Just a quick post about a tool I’ve created recently.
One of the things I do in my day job is managing a fleet of few hundred of AWS EC2 nodes. Configuration is managed by Salt and in most cases we can safely forget about single machines.
Sometimes some unexpected stuff happens on one of the nodes and I have to SSH into it. Now, I usually get a report about machine X having some problems. I would happily SSH into X but we don’t expose SSH directly - I have to establish a VPN connection and then use X’s private IP address to log in. The value of X is just a hostname and it resolves to the public address.
How do I get from X to its private IP? One way would be to open AWS Console, look up X in its region and get the private IP from there (or use AWS API). This is really interruptive to the workflow and can get painful when you have to reach out to actually get the access to AWS Console/API (yes, corporate security is watching your tokens and your fingers typing the commands).
But X’s private IP rarely changes - I can just grab a list of all nodes once (using AWS API) and then just look up X there. Generating the list is fairly easy, now I just need something for lookup. Let’s use fuzzy search!
funsshLo and behold the funssh script (Fuzzy UNSecure SHell). The main part of the script are these two lines:
HOST=$(cat $FUNSSH_ROOT/* | fzf | awk '{print $1}')
...
$SSH_CMD $HOST $*
It looks for files with host lists in ~/.funssh directory. Each host is represented by a line, the first item is what SSH will use for connection, the rest is to ease the search (hostname, host IP addresses, etc.).
Internally it uses fzf which is a great fuzzy search utility.
Now I just have to grab a list of nodes I manage, format it nicely and put it in ~/.funssh.
Also on each run funssh will parse ~/.ssh/known_hosts and extract host information from there. That is what the inline AWK script (in AWK_PARSE_SSH_KNOWN_HOSTS var) is for.
You can find the script here in my Home Sweet Home repo.
funssh uses few options that will make SSH slightly less secure (-o UserKnownHostsFile=/dev/null -o CheckHostIP=no -o StrictHostKeyChecking=no). For example it will not check host’s fingerprint so is susceptible to Man-in-the-Middle Attack. It’s not an issue for me since I control the list of hosts and I establish connection withing the VPN.