├── deploy.sh
├── README.md
├── LICENSE
├── gee.sh
└── gee_sample_log.txt

/deploy.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Copyright 2014 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

ACCOUNT=$USER@google.com
PROJECT=70795436982
BUCKET=gce-scripts
gcloud config set account $ACCOUNT
gcloud config set project $PROJECT
gsutil cp gee.sh gs://$BUCKET/gee.sh
# TODO(sub) auto-generate sample log and provide a flag to skip it
gsutil cp gee_sample_log.txt gs://$BUCKET/gee_sample_log.txt
# no caching: instances must always fetch the current version of the script
gsutil setmeta -h "Cache-Control:public, max-age=0, no-transform" gs://$BUCKET/gee.sh gs://$BUCKET/gee_sample_log.txt
# the instance fetches the startup script anonymously, so the objects must be world-readable
gsutil acl set public-read gs://$BUCKET/gee.sh gs://$BUCKET/gee_sample_log.txt
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
### This is a troubleshooting script for Compute Engine customer issues

Self-diagnosis tool to identify issues with SSH login/accessibility of your Linux-based Google Compute Engine instance. It gathers the relevant diagnostic information in a single exchange for the support team. The tool does not aim to fix any issues, only to log information for analysis.

### Usage

Note: ideally you should provide --zone [zone of the instance] to avoid zone lookups,
or specify gcloud config set compute/zone [zone_name]

#### for an existing instance
```
gcloud compute instances add-metadata [instance_name] --metadata startup-script-url=http://storage.googleapis.com/[YOUR BUCKET]/gee.sh
```
WARNING: the following command will reboot the machine.
If uptime is a concern you should snapshot and clone your
disk and instance with the startup-script specified instead:

```
gcloud compute instances reset [instance_name]
```

If this fails with "resource not ready", delete the instance while keeping its disk (take note of the instance configuration first), then recreate the instance with:

```
gcloud compute instances describe [instance_name]
gcloud compute instances delete [instance_name] --keep-disks all
gcloud compute instances create [instance_name] --disk boot=yes name=[instance_disk_name] --metadata startup-script-url=http://storage.googleapis.com/[YOUR BUCKET]/gee.sh
```

#### for a new instance
```
gcloud compute instances create [instance_name] --metadata startup-script-url=http://storage.googleapis.com/[YOUR BUCKET]/gee.sh
```

#### You can inspect the output with
```
gcloud compute instances get-serial-port-output [instance_name]
```
once the instance is up.

You may use deploy.sh to deploy a modified version of this script to your own GCS bucket: redefine the ACCOUNT, PROJECT and BUCKET variables in the script, then add your instance with http://storage.googleapis.com/[YOUR_BUCKET]/gee.sh defined as the startup script.

### Privacy

The customer has privacy control through flags that skip the given sections:
```
[..]
gee.sh --skip=[network,metadata,authkeys,sshdconf,sshd,sys,usersec,traceroute]
```
Read the comments in the code to learn the reason for each command and how to interpret the output. Alternatively, if the network connection to Cloud Storage is still working, the output can be directed to a file (--out=) and copied across after running the tool; the customer can then trim that file before sending it to the support team.
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format.
      We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--------------------------------------------------------------------------------
/gee.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Copyright 2014 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# headless usage:
# gcutil addinstance [instance_name] --metadata=startup-script-url:http://storage.googleapis.com/gce-scripts/gee.sh
#
# To check what sort of information will be logged have a look at the sample logfile:
# http://storage.googleapis.com/gce-scripts/gee_sample_log.txt
# WARNING! this tool logs to the serial console by default, which is visible to Google Support;
# use the --skip flag to suppress some sections of the output, or change the log destination ($OUTPUT) with --out
# You can have a look at gee_sample_log.txt to see what sort of output the script produces.
#
# Alternatively, if the network connection to cloud storage is still working, the output
# can be directed to a file and copied across after running the tool;
# that file can then be trimmed by the customer before sending it to the support team.
#
# the flags are not handled with getopts to remain POSIX and portable
OUTPUT=default
FORCE=0
VERBOSE=1
while test $# -gt 0 ; do

  # switches
  if test "$1" = "-h" ; then
    echo "Usage: "
    echo "-h                  This help"
    echo "-f                  force to run without UID 0 (root)"
    echo "-v                  verbose output of each command"
    echo "--out=/tmp/logfile  full path of the output file,"
    echo "                    /dev/kmsg console if unspecified."
    echo "--skip=[network,metadata,authkeys,sshdconf,sshd,sys,usersec,traceroute]"
    echo "                    comma separated list of tests to skip."
    exit
  fi;
  if test "$1" = "-f" ; then FORCE=1 ; shift ; continue; fi;
  if test "$1" = "-v" ; then VERBOSE=1 ; shift ; continue; fi;
  # -s is accepted for compatibility; SECAT is not used anywhere below
  if test "$1" = "-s" ; then SECAT=1 ; shift ; continue; fi;

  # options with arguments
  case "$1" in
    --out=*) OUTPUT="${1##--out=}" ; shift; continue ;;
    --skip=*) SKIP="${1##--skip=}" ; shift; continue ;;
  esac

  # unknown argument: error
  echo "Unknown option $1"
  exit 1
done

if [ $(/usr/bin/id -u) -ne 0 ] && [ "$FORCE" != "1" ]; then
  echo -n "This script is designed to run as user id 0 (root). Current UID: "
  /usr/bin/id -u
  echo "Try sudo $0 or run it after sudo su -"
  echo "Alternatively rerun with -f flag to ignore this check."
  echo "Some tests will fail due to lack of permission!"
  exit
fi;

if [ "$OUTPUT" = "default" ]; then
  # write everything to the kernel log, which ends up on the serial console
  # (and therefore in the serial port output that Google Support can read)
  exec >/dev/kmsg 2>&1
  # raise the console log level so that every message reaches the console
  /bin/dmesg -n 8
else
  exec >"$OUTPUT" 2>&1
fi;

# create a directory for the files generated by the script
# which can be cleaned up at the end in one go
# mktemp adds a random suffix to make it unique
TMP=$(/bin/mktemp -d -p /tmp)
if [ $? = 0 ]; then
  chmod 0700 $TMP
  mkdir -p ${TMP}/ssh
  chmod 0700 $TMP/ssh
  DOTSSH=${TMP}/ssh
else
  echo "creating TMP failed"
  exit 1
fi;

if [ -f /bin/traceroute ]; then
  TRACEROUTE=/bin/traceroute
elif [ -f /usr/sbin/traceroute ]; then
  TRACEROUTE=/usr/sbin/traceroute
else
  echo "no traceroute in /usr/sbin or /bin relying on PATH"
  TRACEROUTE=traceroute
fi;
if [ "$VERBOSE" = "1" ]; then
  PS4='$LINENO :'
  set -x;
fi;

# UID range of regular (non-system) accounts, read once here because both
# the authkeys and the usersec section need it (either may be skipped)
l=$(grep "^UID_MIN" /etc/login.defs)
l1=$(grep "^UID_MAX" /etc/login.defs)

echo '####### GEE #########'
echo $SKIP | grep -qw "network"
if [ $? = 1 ]; then
  echo '### Network'
  # list the network interface configuration
  # check if the configuration matches expectations
  # check for problem indicators: errors, overruns, collisions, dropped
  /sbin/ifconfig
  # check if default resolvers were changed, expected to see:
  # nameserver 169.254.169.254
  # nameserver 10.240.0.1
  cat /etc/resolv.conf
  # list firewall rules
  # check for any restrictions which can prohibit access
  /sbin/iptables-save | egrep -v 'Generated|Completed'
  # list routing table
  # check for default gateway to check expectations
  # check for the correctness of any custom routes
  /bin/netstat -rn
  # list host access control file
  # check if any rule is restricting access
  cat /etc/hosts.deny | grep -v ^#
  echo
fi;
echo '### SSH and meta server reach'
# check sshd binary integrity, match it with the output from a different
# installation but same distribution and version
md5sum /usr/sbin/sshd
# the code below simply tries to open TCP port 22 on localhost
# and TCP port 80 on the metadata server
# these are just TCP connection tests, no attempts are made to
# test the application level
# (quoted heredoc so the shell does not expand anything inside the python code;
# written to run under python 2 and 3)
cat << 'EOF' | /usr/bin/env python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = s.connect_ex(('127.0.0.1', 22))

if result == 0:
    # sshd sends its version banner first, log it together with the result
    print('tcp port 22 connected: ' + s.recv(4096).decode('ascii', 'replace').strip())
    s.close()
else:
    print('could not connect to port 22')
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = s.connect_ex(('169.254.169.254', 80))
if result == 0:
    print('metaserver 169.254.169.254:80 connected')
    s.close()
else:
    print('metaserver 169.254.169.254:80 connection failed')
EOF
# list the port where sshd is listening
# as well as what is listening on TCP port 22 if not sshd
# check if sshd is running on a non-standard port or if
# a conflicting application is bound to the standard port
# netstat -n no name resolution -t tcp -p pids
/bin/netstat -lntpA inet | egrep 'sshd|:22|PID'
# list the route to apis.google.com
# check if name resolution works correctly: 173.194.66.*
# check response times < 10 milliseconds
# this is without -n to check name lookup as well, should complete in 1 hop
${TRACEROUTE} apis.google.com&
echo
echo $SKIP | grep -qw "metadata"
if [ $? = 1 ]; then
  echo '### Authorized meta'
  # list the authorized public keys
  # fetch both directly with curl and with get_metadata_value
  # the two should be the same, if not diff -u will show the difference
  META1=${TMP}/authkeys1
  META2=${TMP}/authkeys2
  /usr/bin/curl -Sso ${META1} http://metadata.google.internal/0.1/meta-data/authorized-keys
  cat ${META1}
  /usr/share/google/get_metadata_value authorized_keys >${META2}
  /usr/bin/diff -su ${META1} ${META2}
  rm -f ${META1} ${META2}
fi;
echo $SKIP | grep -qw "authkeys"
if [ $? = 1 ]; then
  echo '### Authorized keys'
  # home directories of the accounts whose UID lies within UID_MIN..UID_MAX
  HOMEDIRS=$(awk -F':' -v "min=${l##UID_MIN}" -v "max=${l1##UID_MAX}" '{ if ( $3 >= min && $3 <= max ) print $0}' /etc/passwd | cut -d ':' -f 6)
  echo "$HOMEDIRS" | while read homedir; do
    # check the permissions on each path segment for authorized_keys
    # the expected result is in the comment above each command
    # drwx------ or more permissive permissions
    ls -ld $homedir
    # drwx------
    ls -ld $homedir/.ssh
    # -rw-------
    ls -ld $homedir/.ssh/authorized_keys
    # list the public fingerprints and validate the keys
    # check if any of these keys are present on your client machine
    ssh-keygen -lf $homedir/.ssh/authorized_keys;
    if [ -f $homedir/.ssh/authorized_keys2 ]; then
      ssh-keygen -lf $homedir/.ssh/authorized_keys2;
    fi;
  done;
fi;
echo $SKIP | grep -qw "sshdconf"
if [ $? = 1 ]; then
  echo '/etc/ssh/sshd_config'
  # open a secondary ssh daemon in debug mode for 5 minutes on port 3562
  # this exits either after 5 minutes or on first connection
  # it only allows executing echo, to check for basic functionality of
  # the sshd binary with a configuration that closely resembles the one
  # running on the standard port, expected to see: +++ SSH localhost login success
  # only the three directives overridden below are removed; the match is on the
  # keyword (case-insensitive, as sshd reads it) so lines like GatewayPorts survive
  egrep -v '^#|^$' /etc/ssh/sshd_config | egrep -iv '^[[:space:]]*(Port|PermitRootLogin|PasswordAuthentication)[[:space:]]' >${DOTSSH}/sshd_config
  cat << EOF >> ${DOTSSH}/sshd_config
Port 3562
PasswordAuthentication no
PermitRootLogin no
Match User root Address 127.0.0.1
PermitRootLogin forced-commands-only
ForceCommand /bin/echo
EOF
  SSHD_OPTIONS="-d -f ${DOTSSH}/sshd_config -o 'AuthorizedKeysFile ${DOTSSH}/authorized_keys'"
  echo $SSHD_OPTIONS | xargs timeout 5m /usr/sbin/sshd 2>&1 | grep -v 'debug1: rexec_argv' && rm -f ${DOTSSH}/sshd_config &
fi;
echo $SKIP | grep -qw "sshd"
if [ $? = 1 ]; then
  ls -ldZ $HOME/.ssh
  ls -lZ $HOME/.ssh
  KEY=${DOTSSH}/test-key
  # throw-away test key (rsa: dsa keys are no longer accepted by current OpenSSH)
  printf '\n\n' | ssh-keygen -q -f ${KEY} -N '' -t rsa -b 2048
  # the test key may only be used from localhost and only runs echo
  echo -n 'from="127.0.0.1",command="/bin/echo" ' > ${DOTSSH}/authorized_keys
  cat ${KEY}.pub >> ${DOTSSH}/authorized_keys
  chmod 0600 ${DOTSSH}/authorized_keys
  # give the debug sshd started in the background a moment to bind port 3562
  sleep 2
  ssh -v -p 3562 -i ${KEY} -o StrictHostKeyChecking=no localhost echo 2>&1 && echo "+++ SSH localhost login success" || echo "+++ SSH on localhost failed"
  rm -f ${KEY} ${KEY}.pub
  rm -f ${DOTSSH}/authorized_keys
  echo
fi;
echo $SKIP | grep -qw "sys"
if [ $? = 1 ]; then
  echo '### System, filesystem, memory'
  # OS version info
  if [ -f /usr/bin/lsb_release ]; then
    /usr/bin/lsb_release -a
  else
    find /etc -name "*release" -type f -exec cat {} \;
  fi;
  # list kernel version
  /bin/uname -a
  # list mounted filesystems and mount configuration options
  # check if any filesystem is mounted readonly or overlays
  # the root filesystem or paths that are required for normal
  # functionality
  /bin/mount
  cat /etc/fstab
  # verify that the fstab file makes sense
  # -f fake the system calls
  # -a mount all filesystems mentioned in fstab
  # -v be verbose about it
  /bin/mount -fav
  echo
  # list free space information of the mounted volumes
  # 100% usage on the root filesystem indicates an issue
  # and in general is not healthy
  /bin/df -l -x tmpfs -P
  # check standard OS folders and permissions
  ls -ld /dev
  ls -ld /proc
  ls -ld /etc
  ls -ld /tmp
  ls -ld /home
  ls -ld /bin
  ls -ld /sbin
  ls -ld /lib
  ls -ld /lib64
  ls -ld /usr
  ls -ld /usr/bin
  ls -ld /usr/sbin
  ls -ld /usr/lib
  ls -ld /var
  ls -ld /var/run
  ls -ld /var/lib
  # list free memory; swap too large,
  # or no swap with little to no free memory, is a red flag
  free -k
  # list load averages
  # divide the first load number by the number of cores,
  # above 1.0 indicates slower responsiveness
  # an overloaded machine might not be able to process
  # the ssh connection before timeout
  /usr/bin/uptime
  echo
fi;
echo $SKIP | grep -qw "usersec"
if [ $? = 1 ]; then
  echo '### Users and security'
  # list md5sum of manage_accounts.py, match it with another system
  # to verify the integrity of the file
  md5sum /usr/share/google/google_daemon/manage_accounts.py
  # check if manage_accounts.py is running
  ps -C manage_accounts.py -C startpar uw
  # check sudoers integrity
  /usr/sbin/visudo -c
  # inspect the authorized users and groups
  cat /etc/sudoers | egrep -v '^#|^$'
  # list SELinux configuration to see any prohibiting rules
  cat /etc/selinux/semanage.conf | egrep -v '^#|^$'
  # list failed login attempts for valid users (UID_MIN-UID_MAX range)
  if [ -f /usr/bin/faillog ]; then
    /usr/bin/faillog -a -u ${l##UID_MIN}-$(echo ${l1##UID_MAX}) | grep -v '^$'
  fi;

fi;
# run a traceroute to an NTP server to check for connectivity to the
# outside world, this is expected to finish in < 30 hops and < 1000 ms
# this test is without name resolution in case that is broken, you
# can use whois to check at which hop the packet leaves the Google network
# this should be in the network section, however since it takes a while
# it is run last: as an earlier command its output would get scattered
# through the output of the commands after it
echo $SKIP | grep -qw "traceroute"
if [ $? = 1 ]; then
  ${TRACEROUTE} -n au.pool.ntp.org
  echo
fi;
rm -rf ${TMP}
echo "### == DONE =="
--------------------------------------------------------------------------------
/gee_sample_log.txt:
--------------------------------------------------------------------------------
:echo ####### GEE #########
####### GEE #########
:grep -qw network
:echo
:[ 1 = 1 ]
:echo ### Network
### Network
:/sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 42:01:0a:f0:6c:93
          inet addr:10.240.108.147  Bcast:10.240.108.147  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1460  Metric:1
          RX packets:379684 errors:0 dropped:0 overruns:0 frame:0
          TX packets:352264 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:94410397 (90.0 MiB)  TX bytes:52994414 (50.5 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4023 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4023 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:700351 (683.9 KiB)  TX bytes:700351 (683.9 KiB)

:cat /etc/resolv.conf
domain c.slatch.google.com.internal.
search c.slatch.google.com.internal. 70795436982.google.internal. google.internal.
nameserver 169.254.169.254
nameserver 10.240.0.1
:egrep -v Generated|Completed
:/sbin/iptables-save
:/bin/netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.240.0.1      0.0.0.0         UG        0 0          0 eth0
10.240.0.1      0.0.0.0         255.255.255.255 UH        0 0          0 eth0
:grep -v ^#
:cat /etc/hosts.deny

:echo

:echo ### SSH and meta server reach
### SSH and meta server reach
:md5sum /usr/bin/ssh
50226273f654d7a2d7b38a0b0c09def4  /usr/bin/ssh
:/usr/bin/env python
:cat
tcp port 22 connected: SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u1
metaserver 169.254.169.254:80 connected
:egrep sshd|:22|PID
:/bin/netstat -lntpA inet
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1942/sshd
:echo

:grep -qw metadata
:echo
:[ 1 = 1 ]
:echo ### Authorized meta
### Authorized meta
:META1=/root/tmp-gee-769220.82768633.33139/authkeys1
:META2=/root/tmp-gee-769220.82768633.33139/authkeys2
:/usr/bin/curl -Sso /root/tmp-gee-769220.82768633.33139/authkeys1 http://metadata.google.internal/0.1/meta-data/authorized-keys
:/usr/sbin/traceroute apis.google.com
:cat /root/tmp-gee-769220.82768633.33139/authkeys1
sub:ssh-dss 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 sub@submonster.syd.corp.google.com
sub:ssh-dss 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 sub@MacBook
cpst:ssh-dss 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 cloud-platform-support-team@google
sub:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDazHNtoDWVgZYXk88vuDyHeDOjcOCsFdko8UGpBp5pOaR9K1BcaSuPrXKzkxR3eYQb2BVQDXCv4CAEBseLX+r9a5I0nL/HqlOZPCKnMWVtS2dBeq6OdiYUiqK5X+/YOv9pP30mfdAOQYXAOenWlWBIdXt4XwekyzySWUF6k+8LOmh1GCtH0mjBuKnJiSFPAmGevMIROMkjTGlpeaIC2etS6Khx8wd8YruYrc35TaGeRIvpaVhu108ZS8ycsAMAzurxOxLOCp0/GBF5Gq96uRxShQxrxmtczubwIW8CDY5FZOzKkm4HLNuW5Ya1XJdBovjPvoASmQx/vSiXeubzggg9 sub@submonster.syd.corp.google.com
sub:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1toVYw4j6HnLvNE/gcAt1BHYAt2IAMXI2D6HYY07WEUGfClV/fF6CKStN0konpx3W9pbWncRUizkxmXrodZEEeLCag/YmeTICe7ol1KnJEzt+gSP+nMCGIYl0c5coj1Pv+ntYMR0B6WIFqPkEHNx4SHWx8TNG357IXBqgG5bs1Ppvhs4dOM85E4VfnobkUKKt5MO9jVgJO/n0ddrLopGwYgs3bWYYN8hy+97xlO3Kt5zlQ4MeiJ4i3ocYqu3hQCKAJjMH6v629fq8/CzVZdKMc6MmgDPOmGaIZ35D8QH70G70pc5guXiD05tFGt0/rgTzHJPnDbBUvHTH1x/HSVID sub@submonster.syd.corp.google.com
sub:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHRPNem7DE56KHVt/h3p6l6vY/IH9IT7GpVPIRgoV/IFnJcZDdEIYsNdW8QML74Yrv0QIM53HHZP/dX1D4vyC7O2df1IeW5d45N6tcmc7Hh0qIoY9wAAqrdiGr84MRZAlnccEWuenvqjuKQEuC5ASBbH2Mr7HWjMKqvMm6cQ2zvpSESRfOn/ONeGFmlAu5jSDWd7bUnTLwUlSBK7OMICeTV2c29H8we49L/ToT8EKk/IJ8e/IbMGS1ZCwiFnbOzNSF8CQ8w+MP8pP0m7f9t8iA3pcJz30H6OkIY39rt8vvzp8WqjSrVvuXg870SfdpNYl/czCvax7bjw/JyZqlG1P1 sub@parker
sub:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4fi/tvPJpXCGLZmyYS1PyB+Re6kx7gO/zwNS5BiC977TyY3uz+wF1VKceuOdBIul2H3hWvxl1Iomxh4QOvRTgwJrp9tZP09dE5pehqL4hQNQQFVwP323hLcN3eYWNXzucnutlBTdHD/ol9ofyKzKtjkj8zP4CJ3OUhDhFiwR16VLjPT5FmREd5wS9VFAyDuyYZTcYLJbgZyOqR/jRBFjHdjpO/0IdKWDuz47mtiZo/nR/bUJEGLmru6PHTIYcMGlwXn/egNLYJGqArCuyd8zHy6raLzWDECUcp6eOkIWVK08LUcNiP+uTfKGB4x5oycH76VHlc0iGzbKxGwCa/2kT sub@nami.local
ricc:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNDHuxo2XOtqOfjYj/9uBwLqCztqimn3F/wioLfts0fip9LbHGX7Ahzm8sS/C2dxpSkmtRxOeqRirbPycTHYBRTRm+pF1jIETYA70+lsNZNRAJzBlaSJidfPyPiRixKZVcg23Tv8ZnvKGMiC15dQQgVW2xBcu6CVHUziKKZMvsmp86EvRa2PH2NdCywL5AYgbdETdpWFUbXm0OWcbzHrsr6CS9bv/+i6Gvs4Rthi2F+7HNEqdPHbrRHs7rfSzOz6sfbO5mUSTRIvOVpMQmxcW2YZ3oKjXNE1ES5w1XtqBahMpXgH+rFk2H5BZjN21jp1U9GIWLITHf8hIbsDQaJGlr ricc@derek.dub.corp.google.com
josselinc:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiHJ/i1Ny2bIc5znUuArn5uFQ7ARGMbyflsx5TkiDyAa2L5LwWA8CgZ4/ARMxjQT8Eg0eCrQbcuXhNtWovWUq7KjjJcR/uSVHGiKS3gkpp7yv+h9xl8D9gAK3vAwEjCkD9jhp4SihJfXiG7OHppimCQsecaqK8hfDy1JVjiPjRCi62TKtrij0IMnQDyWwVt1/2TWcpwLWTzuk6AHbMaDI/W58M2XdpTwCIXJkr4fziVI9VnGtjVSRZ7WfoZgJIbciZn6YE1NPewdPXOGIEjZdZdQB6vzVRyFyiRgq5bd5Y8timxanYZFzjgN7gepw3Pnt4lMHI5ZGJXKrlNsVQCJKv josselinc@josselinc-m91-l.syd.corp.google.com
josselinc:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnpaDwdtCi5A4nIZfYKDEnIGw1xvF6p/x5X3YcYohwdYaesFSB5rhKsZCj0ZHGOG20/bfiSwzpBDlCfNZtIgspUG9VaBMi85UEzzhB1np3KMR8wpYRFPjJ5PVAXH5dRKe7Yx39I1EcijCMn3H/unf814lTvwFVcNRVusaSUZYmngHJSfX0raGXoCWR6EjS71+bN4F5iY45npfQJimqJu/meeB7YKdeWQr+j9hO7tuMTlC2ft5XQNWW+a4Cjdlnyhfxkiq0O75q/cPAHhJMu/2YnY96Z4JUtbKsvkkOejFh/fUeG25OXLR+/4aQevjwPZGKoUQTwJ8CMXY8nEJrDSe3 josselinc@hs-ghfs-nn
sub:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc2TMs9h2c9EZAdroC/CI6yuKCP4tcIAt1aIa6JAed9tAjNhPK3srbl8GPsP8xO+AkzPqwLHdaaCTmky109Uqm0fKWy69hU5LZ7c3CeERnNUGW8tQMnHWDcGISJFtxahRTpTW3iluTEhGuqbKRY/X8bR3MKE2LIOS7MgbQCzkjU1FnFqTFnrPokT/WALDQEj496yoSbqi5Z22sWSH5PJbFykfrfdfUvfy1wfpvvKaXR0D2Sxfvrq2B9EE4QWM7E2NpwcpGhfwLIzx8PdVSPhuULHEzOGPo5HpaTFTWxhAO+eU44ugKuxgVpM0ZwqOW0i98Z07iRL8GVgbvebf345V1 sub@nami.roam.corp.google.com
gceadmin:ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA0sPvvbcgltS874ky5iheOC0fcexmrLEFFX3vfBYi3qzAD4hkFpk2K/UK9sCYNB9RObkZrHcKGBL2eNjLM1Hi7K8/MtCVqrsF5MdpDj3+UVNVcMsQVQvTiqU9K5DLEeFYmM+soSTzpiCTc9ch5pLjGTgC/wztAW1MSRBwwqpowg00YzKkiw5LY/FA3icUXl7Avq6M8hOpIZpTpOasprGVg675j0NazidFv2/lHsPWPmMkdi7A2/7dfU1yW1IWsjKiJ8tNfFAY/2u9qP7/2xQwUvNIKlWARiFN6OMZqIG0LmEe53uKXXWagtbh8GnoDp03dbbZR9H5JOk89XJAo4HHCw== gceadmin@SOURCE-WINDOWS
gceadmin:ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAqzVD4ySo+S3sFH8CA1/bAPoUMgGqHn5H7w5+IsvrPVCWah+uadS8t70DZFF7eNcSJI4pB1wXSaLe4z+i+4oRHhtTleBRHWLT8vZ0IBq+nFEABZd+RGLZcSedOlisNWW7YAR7EqEotI5UPvvmrWaaUQAip5FQeA/CTaI7Rrz8D51xm6lFa7Bq5Gmb4pGZ3kKtrklXqdftH/RUgYG8wobvZn/+5ex0PjVfvW3QhRMHtbcm0B1NU0PzOvKPuxMXTOrUvCYPoFx9X2bEVHAMe0/Z/t9DIgqjabx1syz8JxtPeXlTAjEK1+KRiGrzmyC9wsceUwSAVrfGySp+Nn0tdagPDw== gceadmin@SOURCE-WINDOWS
:/usr/share/google/get_metadata_value authorized_keys
traceroute to apis.google.com (173.194.66.138), 30 hops max, 60 byte packets :/usr/bin/diff -su /root/tmp-gee-769220.82768633.33139/authkeys1 /root/tmp-gee-769220.82768633.33139/authkeys2
Files /root/tmp-gee-769220.82768633.33139/authkeys1 and /root/tmp-gee-769220.82768633.33139/authkeys2 are identical
:rm -f /root/tmp-gee-769220.82768633.33139/authkeys1 /root/tmp-gee-769220.82768633.33139/authkeys2
:grep -qw authkeys
:echo
:[ 1 = 1 ]
:echo ### Authorized keys
### Authorized keys
:grep ^UID_MIN /etc/login.defs
:l=UID_MIN 1000
:grep ^UID_MAX /etc/login.defs
:l1=UID_MAX 60000
:cut -d : -f 6
:awk -F: -v min= 1000 -v max= 60000 { if ( $3 >= min && $3 <= max ) print $0} /etc/passwd
:HOMEDIRS=/home/cpst
/home/josselinc
/home/sub
/home/ricc
/home/gceadmin
:read homedir
:echo /home/cpst
/home/josselinc
/home/sub
/home/ricc
/home/gceadmin
:ssh-keygen -lf /home/cpst/.ssh/authorized_keys
1024 ed:f2:bd:d9:02:b0:32:b9:2b:36:e8:ea:84:04:14:c4 cloud-platform-support-team@google
(DSA) 107 | :[ -f /home/cpst/.ssh/authorized_keys2 ] 108 | :read homedir 109 | :ssh-keygen -lf /home/josselinc/.ssh/authorized_keys 110 | 2048 60:cd:44:b4:67:d0:7f:b6:04:b0:37:88:28:ba:4e:fc josselinc@josselinc-m91-l.syd.corp.google.com (RSA) 111 | :[ -f /home/josselinc/.ssh/authorized_keys2 ] 112 | :read homedir 113 | :ssh-keygen -lf /home/sub/.ssh/authorized_keys 114 | 1024 41:0f:37:2a:4c:83:fd:c6:09:e2:e0:1f:b5:b6:8f:1c sub@submonster.syd.corp.google.com (DSA) 115 | :[ -f /home/sub/.ssh/authorized_keys2 ] 116 | :read homedir 117 | :ssh-keygen -lf /home/ricc/.ssh/authorized_keys 118 | 2048 04:6e:2c:6d:34:f7:30:89:21:c6:3c:a3:a0:d4:3f:31 ricc@derek.dub.corp.google.com (RSA) 119 | :[ -f /home/ricc/.ssh/authorized_keys2 ] 120 | :read homedir 121 | :ssh-keygen -lf /home/gceadmin/.ssh/authorized_keys 122 | 2048 48:d5:a3:e7:bb:66:2c:41:3a:14:ed:39:61:01:08:ec gceadmin@SOURCE-WINDOWS (RSA) 123 | :[ -f /home/gceadmin/.ssh/authorized_keys2 ] 124 | :read homedir 125 | :grep -qw sshdconf 126 | :echo 127 | :[ 1 = 1 ] 128 | :echo /etc/ssh/sshd_config 129 | /etc/ssh/sshd_config 130 | :grep -v PasswordAuthentication 131 | :grep -v PermitRootLogin 132 | :grep -v Port 133 | :egrep -v ^#|^$ /etc/ssh/sshd_config 134 | :cat 135 | :SSHD_OPTIONS=-d -f /root/tmp-gee-769220.82768633.33139/ssh/sshd_config -o 'AuthorizedKeysFile /root/tmp-gee-769220.82768633.33139/ssh/authorized_keys' 136 | :grep -qw sshd 137 | :echo 138 | :[ 1 = 1 ] 139 | :ls -ldZ /root/.ssh 140 | drwx------ 2 root root ? 4096 Jun 25 10:50 /root/.ssh 141 | :ls -lZ /root/.ssh 142 | :grep -v debug1: rexec_argv 143 | :xargs timeout 5m /usr/sbin/sshd 144 | :echo -d -f /root/tmp-gee-769220.82768633.33139/ssh/sshd_config -o 'AuthorizedKeysFile /root/tmp-gee-769220.82768633.33139/ssh/authorized_keys' 145 | total 8 146 | -rw-r--r-- 1 root root ? 1 Jun 25 10:50 authorized_keys2 147 | -rw-r--r-- 1 root root ? 
222 Jun 24 13:45 known_hosts 148 | :KEY=/root/tmp-gee-769220.82768633.33139/ssh/test-key 149 | :ssh-keygen -q -f /root/tmp-gee-769220.82768633.33139/ssh/test-key -N -t dsa -V +2m 150 | 151 | 1 we-in-f138.1e100.net (173.194.66.138) 2.358 ms 2.334 ms 2.324 ms 152 | :echo -e \n\n 153 | :echo -n from="127.0.0.1",command="/bin/echo" 154 | :cat /root/tmp-gee-769220.82768633.33139/ssh/test-key.pub 155 | :chmod 0600 /root/tmp-gee-769220.82768633.33139/ssh/authorized_keys 156 | :ssh -v -p 3562 -i /root/tmp-gee-769220.82768633.33139/ssh/test-key -o StrictHostKeyChecking=no localhost echo 2>&1 157 | OpenSSH_6.0p1 Debian-4+deb7u1, OpenSSL 1.0.1e 11 Feb 2013 158 | debug1: Reading configuration data /etc/ssh/ssh_config 159 | debug1: /etc/ssh/ssh_config line 19: Applying options for * 160 | debug1: Connecting to localhost [127.0.0.1] port 3562. 161 | debug1: Connection established. 162 | debug1: permanently_set_uid: 0/0 163 | debug1: identity file /root/tmp-gee-769220.82768633.33139/ssh/test-key type 2 164 | debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024 165 | debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024 166 | debug1: identity file /root/tmp-gee-769220.82768633.33139/ssh/test-key-cert type -1 167 | debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u1 168 | debug1: match: OpenSSH_6.0p1 Debian-4+deb7u1 pat OpenSSH* 169 | debug1: Enabling compatibility mode for protocol 2.0 170 | debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u1 171 | debug1: SSH2_MSG_KEXINIT sent 172 | debug1: SSH2_MSG_KEXINIT received 173 | debug1: kex: server->client aes128-ctr hmac-md5 none 174 | debug1: kex: client->server aes128-ctr hmac-md5 none 175 | debug1: sending SSH2_MSG_KEX_ECDH_INIT 176 | debug1: expecting SSH2_MSG_KEX_ECDH_REPLY 177 | debug1: Server host key: ECDSA 05:10:20:80:be:f8:4d:e5:3a:67:8c:49:d6:44:65:e8 178 | debug1: Host '[localhost]:3562' is known and matches the ECDSA host key. 
179 | debug1: Found key in /root/.ssh/known_hosts:1 180 | debug1: ssh_ecdsa_verify: signature correct 181 | debug1: SSH2_MSG_NEWKEYS sent 182 | debug1: expecting SSH2_MSG_NEWKEYS 183 | debug1: SSH2_MSG_NEWKEYS received 184 | debug1: Roaming not allowed by server 185 | debug1: SSH2_MSG_SERVICE_REQUEST sent 186 | debug1: SSH2_MSG_SERVICE_ACCEPT received 187 | debug1: Authentications that can continue: publickey 188 | debug1: Next authentication method: publickey 189 | debug1: Offering DSA public key: /root/tmp-gee-769220.82768633.33139/ssh/test-key 190 | debug1: Server accepts key: pkalg ssh-dss blen 433 191 | debug1: read PEM private key done: type DSA 192 | debug1: Authentication succeeded (publickey). 193 | Authenticated to localhost ([127.0.0.1]:3562). 194 | debug1: channel 0: new [client-session] 195 | debug1: Requesting no-more-sessions@openssh.com 196 | debug1: Entering interactive session. 197 | debug1: sshd version OpenSSH_6.0p1 Debian-4+deb7u1 198 | debug1: read PEM private key done: type RSA 199 | debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048 200 | debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048 201 | debug1: private host key: #0 type 1 RSA 202 | debug1: read PEM private key done: type DSA 203 | debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024 204 | debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024 205 | debug1: private host key: #1 type 2 DSA 206 | debug1: read PEM private key done: type ECDSA 207 | debug1: Checking blacklist file /usr/share/ssh/blacklist.ECDSA-256 208 | debug1: Checking blacklist file /etc/ssh/blacklist.ECDSA-256 209 | debug1: private host key: #2 type 3 ECDSA 210 | Set /proc/self/oom_score_adj from -1000 to -1000 211 | debug1: Bind to port 3562 on 0.0.0.0. 212 | Server listening on 0.0.0.0 port 3562. 213 | debug1: Bind to port 3562 on ::. 214 | Server listening on :: port 3562. 215 | debug1: Server will not fork when running in debugging mode. 
216 | debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 217 | debug1: inetd sockets after dupping: 3, 3 218 | Connection from 127.0.0.1 port 41596 219 | debug1: Client protocol version 2.0; client software version OpenSSH_6.0p1 Debian-4+deb7u1 220 | debug1: match: OpenSSH_6.0p1 Debian-4+deb7u1 pat OpenSSH* 221 | debug1: Enabling compatibility mode for protocol 2.0 222 | debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u1 223 | debug1: permanently_set_uid: 102/65534 [preauth] 224 | debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth] 225 | debug1: SSH2_MSG_KEXINIT sent [preauth] 226 | debug1: SSH2_MSG_KEXINIT received [preauth] 227 | debug1: kex: client->server aes128-ctr hmac-md5 none [preauth] 228 | debug1: kex: server->client aes128-ctr hmac-md5 none [preauth] 229 | debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] 230 | debug1: SSH2_MSG_NEWKEYS sent [preauth] 231 | debug1: expecting SSH2_MSG_NEWKEYS [preauth] 232 | debug1: SSH2_MSG_NEWKEYS received [preauth] 233 | debug1: KEX done [preauth] 234 | debug1: userauth-request for user root service ssh-connection method none [preauth] 235 | debug1: attempt 0 failures 0 [preauth] 236 | debug1: user root matched 'User root' at line 31 237 | debug1: connection from 127.0.0.1 matched 'Address 127.0.0.1' at line 31 238 | debug1: PAM: initializing for "root" 239 | debug1: PAM: setting PAM_RHOST to "127.0.0.1" 240 | debug1: PAM: setting PAM_TTY to "ssh" 241 | debug1: userauth-request for user root service ssh-connection method publickey [preauth] 242 | debug1: attempt 1 failures 0 [preauth] 243 | debug1: test whether pkalg/pkblob are acceptable [preauth] 244 | debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024 245 | debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024 246 | debug1: temporarily_use_uid: 0/0 (e=0/0) 247 | debug1: trying public key file /root/tmp-gee-769220.82768633.33139/ssh/authorized_keys 248 | debug1: fd 4 clearing O_NONBLOCK 249 | debug1: 
matching key found: file /root/tmp-gee-769220.82768633.33139/ssh/authorized_keys, line 1 250 | Found matching DSA key: 41:4d:9e:ee:6d:c3:ff:46:25:81:f0:14:e3:fc:e1:8a 251 | debug1: restore_uid: 0/0 252 | Postponed publickey for root from 127.0.0.1 port 41596 ssh2 [preauth] 253 | debug1: userauth-request for user root service ssh-connection method publickey [preauth] 254 | debug1: attempt 2 failures 0 [preauth] 255 | debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024 256 | debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024 257 | debug1: temporarily_use_uid: 0/0 (e=0/0) 258 | debug1: trying public key file /root/tmp-gee-769220.82768633.33139/ssh/authorized_keys 259 | debug1: fd 4 clearing O_NONBLOCK 260 | debug1: matching key found: file /root/tmp-gee-769220.82768633.33139/ssh/authorized_keys, line 1 261 | Found matching DSA key: 41:4d:9e:ee:6d:c3:ff:46:25:81:f0:14:e3:fc:e1:8a 262 | debug1: restore_uid: 0/0 263 | debug1: ssh_dss_verify: signature correct 264 | Root login accepted for forced command. 265 | debug1: do_pam_account: called 266 | Accepted publickey for root from 127.0.0.1 port 41596 ssh2 267 | Root login accepted for forced command. [preauth] 268 | debug1: monitor_read_log: child log fd closed 269 | debug1: monitor_child_preauth: root has been authenticated by privileged process 270 | debug1: PAM: establishing credentials 271 | debug1: Entering interactive session debug1: Remote: Forced command. 272 | debug1: Remote: Forced command. 273 | debug1: Sending environment. 
274 | debug1: Sending command: echo 2>&1 275 | debug1: SELinux support disabled 276 | debug1: PAM: reinitializing credentials 277 | debug1: permanently_set_uid: 0/0 278 | Environment: 279 | USER=root 280 | LOGNAME=root 281 | HOME=/root 282 | PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11 283 | MAIL=/var/mail/root 284 | SHELL=/bin/bash 285 | SSH_CLIENT=127.0.0.1 41596 3562 286 | SSH_CONNECTION=127.0.0.1 41596 127.0.0.1 3562 287 | SSH_ORIGINAL_COMMAND=echo 2>&1 288 | 289 | debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 290 | debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0 291 | debug1: channel 0: free: client-session, nchannels 1 292 | debug1: fd 1 clearing O_NONBLOCK 293 | Transferred: sent 2728, received 2976 bytes, in 0.0 seconds 294 | Bytes per second: sent 67913.1, received 74087.0 295 | debug1: Exit status 0 296 | :echo >>> SSH localhost login succcess 297 | >>> SSH localhost login succcess 298 | :rm -f /root/tmp-gee-769220.82768633.33139/ssh/test-key /root/tmp-gee-769220.82768633.33139/ssh/test-key.pub 299 | for SSH2. 300 | debug1: server_init_dispatch_20 301 | debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768 302 | debug1: input_session_request 303 | debug1: channel 0: new [server-session] 304 | debug1: session_new: session 0 305 | debug1: session_open: channel 0 306 | debug1: session_open: session 0: link with channel 0 307 | debug1: server_input_channel_open: confirm session 308 | debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0 309 | debug1: server_input_channel_req: channel 0 request exec reply 1 310 | debug1: session_by_channel: session 0 channel 0 311 | debug1: session_input_channel_req: session 0 req exec 312 | debug1: Forced command (config) '/bin/echo' 313 | debug1: Received SIGCHLD. 
314 | debug1: session_by_pid: pid 12605 315 | debug1: session_exit_message: session 0 channel 0 pid 12605 316 | debug1: session_exit_message: release channel 0 317 | Received disconnect from 127.0.0.1: 11: disconnected by user 318 | debug1: do_cleanup 319 | debug1: PAM: cleanup 320 | debug1: PAM: closing session 321 | debug1: PAM: deleting credentials 322 | xargs: timeout: exited with status 255; aborting 323 | :rm -f /root/tmp-gee-769220.82768633.33139/ssh/sshd_config 324 | :rm -f /root/tmp-gee-769220.82768633.33139/ssh/authorized_keys 325 | :echo 326 | 327 | :grep -qw sys 328 | :echo 329 | :[ 1 = 1 ] 330 | :echo ### System, filesystem, memory 331 | ### System, filesystem, memory 332 | :[ -f /usr/bin/lsb_release ] 333 | :/usr/bin/lsb_release -a 334 | No LSB modules are available. 335 | Distributor ID: Debian 336 | Description: Debian GNU/Linux 7.5 (wheezy) 337 | Release: 7.5 338 | Codename: wheezy 339 | :/bin/uname -a 340 | Linux test1 3.2.0-4-amd64 #1 SMP Debian 3.2.57-3+deb7u2 x86_64 GNU/Linux 341 | :/bin/mount 342 | sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime) 343 | proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) 344 | udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=474010,mode=755) 345 | devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000) 346 | tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=380364k,mode=755) 347 | /dev/disk/by-uuid/db891c02-ae4f-4d0e-871d-1e86892fbb81 on / type ext4 (rw,relatime,user_xattr,barrier=0,data=ordered) 348 | tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k) 349 | tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=760720k) 350 | :cat /etc/fstab 351 | # UNCONFIGURED FSTAB FOR BASE SYSTEM 352 | LABEL=/ / ext4 defaults,barrier=0 1 1 353 | :/bin/mount -fav 354 | :echo 355 | 356 | :/bin/df -l -x tmpfs -P 357 | Filesystem 1024-blocks Used Available Capacity Mounted on 358 | rootfs 10320184 835912 8960036 9% / 359 | 
udev 10240 0 10240 0% /dev 360 | /dev/disk/by-uuid/db891c02-ae4f-4d0e-871d-1e86892fbb81 10320184 835912 8960036 9% / 361 | :ls / 362 | authorized_keys 363 | bin 364 | boot 365 | dev 366 | etc 367 | home 368 | initrd.img 369 | lib 370 | lib64 371 | media 372 | mnt 373 | opt 374 | proc 375 | root 376 | run 377 | sbin 378 | selinux 379 | srv 380 | sys 381 | tmp 382 | usr 383 | var 384 | vmlinuz 385 | :free -k 386 | total used free shared buffers cached 387 | Mem: 3803636 536856 3266780 0 130252 304728 388 | -/+ buffers/cache: 101876 3701760 389 | Swap: 0 0 0 390 | :/usr/bin/uptime 391 | 09:53:27 up 8 days, 21:40, 1 user, load average: 0.05, 0.03, 0.05 392 | :echo 393 | 394 | :grep -qw usersec 395 | :echo 396 | :[ 1 = 1 ] 397 | :echo ### Users and security 398 | ### Users and security 399 | :md5sum /usr/share/google/google_daemon/manage_accounts.py 400 | 04273c8e606f249a72aa661235571429 /usr/share/google/google_daemon/manage_accounts.py 401 | :ps -C manage_accounts.py -C startpar uw 402 | USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND 403 | root 2056 0.0 0.0 4096 624 ? Ss Jun24 0:00 startpar -f -- google-accounts-manager 404 | root 2059 0.0 0.1 47160 7228 ? S Jun24 0:01 /usr/bin/python /usr/share/google/google_daemon/manage_accounts.py --daemon 405 | root 12511 0.0 0.2 47860 8648 ? 
S 09:50 0:00 /usr/bin/python /usr/share/google/google_daemon/manage_accounts.py --daemon 406 | :/usr/sbin/visudo -c 407 | /etc/sudoers: parsed OK 408 | /etc/sudoers.d/README: parsed OK 409 | :egrep -v ^#|^$ 410 | :cat /etc/selinux/semanage.conf 411 | module-store = direct 412 | :[ -f /usr/bin/faillog ] 413 | :grep -v ^$ 414 | :echo 60000 415 | :/usr/bin/faillog -a -u 1000-60000 416 | Login Failures Maximum Latest On 417 | cpst 0 0 01/01/70 00:00:00 +0000 418 | josselinc 0 0 01/01/70 00:00:00 +0000 419 | sub 0 0 01/01/70 00:00:00 +0000 420 | ricc 0 0 01/01/70 00:00:00 +0000 421 | gceadmin 0 0 01/01/70 00:00:00 +0000 422 | :[ 0 = 1 ] 423 | :grep -qw traceroute 424 | :echo 425 | :[ 1 = 1 ] 426 | :/usr/sbin/traceroute -n au.pool.ntp.org 427 | traceroute to au.pool.ntp.org (27.116.36.36), 30 hops max, 60 byte packets 428 | 1 216.239.47.86 1.434 ms 209.85.250.162 1.401 ms 1.157 ms 429 | 2 216.239.47.86 1.385 ms 209.85.248.100 342.027 ms 341.876 ms 430 | 3 209.85.250.162 1.124 ms 216.239.47.86 1.364 ms 209.85.250.162 1.360 ms 431 | 4 209.85.250.162 1.121 ms 209.85.248.70 345.069 ms 345.256 ms 432 | 5 209.85.248.100 342.322 ms 209.85.248.70 344.729 ms 345.521 ms 433 | 6 209.85.248.70 345.662 ms 209.85.250.162 0.810 ms 0.774 ms 434 | 7 216.239.47.86 0.774 ms 209.85.248.100 341.194 ms 216.239.47.86 0.900 ms 435 | 8 209.85.248.70 344.671 ms 216.239.47.86 0.766 ms 209.85.248.70 344.515 ms 436 | 9 72.14.238.17 6.557 ms 72.14.242.167 6.536 ms 72.14.238.17 6.352 ms 437 | 10 64.233.175.36 89.812 ms 64.233.175.38 89.166 ms 72.14.235.91 90.070 ms 438 | 11 72.14.235.12 89.374 ms 89.339 ms 66.249.95.229 90.071 ms 439 | 12 216.239.48.4 96.567 ms 72.14.238.88 96.730 ms 216.239.48.4 96.472 ms 440 | 13 72.14.239.81 207.465 ms 159.812 ms 72.14.239.83 159.545 ms 441 | 14 72.14.238.187 339.418 ms 339.517 ms 339.236 ms 442 | 15 66.249.95.233 341.471 ms 341.181 ms 66.249.95.235 338.130 ms 443 | 16 103.26.68.73 351.066 ms 351.440 ms 351.329 ms 444 | 17 * * * 445 | 18 * * * 446 | 19 * * * 447 | 
20 * * * 448 | 21 * * * 449 | 22 * * * 450 | 23 * * * 451 | 24 * * * 452 | 25 * * * 453 | 26 * * * 454 | 27 * * * 455 | 28 * * * 456 | 29 * * * 457 | 30 * * * 458 | :echo 459 | 460 | :rm -rf /root/tmp-gee-769220.82768633.33139 461 | :echo ### == DONE == 462 | ### == DONE == 463 | --------------------------------------------------------------------------------