For security reasons, can you consider adding the feature of obtaining plaintext from promt?
For example:
$ gossh vault encrypt -V ./vault-pass.txt
Plaintext:
Confirm plaintext:
Sudo password prompt like follows should be trimmed from output of the target hosts:
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for userfoo:
Available Commands:
command Execute commands on target hosts
completion generate the autocompletion script for the specified shell
config Generate gossh configuration file
fetch Copy files/dirs from target hosts to local
help Help about any command
push Copy local files/dirs to target hosts
script Execute a local shell script on target hosts
vault Encryption and decryption utility
version Show gossh version information
The default completion command that from cobra is lowercased, but another default help command that from cobra is uppercased.
Recommendation: Make them all uppercase.
In order to use the default configuration file more flexibly, I plan to add $PWD/.gossh.yaml, and it has a higher priority than $HOME/.gossh.yaml.
One of the cores of the subcommand fetch is to zip(zip command required on target host) the target files and directories into a temporary directory on target host. The default temporary directory is /tmp, you can change it by flag -t/--tmp-dir for some reason, e.g. insufficient space in default /tmp.
Plan to add flag:
-t/--tmp-dir directory of target hosts for storing temporary zip file (default /tmp/)
For security reasons, in addition to holding plaintext vault password, the file that from -V, --auth.vault-pass-file can also be an executable script file, so that you can write code to retrieve vault password stored in a database, or from an api or other secure location.
the default config generated by
gossh config >$HOME/.gossh.yamlis
# Identity files of pubkey authentication.
# Default:
# - $HOME/.ssh/id_rsa
# - $HOME/.ssh/id_dsa
identity-files:
-
gossh exec 192.168.5.31 -e "uptime" -v
level=debug msg=Using config file: /home/mate/.gossh.yaml time=2021-12-31 14:00:04
level=debug msg=Config contents: {"auth":{"user":"mate","password":"","ask-pass":false,"file":"","identity-files":[""],"passphrase":""},"hosts":{"file":"","port":22},"run":{"sudo":false,"as-user":"root","lang":"","concurrency":1},"output":{"file":"","json":false,"quiet":false,"verbose":true},"timeout":{"conn":10,"command":0,"task":0},"proxy":{"server":"","port":22,"user":"","password":"","identity-files":[""],"passphrase":""}} time=2021-12-31 14:00:04
level=debug msg=Auth: password of the login user not provided time=2021-12-31 14:00:04
level=debug msg=Auth: read identity file '' failed: open : no such file or directory time=2021-12-31 14:00:04
msg=Auth: no valid identity files time=2021-12-31 14:00:04 level=debug
level=debug msg=Auth: no valid authentication method detected. Prompt for password of the login user time=2021-12-31 14:00:04
Password:the default config should be
# Identity files of pubkey authentication.
# Default:
# - $HOME/.ssh/id_rsa
# - $HOME/.ssh/id_dsa
identity-files: []
gossh version v1.0.1
Support copying directory under the local src dir to the remote dest dir.
For example:
$ gossh script foo66.shenzhen.bar.com "foo[01-20].[beijing,wuhan].bar.com" -LOutput:
foo66.shenzhen.bar.com
foo01.beijing.bar.com
foo01.wuhan.bar.com
foo02.beijing.bar.com
foo02.wuhan.bar.com
foo03.beijing.bar.com
foo03.wuhan.bar.com
foo04.beijing.bar.com
foo04.wuhan.bar.com
foo05.beijing.bar.com
foo05.wuhan.bar.com
foo06.beijing.bar.com
foo06.wuhan.bar.com
foo07.beijing.bar.com
foo07.wuhan.bar.com
foo08.beijing.bar.com
foo08.wuhan.bar.com
foo09.beijing.bar.com
foo09.wuhan.bar.com
foo10.beijing.bar.com
foo10.wuhan.bar.com
hosts (21)
$ gossh script foo66.shenzhen.bar.com "foo[01-20].[beijing,wuhan].bar.com" -L | head Output:
hosts (21)
foo66.shenzhen.bar.com
foo01.beijing.bar.com
foo01.wuhan.bar.com
foo02.beijing.bar.com
foo02.wuhan.bar.com
foo03.beijing.bar.com
foo03.wuhan.bar.com
foo04.beijing.bar.com
foo04.wuhan.bar.com
foo05.beijing.bar.com
$ gossh script foo66.shenzhen.bar.com "foo[01-10].[beijing,wuhan].bar.com"Output:
Error: need flag '-e/--execute' or '-L/--hosts.list'
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.