Firstly let me say that embedding roots password in a script (any script) is very nasty and should be avoided at all cost!
Since you don't seem to have a requirement to capture the output of the ssh command then the best solution (security wise) is to add a crontab entry on each host to run the script. No cross network priveledges required.
If that is not a feasible option for some reason that you have not given us then read up on SSH forced commands. Basically a forced command is an SSH key pair which allows the running of only commands that you specify. It can be used with root with reasonable safety. If you use perl for your forced command (of course!) then you can switch on taint mode and basically treat it like a CGI (ie don't trust anything!). I have been meaning to write a tutorial on perl/ssh forced commands, here is some sample code for you-
Sample call of ssh forced command using open3 so we can capture STDOUT & STDERR and also talk to STDIN (if required) on the remote host:
my $ssh = "/usr/local/bin/ssh";
my @ssh_cmd_to_run=($ssh, "-i", $key_file, "user\@$host", "scriptn
+ame", "options");
open3(*SSH_IN, *SSH_OUT, *ERROR, @ssh_cmd_to_run);
print SSH_IN $parameters_you_dont_want_seen;
close(SSH_IN);
my $return = <SSH_OUT>;
close(SSH_OUT);
my @error=<ERROR>;
close(ERROR);
Sample ssh forced command would be something like this (untested)-
#!/usr/bin/perl -wT
#
BEGIN {
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = "";
}
use strict;
process_ssh_command($ENV{SSH_ORIGINAL_COMMAND});
exit;
sub process_ssh_command {
my $ssh_command = shift || '';
if ( ! $ssh_command ){
print "Error: You must specify the command to run\n";
return;
}
if ( $ssh_command =~ /^scriptname\s+(options_regex)$/ ){
my $options= $1 || '';
# do something if options not set
chomp(my $stdin = <STDIN>); # if you need it
# untaint stdin
system("/path/to/scriptname", $options);
return;
}
print "Error: Unknown command or incorrect format \"$ssh_command\"
+\n";
return;
}
I would tend to make the error messages terse so as not to give any information away to any-one snooping!
In roots SSH authorized keys the forced command key would look something like this-
command="/path/to/forced_command.pl" ssh-dss ......
Update:If you look in the sshd(8) manpage under AUTHORIZED_KEYS FILE FORMAT the command="command" section describes this mechanism.
-- my $chainsaw = 'Perl'; |