Extending Your Admin Reach with Cellmate
John Ouellette
Cellmate extends the reach of systems administrators by enabling
them to control a Unix machine with a cell phone. The cell phone
simply needs to be able to send a text message to a standard SMTP
Internet address.
Cellmate was born out of frustration while I was on call in the
winter. I was really looking forward to going skiing but the mountain
was 3 hours away, and I really didn't have a decent way of connecting
through our corporate VPN without my laptop while on the slopes.
Also, if a real emergency were to require me to find a local coffee
shop with Internet access, I'd have to remove all my ski gear and
pretty much call it quits.
I was determined to find a way to execute a command remotely on
a server that I administer without needing a laptop or getting off
the mountain. I also didn't want to purchase a new cell phone, use
any special hardware, or use anything other than open source software,
because I wanted Cellmate to be accessible to everyone in my position.
My theory was that if I could send an email with a command to my
inbox, surely I could have that command run where I need it as if
I were there. Of course, this is entirely possible.
I didn't have control over my company's DNS or mail servers, and
the machines I administered in the DMZ had heavy restrictions on
them. Thus, modifying MX records or forwarding mail especially for
my application was not possible. However, internally I could surf
to any standard or secured (SSL) Web site, because port 80 and 443
were open. So all I needed to do was send an email from my cell
phone to my Yahoo! Web mail account and then have it downloaded
from an internal server automatically.
The Tools
After some research, I found my first open source tool used in
Cellmate -- Fetchyahoo -- which does exactly that. An important
security consideration in choosing Fetchyahoo was its ability to
login via SSL, which is its default mode of operation. Installation
of Fetchyahoo involves installing a handful of Perl modules and
comes with good documentation. Review the author's site listed in
the resources section for full details. The first script in use
for Cellmate is fetch_yahoo.sh, as shown in Listing 1.
Note that I delete all the mail after it is downloaded using the
--delete option and overwrite the current user's mailbox
with the --overwrite option to ensure commands are only processed
once. Finally, I only retrieve new mail, using the --newonly
option. Once I had my Web mail in my Unix inbox, I needed to extract
the emails sent from my cell phone. Some searching on sourceforge.net
led me to Grepmail, which is an open source project that, in the
words of the author, will "Search for emails in a normal or compressed
mailbox using a regular expression or date constraint". Listing
2 shows the syntax of Grepmail in action in the mail_from_yahoo.sh
script extracting email sent from the email address of the cell
phone.
Note that I delete $MAIL, again to avoid duplicate command
processing, so I would recommend creating a separate account just
for the purpose of running Cellmate. I also use the -H and
-B flags for Grepmail, which will print only short headers
and no email bodies, since I only care about the subject line of
the incoming email.
Once I had the Web mail downloaded locally into a file, I needed to
process it. I decided that the subject of the email would use this
format: Subject:cmd+command+optionalhost. I used the +
sign as a delimiter because I rarely use that character on the command
line.
The Cellmate Process
The email is put into one of two initial queues when it's processed,
using the queue.sh script (Listing 3). If the subject starts with
cmd+, the command is extracted from the subject line and
assigned a unique ID and a random five-digit password, using the
rand.pl script (Listing 4). If it starts with a number, it is placed
in the password queue (see Figure 1 for process flow).
All commands in the command queue are then sent back to the sending
cell phone device as an authorization step using send_pass.sh (Listing
5). The user then needs to reply to the email containing the ID
and password to the Web mail account.
Cellmate will download the new email and place it in the password
queue, as previously described. Cellmate then goes through each
queue using the process_queue.sh script (Listing 6) and if the password
and ID in the password queue exist and match the password and ID
in the command check queue, a few things will happen:
First, a filter is applied to the command and matched against
a white list of characters A-Z, 0-9, and space, using the filter.pl
script (Listing 7). This increases the security by denying all command
statements that have a semicolon, &&, and ||
in them. An intruder might try to place a rogue command directly
after an innocuous one using any of these characters. The shell
uses the semicolon as a statement separator and will execute a command
based on the success or failure of a previous command with &&
and ||, respectively.
Second, if a host has been specified in the subject of the email,
the command will be launched through an ssh session to the remote
host. If no host is defined the command is simply executed locally.
Finally the results are sent back to the defined cell phone recipient.
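As an added illustration, not Cellmate's own queue.sh, filter.pl or process_queue.sh, here is a POSIX shell version of the subject parsing and whitelist step described above. It assumes the subject text is passed without the "Subject:" prefix, accepts lowercase letters alongside A-Z, and only builds the command line rather than executing it.

```shell
#!/bin/sh
# Added example, not Cellmate's own scripts: parse a "cmd+command+optionalhost"
# subject, apply the letters/digits/space whitelist, and build (not run) the
# command line that the processing step would execute, locally or via ssh.

# Prints "<command>|<host>" for a cmd+ subject (host empty when omitted);
# returns 1 for anything else, e.g. a numeric reply bound for the password queue.
parse_subject() {
    case $1 in
        cmd+*) ;;
        *) return 1 ;;
    esac
    rest=${1#cmd+}
    cmd=${rest%%+*}                  # text up to the next '+'
    host=""
    case $rest in
        *+*) host=${rest#*+} ;;      # everything after that '+'
    esac
    printf '%s|%s\n' "$cmd" "$host"
}

# Whitelist: only letters, digits and spaces survive (lowercase accepted here as
# an assumption). ';', '&&', '||' and any other shell metacharacter are rejected.
filter_command() {
    [ -n "$1" ] || return 1
    [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9 ')" ]
}

# Builds the invocation string: plain when no host was given, wrapped in ssh
# otherwise. Nothing is executed.
build_invocation() {
    if [ -n "$2" ]; then printf 'ssh %s %s\n' "$2" "$1"; else printf '%s\n' "$1"; fi
}

# End to end: returns 1 for a non-cmd subject, 2 when the command fails the
# whitelist, 0 with the invocation on stdout otherwise.
handle_subject() {
    parsed=$(parse_subject "$1") || return 1
    cmd=${parsed%%|*}
    host=${parsed#*|}
    filter_command "$cmd" || return 2
    build_invocation "$cmd" "$host"
}

# Constructed sample subjects for a stand-alone run:
handle_subject 'cmd+uptime'            # prints: uptime
handle_subject 'cmd+uptime+web01'      # prints: ssh web01 uptime
handle_subject 'cmd+uptime; id' || echo "rejected, status $?"
```

Note that the whitelist also rejects '-', so commands needing option flags would have to be wrapped in a named script on the target host.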
Cellmate Security
Note a few things about Cellmate's security. Anyone can forge
an email and pretend to be your cell phone's email address fairly
easily. However, only your cell phone can receive the reply to that
email and the one-time password sent to the device. The Achilles'
heel of Cellmate, thus, is the security of your wireless carrier.
The worst case would be an intruder hijacking your cellular account,
forwarding all text messages to his device, and replying with the
appropriate password to the correct email address.
steal your cell phone. However, as a counter to a brute force or
denial of service attack, Cellmate will stop processing after a
user-defined number of commands are in the queue; the default is
set to 10.
Security in Cellmate is on-going. The current version of Cellmate
supports an additional user-defined, three-digit code that the user
and Cellmate know about (listed in the process_queue.sh script).
The user then needs to append this code to the password in the subject
line of the reply.
In this way, the password that satisfies the condition to execute
the command is only transferred once through the airwaves, creating
an additional layer of security, even if your cell phone were to
be stolen. Thus, the intruder would now also need to consistently
intercept all messages sent by your cell phone, in addition to receiving
all replies, or compromise your Web account to analyze the emails.
However, any application that is capable of bypassing firewalls
and executing arbitrary commands should be reviewed in light of
your local security team's policy before deploying.
Future Work
The future of Cellmate has wide-reaching possibilities. For example,
it is entirely possible to send SQL commands to a database and have
them run remotely. This may come in handy for light database
administration work.
Cellmate is released under the GPL and may be easily modified
to work with other Web-based mail systems, such as Gmail or Hotmail.
The key would be finding an application to download the mail for
you, and as of this writing there are many. I have submitted this
application to the open source community to expand the reach of
all systems administrators and extend their skiing trips while on
call.
Resources
Fetchyahoo -- http://fetchyahoo.sourceforge.net/
Grepmail -- http://grepmail.sourceforge.net/
Security issues in Perl scripts -- http://www.cgisecurity.com/lib/sips.html
John Ouellette is a Senior Unix Administrator who believes the
command line is king. He can be contacted at: john_ouellette@yahoo.com.