SUMMARY: My script which includes ssh runs fine from the command line but the ssh part does not work when the script is called by an automated daemon (apcupsd).

DETAIL: I've got an ESXi server and I've got a CentOS 6.5 VM on it dedicated to monitoring an APC Backup UPS (via USB). I'm using APCUPSD to do this. The theory is that in the event of an extended power loss it will ssh into the ESXi host to shut the system down. Everything works in terms of connectivity to the UPS and detecting power failure etc. and calling a script (on the CentOS VM) when the time comes to do the shutdown.

I have set up keys using ssh-keygen etc. so I can ssh into the ESXi host without needing a password.

If I run the script manually from the command line it works fine.

But it doesn't when called automatically by apcupsd.

Specifically it is the ssh command that isn't working (other lines in my script run fine).

I've tried changing the command I'm running to a simple ls and redirecting output to a file (again this works fine when run manually from the command line).

When triggered automatically my output file is created but it is zero bytes.

I've tried numerous different options with SSH including -i and -n. I can't seem to get any detailed error messages (e.g. with -v).

Looking at /var/log/auth.log on the ESXi host it suggests it hasn't even attempted to make a connection.

A few things I've tried:

```
/usr/bin/ssh -o StrictHostKeyChecking=no -x root@X.X.X.X "ls" >output_file
/usr/bin/ssh -n -i /root/.ssh/id_dsa root@X.X.X.X "ls" >output_file
ssh -n root@X.X.X.X >output_file
```

If I echo $? >output_file I get a return code of 126 which I believe is CLI_ERR_NOT_AUTHORIZED Authorization error: the user does not have sufficient privileges to execute command. The thing is I believe apcupsd will be running as root so I would have thought it would have the necessary privileges.

Can anybody help?

george
  • You say you've run it manually, and it's fine. Have you done so *as the `apcupsd` user*? – MadHatter Apr 25 '14 at 14:23
  • ssh -v may also shed some light on quite why it's failing. – Sobrique Apr 25 '14 at 14:27
  • Any time I have had issues running ssh via a script it was due to TTY allocation. Try with the -T flag? Or perhaps -t .. never sure which... – Daniel Widrick Apr 25 '14 at 15:00
  • When you run it from the command line, are you running it as the root user? – Bill Horvath Apr 25 '14 at 15:21
  • @MadHatter I believe the apcupsd program runs as root? `whoami >output_file` suggests this to be true. – george Apr 26 '14 at 21:45
  • @Sobrique I still can't get to see the output. My redirect to a file results in an empty file. – george Apr 26 '14 at 21:48
  • @IVlint67 I have not tried -t but will see if it makes a difference. – george Apr 26 '14 at 21:49
  • @BillHorvathII yes I am running it as root from the command line. – george Apr 26 '14 at 21:49
  • @lVlint67 I have just tried both -t and -T without success – george Apr 27 '14 at 15:10
  • `ssh -v` writes to `STDERR` - so you'll need to do something like `ssh -v 2>ssh.out` – Sobrique Apr 28 '14 at 08:25
  • @Sobrique Thanks, I was redirecting STDOUT hence not getting anything in the file. I've tried using 2>outputfile but I now get /usr/bin/ssh: Permission denied. Googling that reveals loads of issues with public keys etc but it's not getting that far. It's like it's not even running the ssh command. Having the -v switch makes no difference. I've checked the permissions on /usr/bin/ssh and they're rwxr-xr-x. As far as I know apcupsd is running as root anyway. Any more ideas? – george Apr 28 '14 at 14:30
  • 'permission denied' is a big warning bell, and is probably your root cause here. Either the ssh binary, the directory structure or some of the files it's accessing. Any chance you've an NFS mount which disallows root access? – Sobrique Apr 28 '14 at 14:33

1 Answer

Check /var/log/messages for messages like "apcupsd: Failed to get a pseudo terminal: Permission denied". If you see these, it may be SELINUX blocking you. Try "setenforce 0" to temporarily disable SELINUX and see if it works. If that solves the issue, you should see denied errors in /var/log/audit/audit.log.

Run "sudo yum install policycoreutils-python". Then run "grep apcupsd /var/log/audit/audit.log | audit2allow -M mypol" and "semodule -i mypol.pp" to allow apcupsd to execute SSH sessions.

D4rkH3lm3t
  • Thanks for the comments although since the original issue was over 3 years ago I managed to find some workaround. – george Jul 18 '17 at 08:35
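
The `grep apcupsd ... | audit2allow -M mypol` step in the answer above turns every matching denial into an allow rule, so it is worth seeing what would be granted before running `semodule -i`. The following is an added example, not part of the original answer: it parses AVC denial records and groups the denied permissions per target type and class for one source domain. The log lines are constructed, and the type names `apcupsd_t`, `ssh_exec_t` and `ssh_port_t` are assumptions about the policy in use.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log (not from the original post).
SAMPLE_LOG = """\
type=AVC msg=audit(1398695400.101:501): avc:  denied  { execute } for  pid=2211 comm="apccontrol" name="ssh" dev=dm-0 ino=131 scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1398695400.102:502): avc:  denied  { read open } for  pid=2211 comm="apccontrol" name="ssh" dev=dm-0 ino=131 scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1398695400.200:503): avc:  denied  { name_connect } for  pid=2212 comm="ssh" dest=22 scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1398695401.000:504): avc:  denied  { getattr } for  pid=900 comm="httpd" path="/srv/x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1398695400.101:501): arch=c000003e syscall=59 success=no exit=-13 comm="apccontrol"
"""

# Matches the permission set and the source/target contexts of an AVC denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def summarize_denials(log_text, source_type="apcupsd_t"):
    """Map (target_type, class) -> sorted denied permissions for one source domain."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None or selinux_type(m["scon"]) != source_type:
            continue  # not an AVC denial, or a denial for another domain
        denied[(selinux_type(m["tcon"]), m["tclass"])].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in sorted(denied.items())}


def as_allow_rules(summary, source_type="apcupsd_t"):
    """Render the summary as the allow rules a generated module would contain."""
    return [
        f"allow {source_type} {ttype}:{tclass} {{ {' '.join(perms)} }};"
        for (ttype, tclass), perms in summary.items()
    ]


if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

Filtering on the source type rather than on the string `apcupsd` keeps unrelated records out of the result; `audit2allow -M` also writes a readable `mypol.te` that can be compared against this summary.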