From bryan@conserver.com Tue May 1 04:31:00 2001
From: Bryan Stansell
To: users@conserver.com
Subject: Re: Sun alternate break
Date: Tue, 01 May 2001 04:30:59 -0700 (PDT)

And one of the things I wanted to do was add an 'l2' escape sequence to
send the ~^b bits for you - it was suggested by a guy at the LISA
conference - good idea, no? The only trick is there's a bit of timing
you have to get right - I think it's a 0.5 second delay between each
character, otherwise it could be a random sequence coming over, say a
modem (why put a modem on the console port - ugh, I can see it being
done, but haven't ever done it) transferring a file. Anyway, you don't
really want to "lock up" conserver for a second or so while it's waiting
the prerequisite amount of time...and the sequence could be changed or
different for another device ('l3', 'l4', etc) so a real multi-threaded
or alarm-based or something method needs to be put together.

In the meantime, just type it by hand. One of these days all these
things will be in the code.

Bryan

Quoting Iain Rae:

> any suns which are patched should ignore any breaks sent via the
> conserver menu ( l1) but will halt if you type ~^b (quickly) at the
> terminal session. So you can use it without changing conserver, you
> just have to remember ~^b.

From Ernie.Oporto@viragelogic.com Tue May 1 09:32:39 2001
From: "Ernie Oporto"
To: "Conserver-Users"
Subject: checking passwords
Date: Tue, 1 May 2001 12:32:28 -0400

I have a Red Hat 7.1 machine that seems like it is not really reading the
conserver.passwd file to check users.  I have placed my username and hash in
that passwd file, which works on my machine running conserver, but not on my
colleague's machine, set up just the same way.  It seems to bring out that
conserver is not checking the passwd file for fake usernames, since I have
no user named cheeseblintzes. =)

[root@racoon /root]# console -l eoporto pumpkin
Enter eoporto's password:
console: pumpkin: Sorry.
[root@racoon /root]# console -l cheeseblintzes host
console: console: server host not found
[root@racoon /root]# console -l cheeseblintzes pumpkin
Enter cheeseblintzes's password:
console: pumpkin: Sorry.

The log file claims it is a bad password...
tail /var/log/conserver.log
conserver: pumpkin: tamale@: bad passwd
conserver: pumpkin: someone@: bad passwd
conserver: pumpkin: cheeseblintzes@: bad passwd
conserver: pumpkin: eoporto@: bad passwd

...yet that is the hash from my /etc/shadow file.

Is there any way for conserver to set the initial password instead of doing
the cut and paste?

--
Ernest A. Oporto, Systems Administrator
Virage Logic Corporation
http://www.viragelogic.com
Perryville Corporate Park, Bldg 3, Clinton, NJ 08809
Phone:(908)735-1932   Fax:(908)735-1999
mailto:Ernie.Oporto@viragelogic.com

From ChrisF@computone.com Tue May 1 12:23:01 2001
From: Chris Fowler
To: "'Ernie Oporto'", Conserver-Users
Subject: RE: checking passwords
Date: Tue, 1 May 2001 15:27:38 -0400

Actually I'm working on library functions that will manipulate the conserver.passwd file so that you
no longer have to use vi to add users. 

Chris


-----Original Message-----
From: Ernie Oporto [mailto:Ernie.Oporto@viragelogic.com]
Sent: Tuesday, May 01, 2001 12:32 PM
To: Conserver-Users
Subject: checking passwords


I have a Red Hat 7.1 machine that seems like it is not really reading the
conserver.passwd file to check users.  I have placed my username and hash in
that passwd file, which works on my machine running conserver, but not on my
colleague's machine, set up just the same way.  It seems to bring out that
conserver is not checking the passwd file for fake usernames, since I have
no user named cheeseblintzes. =)

[root@racoon /root]# console -l eoporto pumpkin
Enter eoporto's password:
console: pumpkin: Sorry.
[root@racoon /root]# console -l cheeseblintzes host
console: console: server host not found
[root@racoon /root]# console -l cheeseblintzes pumpkin
Enter cheeseblintzes's password:
console: pumpkin: Sorry.

The log file claims it is a bad password...
tail /var/log/conserver.log
conserver: pumpkin: tamale@: bad passwd
conserver: pumpkin: someone@: bad passwd
conserver: pumpkin: cheeseblintzes@: bad passwd
conserver: pumpkin: eoporto@: bad passwd

...yet that is the hash from my /etc/shadow file.

Is there any way for conserver to set the initial password instead of doing
the cut and paste?

--
Ernest A. Oporto, Systems Administrator
Virage Logic Corporation
http://www.viragelogic.com
Perryville Corporate Park, Bldg 3, Clinton, NJ 08809
Phone:(908)735-1932   Fax:(908)735-1999
mailto:Ernie.Oporto@viragelogic.com
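
The following is an added example, not part of the original messages and not conserver's own code. It parses the three-field conserver.passwd layout that replies in this thread describe (user, "*passwd*" or a hash, "any" or a console list), reports entries worth reviewing, and rewrites one entry without hand-editing; the function names, the sample file and the 100-character threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

SYSTEM_LOOKUP = "*passwd*"   # literal from the thread: password comes from the system lookup
ANY = "any"                  # literal from the thread: no per-console restriction
CONSOLE_LIST_LIMIT = 100     # approximate figure quoted in the thread (assumption: check your build)


@dataclass(frozen=True)
class Entry:
    user: str
    password: str            # SYSTEM_LOOKUP, or a hash stored in this file
    consoles: tuple          # empty tuple means the field was the literal "any"

    def allows(self, console):
        return not self.consoles or console in self.consoles


def parse(text):
    """Parse conserver.passwd contents into ({user: Entry}, [(line, kind, detail)])."""
    entries, findings = {}, []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":", 2)
        if len(fields) != 3 or not fields[0]:
            findings.append((number, "malformed", line))
            continue
        user, password, console_field = fields
        if user in entries:
            findings.append((number, "duplicate-user", user))
            continue
        if console_field == ANY:
            consoles = ()
        else:
            consoles = tuple(c.strip() for c in console_field.split(",") if c.strip())
            if not consoles:
                # Fail closed: an empty list must never be read as "any".
                findings.append((number, "empty-console-list", user))
                continue
        if len(console_field) > CONSOLE_LIST_LIMIT:
            findings.append((number, "console-list-too-long", user))
        if not password:
            findings.append((number, "empty-password", user))
        elif password != SYSTEM_LOOKUP:
            # Per the thread, such an entry is checked against this hash only.
            findings.append((number, "embedded-hash", user))
        entries[user] = Entry(user, password, consoles)
    return entries, findings


def can_access(entries, user, console):
    """Deny unless the user has an entry and that entry covers the console."""
    entry = entries.get(user)
    return entry is not None and entry.allows(console)


def upsert(text, user, consoles=ANY, password=SYSTEM_LOOKUP):
    """Return new file contents holding exactly one entry for `user`."""
    field = consoles if isinstance(consoles, str) else ",".join(consoles)
    for value in (user, password, field):
        # A ':' or newline inside a field would let one value forge another entry.
        if not value or any(ch in value for ch in ":\r\n"):
            raise ValueError(f"unsafe field value: {value!r}")
    kept = [l for l in text.splitlines() if l.split(":", 1)[0].strip() != user]
    return "\n".join(kept + [f"{user}:{password}:{field}"]) + "\n"


# Constructed sample file; the hash-looking value is a placeholder, not a real hash.
SAMPLE = """\
eoporto:*passwd*:any
ops1:*passwd*:pumpkin,hydra
guest:PLACEHOLDERHASH:pumpkin
broken-line-without-fields
nobody:*passwd*:
"""

if __name__ == "__main__":
    entries, findings = parse(SAMPLE)
    for finding in findings:
        print(finding)
    for user, console in [("eoporto", "pumpkin"), ("ops1", "racoon"),
                          ("cheeseblintzes", "pumpkin")]:
        print(user, console, can_access(entries, user, console))
    print(upsert(SAMPLE, "ops1", ["pumpkin"]), end="")
```

An unlisted name such as cheeseblintzes and a listed user asking for a console outside their list are both denied by can_access(); the findings list separates file problems from those expected denials.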

From bryan@conserver.com Wed May 2 09:34:34 2001
From: Bryan Stansell
To: users@conserver.com
Subject: Re: checking passwords
Date: Wed, 02 May 2001 09:34:34 -0700 (PDT)

Hmmm...I'm not exactly sure what's going on here, but you should be able
to have the password be "*passwd*" instead of the hash and it will look
up the password using library calls just like other apps...so, you just
need to have

user1:*passwd*:any
user2:*passwd*:any
user3:*passwd*:any

and so on (user1 through user3 should be replaced with real
names...other things are literal). I *think* that will fix the problem -
or at least get around it. Sounds like there's probably something else
going on as well.

And, yes, if you put in a username and a hash in the conserver.passwd
file it will only use that and not check the real password file for
being a valid user...that way you can set up a conserver host with a few
admin accounts and a slew of conserver accounts so non-admins can access
consoles.

Anyway, if that helps at all, cool. If not, can you send some more info,
like the exact setup of all things (linux, conserver, the conserver
config files, etc)? A lot of info, I know, but I'm not sure what,
exactly, the problem is - maybe I'm just being dense.

Bryan

Quoting Ernie Oporto:

> I have a Red Hat 7.1 machine that seems like it is not really reading
> the conserver.passwd file to check users. I have placed my username and
> hash in that passwd file, which works on my machine running conserver,
> but not on my colleague's machine, set up just the same way. It seems to
> bring out that conserver is not checking the passwd file for fake
> usernames, since I have no user named cheeseblintzes. =)
>
> [root@racoon /root]# console -l eoporto pumpkin
> Enter eoporto's password:
> console: pumpkin: Sorry.
> [root@racoon /root]# console -l cheeseblintzes host
> console: console: server host not found
> [root@racoon /root]# console -l cheeseblintzes pumpkin
> Enter cheeseblintzes's password:
> console: pumpkin: Sorry.
>
> The log file claims it is a bad password...
> tail /var/log/conserver.log
> conserver: pumpkin: tamale@: bad passwd
> conserver: pumpkin: someone@: bad passwd
> conserver: pumpkin: cheeseblintzes@: bad passwd
> conserver: pumpkin: eoporto@: bad passwd
>
> ...yet that is the hash from my /etc/shadow file.
>
> Is there any way for conserver to set the initial password instead of
> doing the cut and paste?
>
> --
> Ernest A. Oporto, Systems Administrator
> Virage Logic Corporation
> http://www.viragelogic.com
> Perryville Corporate Park, Bldg 3, Clinton, NJ 08809
> Phone:(908)735-1932 Fax:(908)735-1999
> mailto:Ernie.Oporto@viragelogic.com

From doug@gblx.net Wed May 2 09:47:04 2001
From: Doug Hughes
To: users@conserver.com
Subject: Re: checking passwords
Date: Wed, 2 May 2001 09:47:46 -0700 (MST)

I notice that client/server connects are done in the clear
leaving passwords and commands in the clear. Is anybody currently
working on integrating SSL or other encryption into the mix?
Doug

From iainr@dcs.ed.ac.uk Wed May 2 10:02:45 2001
From: Iain Rae
To: Doug Hughes
Cc: users@conserver.com, iainr@dcs.ed.ac.uk
Subject: Re: checking passwords
Date: Wed, 02 May 2001 18:03:26 +0100

> I notice that client/server connects are done in the clear
> leaving passwords and commands in the clear. Is anybody currently
> working on integrating SSL or other encryption into the mix?
> Doug

I'm tentatively looking at this (well, I've printed out some of the ssl
docs and started reading up on ssl/tls) but I wouldn't exactly hold your
breath :) ). Given that we (informatics) will be moving to a kerberos
based system in the medium term pamifying console/conserver is on my
list of things to do if no-one else does first.

At the moment we are using a perl script to run ssh to the conserver pc
and then run console on the loopback interface, but this gets
information about which consoles are connected to which server via a
metadatabase which is used to build the conserver.cf and
conserver.passwd files so it's probably only a solution for us. If
people want to see my horrible perl then I'll post it but it's basically

search NIS maps to work out what to connect to
system("/usr/bin/ssh","-t","$console_server","/usr/bin/console -M localhost $args")

--
Iain Rae                        Tel:01316505202
Computing Officer               JCMB:2148
Division of Informatics
The University of Edinburgh

From bryan@stansell.org Thu May 3 06:50:10 2001
From: Bryan Stansell
To: announce@conserver.com, users@conserver.com
Subject: conserver-7.0.1 released
Date: Thu, 3 May 2001 06:50:10 -0700

Again, it took longer for me to get this out than expected. Sorry folks.
Good thing is compilation for *BSD type systems should be easier
(FreeBSD for sure, hopefully OpenBSD, etc). Thanks to all those
contributing patches. I have a couple others for 7.0.2, so if you don't
see yours here, it should be in the next release.

Oh, why did it take longer, you may ask? I'm travelling around Ireland
and England. Spending a little quality time in an Internet Cafe allowed
me to get this out the door. Fun, huh? ;-)

version 7.0.1 (May 3, 2001):
    - 8bit on by default now (use --disable-8bit for old behavior)
    - FreeBSD patches by Bill Fenner (hopefully *BSD systems will
      compile cleaner now)
    - Bad error reporting on getsockopt() found by Bill Fenner
    - PID file patch by Martin Andrews

Bryan Stansell

From iainr@dcs.ed.ac.uk Fri May 11 02:50:55 2001
From: Iain Rae
To: users@conserver.com
Subject: Authentication fun (revisited)
Date: Fri, 11 May 2001 10:51:50 +0100

...
>No PAM support is in the code right now. It's something I'd love to
>see added. Anything using PAM bits probably won't work...unless the
>standard getpwnam() and crypt() functions magically call the
>appropriate PAM routines.

I did some digging. The PAM authentication mechanism basically consists
of calling

pam_start(const char *service_name, const char *user,
          const struct pam_conv *pam_conversation, pam_handle_t **pamh)

and passing in the service name (to identify which of the rules in the
pam configuration you should use), the username to be authenticated, a
pointer to a structure containing a conversation function and some data
and finally a handle to the pam session being used.

You can then call a number of functions such as pam_authenticate or
pam_acct_mgmt (assuming the user is authenticated what does he have
access to). And you have to call pam_end to shut things down.

If you are using standard pam modules the main chunk of code you have to
write is the conversation function which handles interaction with the
pam modules (it would normally ask for the user's password or if you
already have this it passes it on to the PAM module).

If you simply wanted to replace the code in CheckPass which compares the
input password with the system password then I think this is fairly
trivial (some #ifdefs, the system calls listed above and write one
function which there are a couple of examples of floating around the
net). This isn't really pamifying the app though, to do that properly
you should really move the epass code into a module and there is more
work involved however I suspect that in the long run it would make
adding stuff like kerberos easier (for those that have pam).
--
Iain Rae                        Tel:01316505202
Computing Officer               JCMB:2148
Division of Informatics
The University of Edinburgh

From al@THEpal.com Wed May 16 15:51:14 2001
From: Albert Etienne
To: users@conserver.com
Subject: different console names
Date: Wed, 16 May 2001 18:50:48 -0400

I am having trouble using different names for the same console on
different console servers. Both machines are conserver.com version 7.0.1

host halibut:
/etc/conserver.cf

portserver:/dev/ttyb@rfcudev1:9600p:&:
rfcuapp1:!rfcuapp1@rfcudev1:9600p:&:
rfcudev1:!rfcudev1@rfcuapp1:9600p:&:


host rfcudev1:
/etc/conserver.cf

portserver:/dev/ttyb:9600p:&:
rfcudev1:!rfcudev1@rfcuapp1:9600p:&:
rfcuapp1:!portserver:2003:&:


works just fine.

But when I change halibut /etc/conserver.cf to

rfc-portserver:/dev/ttyb@rfcudev1:9600p:&:
rfcuapp1:!rfcuapp1@rfcudev1:9600p:&:
rfcudev1:!rfcudev1@rfcuapp1:9600p:&:


I get:

halibut# console rfc-portserver
console: rfcudev1: server rfc-portserver not found
halibut# console -v rfc-portserver
console: rfcudev1: server rfc-portserver not found
halibut#

The same thing happens to the other lines if the names don't match.
If I read the man page correctly, this should work.

cheers,
al

From bryan@stansell.org Wed May 16 17:10:18 2001
From: Bryan Stansell
To: users@conserver.com
Subject: Re: different console names
Date: Wed, 16 May 2001 17:10:18 -0700

Well, suggestion #1 is to use the same conserver.cf file on both hosts.
Just make sure you use the @rfcuapp1 or @rfcudev1 syntax like you have
below for all consoles - that way things get redirected appropriately.
So, just have:

portserver:/dev/ttyb@rfcudev1:9600p:&:
rfcuapp1:!rfcuapp1@rfcudev1:9600p:&:
rfcudev1:!rfcudev1@rfcuapp1:9600p:&:

or

rfc-portserver:/dev/ttyb@rfcudev1:9600p:&:
rfcuapp1:!rfcuapp1@rfcudev1:9600p:&:
rfcudev1:!rfcudev1@rfcuapp1:9600p:&:

Then, things should "just work".

The reason why it isn't working like you expect is that the client is
talking to rfcudev1 as the default console server ('console -V' should
show that - the error message shows the master host). If you do a
'console -M halibut rfc-portserver' then it should work, or better yet,
have one of the versions of the above .cf file and share it with all
console servers. That way it doesn't matter which master you talk to -
if it doesn't manage the console it will hand you off to the appropriate
one.

In general, running multiple servers with different conserver.cf files
can be done (and should be for certain situations involving firewalls
and such). The trick is to make sure the client talks to the right
master first. If you can, though, have them all share a common
conserver.cf file (easier to maintain too) and push a copy to all
servers.

Hope this helps clear things up a little. If anyone has questions, just
yell.

Bryan

On Wed, May 16, 2001 at 06:50:48PM -0400, Albert Etienne wrote:
> host halibut:
> /etc/conserver.cf
>
> portserver:/dev/ttyb@rfcudev1:9600p:&:
> rfcuapp1:!rfcuapp1@rfcudev1:9600p:&:
> rfcudev1:!rfcudev1@rfcuapp1:9600p:&:
>
>
> host rfcudev1:
> /etc/conserver.cf
>
> portserver:/dev/ttyb:9600p:&:
> rfcudev1:!rfcudev1@rfcuapp1:9600p:&:
> rfcuapp1:!portserver:2003:&:
>
>
> works just fine.
>
> But when I change halibut /etc/conserver.cf to
>
> rfc-portserver:/dev/ttyb@rfcudev1:9600p:&:
> rfcuapp1:!rfcuapp1@rfcudev1:9600p:&:
> rfcudev1:!rfcudev1@rfcuapp1:9600p:&:
>
>
> I get:
>
> halibut# console rfc-portserver
> console: rfcudev1: server rfc-portserver not found
> halibut# console -v rfc-portserver
> console: rfcudev1: server rfc-portserver not found
> halibut#
>
> The same thing happens to the other lines if the names don't match.
> If I read the man page correctly, this should work.

From jonas.blaberg@cellnetwork.com Fri May 18 02:43:11 2001
From: Jonas Blåberg
To: "'users@conserver.com'"
Subject: ACL?
Date: Fri, 18 May 2001 11:42:58 +0200

hello!

would like to know if I am able to set up different unix-users to be able to
access different server ports with conserver?

/jonas

Jonas Blåberg
jonas.blaberg@cellnetwork.com
+46-(0)709-95 00 68

From bryan@stansell.org Fri May 18 14:14:17 2001
From: Bryan Stansell
To: users@conserver.com
Subject: Re: ACL?
Date: Fri, 18 May 2001 14:14:17 -0700

On Fri, May 18, 2001 at 11:42:58AM +0200, Jonas Blåberg wrote:
> hello!
>
> would like to know if I am able to set up different unix-users to be able to
> access different server ports with conserver?

It's not pretty, but yes. In the conserver.passwd file you "normally"
have something like:

user1:*passwd*:any
user2:*passwd*:any
...

Instead of the word 'any', you can put a list of consoles they're
allowed to access.

user1:*passwd*:console1,console2,console4
user2:*passwd*:any
user3:*passwd*:console3

So, user3 can only access console3, user1 can only access
console{1,2,4}, and user2 can access any of them.

Hope that answered your question. Ideally, one day, we'd be able to
define console groups and assign those to users and such, but that's off
in the future.

Oh, and there is a fairly small limit (~100) as to the number of
characters that list of consoles can be. If you need more, up the buf[]
declaration in CheckPasswd() in conserver/group.c. Ugly, I know...if
someone else doesn't do it, I'll fix it eventually.

Bryan

From mgx@ornl.gov Sun May 20 07:10:33 2001
From: Michael Galloway
To: users@conserver.com
Subject: ttymon cannot allocate controlling tty on "/dev/console"
Date: Sun, 20 May 2001 10:10:29 -0400

good day all ....

i've got a solaris box that was working fine with my conserver setup. sun
asked me to apply some patches and now i get this when i try to get a console
session:

basswood:~ # console -u | grep hydra
hydra up
basswood:~ # console hydra
[Enter `^Ec?' for help]

hydra-1.lsd.ornl.gov console login: mgx
Warning -- ttymon cannot allocate controlling tty on "/dev/console",
there may be another session active on this port.

it was working fine before i started this patch marathon.

-- michael

From bryan@stansell.org Sun May 20 08:47:05 2001
From: Bryan Stansell
To: users@conserver.com
Subject: Re: ttymon cannot allocate controlling tty on "/dev/console"
Date: Sun, 20 May 2001 08:47:05 -0700

On Sun, May 20, 2001 at 10:10:29AM -0400, Michael Galloway wrote:
> good day all ....
>
> i've got a solaris box that was working fine with my conserver setup. sun
> asked me to apply some patches and now i get this when i try to get a console
> session:
>
> basswood:~ # console -u | grep hydra
> hydra up
> basswood:~ # console hydra
> [Enter `^Ec?' for help]
>
> hydra-1.lsd.ornl.gov console login: mgx
> Warning -- ttymon cannot allocate controlling tty on "/dev/console",
> there may be another session active on this port.
>
> it was working fine before i started this patch marathon.

I don't think it's a conserver issue. I took a peek at sunsolve and
there are a lot of bugs (mostly old) with this message that refer to
CDE. Do you have CDE running on the box?
You didn't mention what version of solaris, but I'd expect you have an old patch or conflicting patch or something. I'd get back in touch with sun and share the error and have them research which patch broke things. And if you don't have any CDE bits running (as daemons or temporarily in /etc/rc*.d), then I'm personally out of ideas. But, it really sounds like a sun bug of some sort - once you start passing characters back and forth with conserver, it's out of the way. In other words, you should see the same error if you hooked up a dumb terminal to the machine and tried to log in. Good luck! Bryan From jonas.blaberg@cellnetwork.com Sun May 20 23:30:40 2001 Received: from exchange.gbg.mandator.se ([194.23.99.14]) by underdog.stansell.org (8.11.3/8.11.3) with ESMTP id f4L6UdN05862 for ; Sun, 20 May 2001 23:30:39 -0700 (PDT) Received: by EXCHANGE with Internet Mail Service (5.5.2653.19) id ; Mon, 21 May 2001 08:30:32 +0200 Message-ID: From: =?iso-8859-1?Q?Jonas_Bl=E5berg?= To: "'users@conserver.com'" Subject: SV: ACL? Date: Mon, 21 May 2001 08:30:29 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by underdog.stansell.org id f4L6UdN05862 Sender: users-admin@conserver.com Errors-To: users-admin@conserver.com X-BeenThere: users@conserver.com X-Mailman-Version: 2.0.3 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Conserver Users List-Unsubscribe: , List-Archive: okey, that solves a lot of my problems. Is the format of conserver.passwd documented anywhere? I did not find anything about it... /jonas -----Original Message----- From: Bryan Stansell [mailto:bryan@conserver.com] Sent: 18 May 2001 23:14 To: users@conserver.com Subject: Re: ACL? On Fri, May 18, 2001 at 11:42:58AM +0200, Jonas Blåberg wrote: > hello! 
> > would like to know if I am able to set up different unix-users to be able to > access different server ports with conserver? It's not pretty, but yes. In the conserver.passwd file you "normally" have something like: user1:*passwd*:any user2:*passwd*:any ... Instead of the word 'any', you can put a list of consoles they're allowed to access. user1:*passwd*:console1,console2,console4 user2:*passwd*:any user3:*passwd*:console3 So, user3 can only access console3, user1 can only access console{1,2,4}, and user2 can access any of them. Hope that answered your question. Ideally, one day, we'd be able to define console groups and assign those to users and such, but that's off in the future. Oh, and there is a fairly small limit (~100) as to the number of characters that list of consoles can be. If you need more, up the buf[] declaration in CheckPasswd() in conserver/group.c. Ugly, I know...if someone else doesn't do it, I'll fix it eventually. Bryan _______________________________________________ users mailing list users@conserver.com https://www.conserver.com/mailman/listinfo/users From iainr@dcs.ed.ac.uk Mon May 21 03:29:40 2001 Received: from muck.dcs.ed.ac.uk (muck.dcs.ed.ac.uk [129.215.216.15]) by underdog.stansell.org (8.11.3/8.11.3) with ESMTP id f4LATeN07054 for ; Mon, 21 May 2001 03:29:40 -0700 (PDT) Received: from mince.dcs.ed.ac.uk (root@mince.dcs.ed.ac.uk [129.215.58.141]) by muck.dcs.ed.ac.uk with ESMTP id LAA26825 for ; Mon, 21 May 2001 11:29:37 +0100 (BST) Received: from mince.dcs.ed.ac.uk (IDENT:iainr@localhost [127.0.0.1]) by mince.dcs.ed.ac.uk (8.9.1/8.9.1) with ESMTP id LAA12129 for ; Mon, 21 May 2001 11:29:37 +0100 Message-Id: <200105211029.LAA12129@mince.dcs.ed.ac.uk> X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 To: users@conserver.com Subject: conserver with encryption Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 21 May 2001 11:29:36 +0100 From: Iain Rae Sender: users-admin@conserver.com Errors-To: 
users-admin@conserver.com X-BeenThere: users@conserver.com X-Mailman-Version: 2.0.3 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Conserver Users List-Unsubscribe: , List-Archive: Hi all, I've been playing around with encrypting the connections between console and conserver and (famous last words) I don't think it would be too difficult to include TLS/SSL and possibly kerberos encryption into the source (I'm less sure about openssh since there doesn't seem to be that much documentation other than the source). Assuming that there's interest in this what sort of requirements are people likely to have: Do we just want to have encrypted channels or to handle things like Kerberos authentication? Which protocols would we want (I suspect SSL will be the easiest way to get some kind of encrypted channel, but we (dcs) would want Kerberos and possibly ssh)? Is it a compilation/configuration choice or should conserver support multiple different systems? If the answer to the above is yes then what kind of configuration options are we looking at (only allow kerberos authenticated connections to host foobar?) NB. I'm not proposing to write code to do all of the above but I'm willing to make a start, also I don't claim to be any kind of expert at writing security code and fully expect to drop some real clangers on the way :) Anyone got any advice, comments, want to join in? -- Iain Rae Tel:01316505202 Computing Officer JCMB:2148 Division of Informatics The University of Edinburgh From bryan@stansell.org Mon May 21 07:45:22 2001 Received: (from bryan@localhost) by underdog.stansell.org (8.11.3/8.11.3) id f4LEjM808210 for users@conserver.com; Mon, 21 May 2001 07:45:22 -0700 (PDT) Date: Mon, 21 May 2001 07:45:22 -0700 From: Bryan Stansell To: "'users@conserver.com'" Subject: Re: SV: ACL? 
Message-ID: <20010521074522.S28980@underdog.stansell.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.2.5i In-Reply-To: ; from jonas.blaberg@cellnetwork.com on Mon, May 21, 2001 at 08:30:29AM +0200 Sender: users-admin@conserver.com Errors-To: users-admin@conserver.com X-BeenThere: users@conserver.com X-Mailman-Version: 2.0.3 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Conserver Users List-Unsubscribe: , List-Archive: On Mon, May 21, 2001 at 08:30:29AM +0200, Jonas Blåberg wrote: > okey, that solves a lot of my problems. Cool. > Is the format of conserver.passwd documented anywhere? I did not find > anything about it... Not very well. There's a small blurb in conserver.cf/INSTALL, but that's about it. Documentation, in general, needs more help. Bryan From bryan@stansell.org Mon May 21 08:15:50 2001 Received: (from bryan@localhost) by underdog.stansell.org (8.11.3/8.11.3) id f4LFFoI08431 for users@conserver.com; Mon, 21 May 2001 08:15:50 -0700 (PDT) Date: Mon, 21 May 2001 08:15:50 -0700 From: Bryan Stansell To: users@conserver.com Subject: Re: conserver with encryption Message-ID: <20010521081550.U28980@underdog.stansell.org> References: <200105211029.LAA12129@mince.dcs.ed.ac.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200105211029.LAA12129@mince.dcs.ed.ac.uk>; from iainr@dcs.ed.ac.uk on Mon, May 21, 2001 at 11:29:36AM +0100 Sender: users-admin@conserver.com Errors-To: users-admin@conserver.com X-BeenThere: users@conserver.com X-Mailman-Version: 2.0.3 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Conserver Users List-Unsubscribe: , List-Archive: On Mon, May 21, 2001 at 11:29:36AM +0100, Iain Rae wrote: > Do we just want to have encrypted channels or to handle things like Kerberos > authentication? 
Encryption would be extremely nice...whatever type (I'd like to not have to install ssl certs, but others probably would, to verify it's really their console server - just a thought). Authentication, on the other hand, is another beast and, while it too would be great (kerberos, securid, s-key, ...), it's a whole different set of code manipulation and I'd suggest thinking about them separately. > Which protocols would we want (I suspect SSL will be the easiest way to get > some kind of encrypted channel, but we (dcs) would want Kerberos and possibly > ssh)? > > Is it a compilation/configuration choice or should conserver support multiple > different systems? My first thought is it should be a compilation choice - you don't want to have to have kerberos, ssh, and ssl libraries to just compile the thing. Would anyone want to run multiple protocols within a conserver installation? I'd think not (beyond the "that would be cool" factor), but, opinions? I know I'd just pick one and compile it in. 
Bryan From doug@gblx.net Mon May 21 08:19:26 2001 Received: from smtp1.phx.gblx.net (smtp1.phx.gblx.net [64.208.25.103]) by underdog.stansell.org (8.11.3/8.11.3) with ESMTP id f4LFJPN08468; Mon, 21 May 2001 08:19:26 -0700 (PDT) Received: (from daemon@localhost) by smtp1.phx.gblx.net (8.11.2/8.11.2) id f4LFJBu28358; Mon, 21 May 2001 08:19:11 -0700 (MST) Received: from UNKNOWN(64.208.25.102), claiming to be "shell1.phx.gblx.net" via SMTP by smtp1, id smtpdAAAvbail3; Mon May 21 08:19:07 2001 Received: from localhost (doug@localhost) by shell1.phx.gblx.net (8.9.3+Sun/8.9.3) with ESMTP id IAA28621; Mon, 21 May 2001 08:19:21 -0700 (MST) X-Authentication-Warning: shell1.phx.gblx.net: doug owned process doing -bs Date: Mon, 21 May 2001 08:19:21 -0700 (MST) From: Doug Hughes X-Sender: doug@shell1.phx.gblx.net To: Bryan Stansell cc: users@conserver.com Subject: Re: conserver with encryption In-Reply-To: <20010521081550.U28980@underdog.stansell.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: users-admin@conserver.com Errors-To: users-admin@conserver.com X-BeenThere: users@conserver.com X-Mailman-Version: 2.0.3 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Conserver Users List-Unsubscribe: , List-Archive: On Mon, 21 May 2001, Bryan Stansell wrote: > On Mon, May 21, 2001 at 11:29:36AM +0100, Iain Rae wrote: > > Do we just want to have encrypted channels or to handle things like Kerberos > > authentication? > > Encryption would be extremely nice...whatever type (I'd like to not > have to install ssl certs, but others probably would, to verify it's > really their console server - just a thought). Authentication, on the > other hand, is another beast and, while it too would be great > (kerberos, securid, s-key, ...), it's a whole different set of code > manipulation and I'd suggest thinking about them separately. 
> > > Which protocols would we want (I suspect SSL will be the easiest way to get > > some kind of encrypted channel, but we (dcs) would want Kerberos and possibly > > ssh)? > > > > Is it a compilation/configuration choice or should conserver support multiple > > different systems? > > My first thought is it should be a compilation choice - you don't want > to have to have kerberos, ssh, and ssl libraries to just compile the > thing. Would anyone want to run multiple protocols within a conserver > installation? I'd think not (beyond the "that would be cool" factor), > but, opinions? I know I'd just pick one and compile it in. > I'd opt for: [configure] --with-openssl=... --with-ssl-cert=... --with-libcrypto=... --with-kerbv5=... (type of stuff - make them all independent modules) Doug From ChrisF@computone.com Mon May 21 08:24:15 2001 Received: from mustang.computone.com (mustang.computone.com [160.77.1.155]) by underdog.stansell.org (8.11.3/8.11.3) with ESMTP id f4LFOFN08513; Mon, 21 May 2001 08:24:15 -0700 (PDT) Received: by mustang.computone.com with Internet Mail Service (5.5.2650.21) id <2ZQ5N5PM>; Mon, 21 May 2001 11:28:28 -0400 Message-ID: <95B97DD42B78D31193A8005004D1E05C413A1A@mustang.computone.com> From: Chris Fowler To: "'Doug Hughes'" , Bryan Stansell Cc: users@conserver.com Subject: RE: conserver with encryption Date: Mon, 21 May 2001 11:28:27 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0E20A.AE9A70E2" Sender: users-admin@conserver.com Errors-To: users-admin@conserver.com X-BeenThere: users@conserver.com X-Mailman-Version: 2.0.3 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Conserver Users List-Unsubscribe: , List-Archive: This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. 
------_=_NextPart_001_01C0E20A.AE9A70E2 Content-Type: text/plain You guys talk about encryption but has anyone actually tried to implement it in this type of software. It takes a tremendous amount of work and investment from someone to do this. It's easy to say I want SSH II or I want SSH I. It is a very different thing to be the one to code it. sorry to be blunt but we've been in this circumstance. OpenSSH is very big. Chris -----Original Message----- From: Doug Hughes [mailto:doug@gblx.net] Sent: Monday, May 21, 2001 11:19 AM To: Bryan Stansell Cc: users@conserver.com Subject: Re: conserver with encryption On Mon, 21 May 2001, Bryan Stansell wrote: > On Mon, May 21, 2001 at 11:29:36AM +0100, Iain Rae wrote: > > Do we just want to have encrypted channels or to handle things like Kerberos > > authentication? > > Encryption would be extremely nice...whatever type (I'd like to not > have to install ssl certs, but others probably would, to verify it's > really their console server - just a thought). Authentication, on the > other hand, is another beast and, while it too would be great > (kerberos, securid, s-key, ...), it's a whole different set of code > manipulation and I'd suggest thinking about them separately. > > > Which protocols would we want (I suspect SSL will be the easiest way to get > > some kind of encrypted channel, but we (dcs) would want Kerberos and possibly > > ssh)? > > > > Is it a compilation/configuration choice or should conserver support multiple > > different systems? > > My first thought is it should be a compilation choice - you don't want > to have to have kerberos, ssh, and ssl libraries to just compile the > thing. Would anyone want to run multiple protocols within a conserver > installation? I'd think not (beyond the "that would be cool" factor), > but, opinions? I know I'd just pick one and compile it in. > I'd opt for: [configure] --with-openssl=... --with-ssl-cert=... --with-libcrypto=... --with-kerbv5=... 
(type of stuff - make them all independent modules) Doug _______________________________________________ users mailing list users@conserver.com https://www.conserver.com/mailman/listinfo/users
------_=_NextPart_001_01C0E20A.AE9A70E2-- From doug@gblx.net Mon May 21 08:38:48 2001 Received: from smtp1.phx.gblx.net (smtp1.phx.gblx.net [64.208.25.103]) by underdog.stansell.org (8.11.3/8.11.3) with ESMTP id f4LFclN08592; Mon, 21 May 2001 08:38:47 -0700 (PDT) Received: (from daemon@localhost) by smtp1.phx.gblx.net (8.11.2/8.11.2) id f4LFcXl00308; Mon, 21 May 2001 08:38:33 -0700 (MST) Received: from UNKNOWN(64.208.25.102), claiming to be "shell1.phx.gblx.net" via SMTP by smtp1, id smtpdAAAmsaaLa; Mon May 21 08:38:31 2001 Received: from localhost (doug@localhost) by shell1.phx.gblx.net (8.9.3+Sun/8.9.3) with ESMTP id IAA28770; Mon, 21 May 2001 08:38:45 -0700 (MST) X-Authentication-Warning: shell1.phx.gblx.net: doug owned process doing -bs Date: Mon, 21 May 2001 08:38:45 -0700 (MST) From: Doug Hughes X-Sender: doug@shell1.phx.gblx.net To: Chris Fowler cc: Bryan Stansell , users@conserver.com Subject: RE: conserver with encryption In-Reply-To: <95B97DD42B78D31193A8005004D1E05C413A1A@mustang.computone.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: users-admin@conserver.com Errors-To: users-admin@conserver.com X-BeenThere: users@conserver.com X-Mailman-Version: 2.0.3 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Conserver Users List-Unsubscribe: , List-Archive: I've done it. Yes, it is work. Doing it modularly will be even more work. However, in order to do this right (not creating dependency hell), I think it's the right way. (Kerberos would be a *whole* lot of work for somebody wishing to incorporate that with modularity). Just my $.02. The easiest way would be to just add encryption using something like cryptolib. Use DH to gen keys on both ends and then 3DES or IDEA or blowfish or whatever to encrypt things. Then have a set of #ifdefs in the appropriate place in the communication path to initialize the session and before/after network reads/writes to encrypt/decrypt. This is bare bones. 
It doesn't provide for man in the middle prevention, it doesn't verify authenticity. It does prevent passwords from transiting in the clear. Using something like this with tcp_wrappers provides some additional protection at marginal effort increment. On Mon, 21 May 2001, Chris Fowler wrote: > You guys talk about encryption but has anyone actually tried to implement > it in this type of software. It takes a tremendous amount of work and > investment from someone to do this. It's easy to say I want SSH II or I > want SSH I. It is a very different thing to be the one to code it. sorry > to be blunt but we've been in this circumstance. OpenSSH is very big. > > Chris > > > -----Original Message----- > From: Doug Hughes [mailto:doug@gblx.net] > Sent: Monday, May 21, 2001 11:19 AM > To: Bryan Stansell > Cc: users@conserver.com > Subject: Re: conserver with encryption > > > On Mon, 21 May 2001, Bryan Stansell wrote: > > > On Mon, May 21, 2001 at 11:29:36AM +0100, Iain Rae wrote: > > > Do we just want to have encrypted channels or to handle things like > Kerberos > > > authentication? > > > > Encryption would be extremely nice...whatever type (I'd like to not > > have to install ssl certs, but others probably would, to verify it's > > really their console server - just a thought). Authentication, on the > > other hand, is another beast and, while it too would be great > > (kerberos, securid, s-key, ...), it's a whole different set of code > > manipulation and I'd suggest thinking about them separately. > > > > > Which protocols would we want (I suspect SSL will be the easiest way to > get > > > some kind of encrypted channel, but we (dcs) would want Kerberos and > possibly > > > ssh)? > > > > > > Is it a compilation/configuration choice or should conserver support > multiple > > > different systems? > > > > My first thought is it should be a compilation choice - you don't want > > to have to have kerberos, ssh, and ssl libraries to just compile the > > thing. 
Would anyone want to run multiple protocols within a conserver > > installation? I'd think not (beyond the "that would be cool" factor), > > but, opinions? I know I'd just pick one and compile it in. > > > > I'd opt for: > [configure] > --with-openssl=... --with-ssl-cert=... --with-libcrypto=... > --with-kerbv5=... > (type of stuff - make them all independent modules) > > Doug > > > _______________________________________________ > users mailing list > users@conserver.com > https://www.conserver.com/mailman/listinfo/users > From iainr@dcs.ed.ac.uk Mon May 21 08:51:59 2001 Received: from muck.dcs.ed.ac.uk (muck.dcs.ed.ac.uk [129.215.216.15]) by underdog.stansell.org (8.11.3/8.11.3) with ESMTP id f4LFpwN08666 for ; Mon, 21 May 2001 08:51:59 -0700 (PDT) Received: from mince.dcs.ed.ac.uk (root@mince.dcs.ed.ac.uk [129.215.58.141]) by muck.dcs.ed.ac.uk with ESMTP id QAA19631 for ; Mon, 21 May 2001 16:51:57 +0100 (BST) Received: from mince.dcs.ed.ac.uk (IDENT:iainr@localhost [127.0.0.1]) by mince.dcs.ed.ac.uk (8.9.1/8.9.1) with ESMTP id QAA02199 for ; Mon, 21 May 2001 16:51:57 +0100 Message-Id: <200105211551.QAA02199@mince.dcs.ed.ac.uk> X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 To: users@conserver.com Subject: Re: conserver with encryption In-Reply-To: Message from Chris Fowler of "Mon, 21 May 2001 11:28:27 EDT." <95B97DD42B78D31193A8005004D1E05C413A1A@mustang.computone.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 21 May 2001 16:51:56 +0100 From: Iain Rae Sender: users-admin@conserver.com Errors-To: users-admin@conserver.com X-BeenThere: users@conserver.com X-Mailman-Version: 2.0.3 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Conserver Users List-Unsubscribe: , List-Archive: > You guys talk about encryption but has anyone actually tried to implement > it in this type of software. It takes a tremendous amount of work and > investment from someone to do this. It's easy to say I want SSH II or I > want SSH I. 
It is a very different thing to be the one to code it. sorry > to be blunt but we've been in this circumstance. OpenSSH is very big. > yes, that's why I've shied away from ssh. I have a hacked together copy of conserver/console which is using a very basic ssl configuration, if I were doing this for us (DCS) I'd hand off authentication to PAM which ought to make it a bit easier but would limit it in terms of platforms. -- Iain Rae Tel:01316505202 Computing Officer JCMB:2148 Division of Informatics The University of Edinburgh From fenner@research.att.com Mon May 21 09:02:04 2001 Received: from mail-blue.research.att.com (mail-blue.research.att.com [135.207.30.102]) by underdog.stansell.org (8.11.3/8.11.3) with ESMTP id f4LG24N08747; Mon, 21 May 2001 09:02:04 -0700 (PDT) Received: from alliance.research.att.com (alliance.research.att.com [135.207.26.26]) by mail-blue.research.att.com (Postfix) with ESMTP id A66A44D55A; Mon, 21 May 2001 12:02:02 -0400 (EDT) Received: from windsor.research.att.com (windsor.research.att.com [135.207.26.46]) by alliance.research.att.com (8.8.7/8.8.7) with ESMTP id MAA17240; Mon, 21 May 2001 12:02:01 -0400 (EDT) From: Bill Fenner Received: (from fenner@localhost) by windsor.research.att.com (8.8.8+Sun/8.8.5) id JAA09617; Mon, 21 May 2001 09:02:00 -0700 (PDT) Message-Id: <200105211602.JAA09617@windsor.research.att.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII To: bryan@conserver.com Subject: Re: conserver with encryption Cc: users@conserver.com References: <200105211029.LAA12129@mince.dcs.ed.ac.uk> <20010521081550.U28980@underdog.stansell.org> Date: Mon, 21 May 2001 09:02:00 -0700 Versions: dmail (solaris) 2.2g/makemail 2.9a Sender: users-admin@conserver.com Errors-To: users-admin@conserver.com X-BeenThere: users@conserver.com X-Mailman-Version: 2.0.3 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Conserver Users List-Unsubscribe: , List-Archive: >Would anyone want to run multiple protocols within a 
conserver >installation? I'd think not (beyond the "that would be cool" factor), >but, opinions? Well, you could imagine that someone might want an all-singing, all-dancing console client on their laptop to carry to customer installations and be able to deal with whatever the customer had chosen. That's probably not sufficiently compelling to go to a ton of effort to make it happen, but it's at least a case where it might be useful. Bill From jonas.blaberg@cellnetwork.com Mon May 21 09:16:43 2001 Received: from exchange.gbg.mandator.se ([194.23.99.14]) by underdog.stansell.org (8.11.3/8.11.3) with ESMTP id f4LGGgN08825 for ; Mon, 21 May 2001 09:16:42 -0700 (PDT) Received: by EXCHANGE with Internet Mail Service (5.5.2653.19) id ; Mon, 21 May 2001 18:16:40 +0200 Message-ID: From: =?iso-8859-1?Q?Jonas_Bl=E5berg?= To: "'users@conserver.com'" Subject: xyplex question Date: Mon, 21 May 2001 18:16:37 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by underdog.stansell.org id f4LGGgN08825 Sender: users-admin@conserver.com Errors-To: users-admin@conserver.com X-BeenThere: users@conserver.com X-Mailman-Version: 2.0.3 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Conserver Users List-Unsubscribe: , List-Archive: hello! I have got a xyplex maxserver 1600 in my hands and have been able to reset it to factory defaults. I can connect to the terminal server using serial line. And I know the default priv password is system. And I have been able to define an ip address (I am able to ping it). But I cannot find out how to be able to access it with telnet... Maybe this question is a little bit malplaced but I don't know whom to ask... please redirect me if I'm using the wrong forum. (I'm going to use it with conserver - that's why I'm reading this list). 
/jonas Jonas Blåberg jonas.blaberg@cellnetwork.com +46-(0)31-707 69 85 +46-(0)709-95 00 68 From iainr@dcs.ed.ac.uk Mon May 21 09:41:19 2001 Received: from muck.dcs.ed.ac.uk (muck.dcs.ed.ac.uk [129.215.216.15]) by underdog.stansell.org (8.11.3/8.11.3) with ESMTP id f4LGfIN08946 for ; Mon, 21 May 2001 09:41:19 -0700 (PDT) Received: from mince.dcs.ed.ac.uk (root@mince.dcs.ed.ac.uk [129.215.58.141]) by muck.dcs.ed.ac.uk with ESMTP id RAA23097 for ; Mon, 21 May 2001 17:41:17 +0100 (BST) Received: from mince.dcs.ed.ac.uk (IDENT:iainr@localhost [127.0.0.1]) by mince.dcs.ed.ac.uk (8.9.1/8.9.1) with ESMTP id RAA02237 for ; Mon, 21 May 2001 17:41:17 +0100 Message-Id: <200105211641.RAA02237@mince.dcs.ed.ac.uk> X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 To: users@conserver.com Subject: Re: conserver with encryption In-Reply-To: Message from Doug Hughes of "Mon, 21 May 2001 08:38:45 PDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 21 May 2001 17:41:17 +0100 From: Iain Rae Sender: users-admin@conserver.com Errors-To: users-admin@conserver.com X-BeenThere: users@conserver.com X-Mailman-Version: 2.0.3 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Conserver Users List-Unsubscribe: , List-Archive: > > I've done it. Yes, it is work. Doing it modularly will be even more work. > However, in order to do this right (not creating dependency hell), I > think it's the right way. (Kerberos would be a *whole* lot of work for > somebody wishing to incorporate that with modularity). can you point at any decent docs/examples I could take a look at? I was thinking of digging through the cyrus-imap or samba code. > > Just my $.02. > > The easiest way would be to just add encryption using something like > cryptolib. Use DH to gen keys on both ends and then 3DES or IDEA > or blowfish or whatever to encrypt things. 
Then have a set of > #ifdefs in the appropriate place in the communication path to > initialize the session and before/after network reads/writes to > encrypt/decrypt. > > This is bare bones. It doesn't provide for man in the middle > prevention, it doesn't verify authenticity. It does prevent > passwords from transiting in the clear. Using something like this > with tcp_wrappers provides some additional protection at marginal > effort increment. In the first instance all I'm looking to do is provide an encrypted channel between the various hosts, but if I'm going to do that I'd rather work the code to try and make it easier to add other systems and in the med-long term we'd (DCS) be looking for kerberos anyway so anything I'd do would have one eye on that. I was also thinking that you would probably want something that didn't require an infrastructure to fall back on, not much point in having kerberos if it's your kerberos servers you're trying to get to the consoles of. This pretty much ties you to a modular system from the start ( if your bare-bones system above doesn't work do you drop back to cleartext or drop the connection). 
-- Iain Rae Tel:01316505202 Computing Officer JCMB:2148 Division of Informatics The University of Edinburgh From doug@gblx.net Mon May 21 15:00:06 2001 Received: from smtp1.phx.gblx.net (smtp1.phx.gblx.net [64.208.25.103]) by underdog.stansell.org (8.11.3/8.11.3) with ESMTP id f4LM06N10441 for ; Mon, 21 May 2001 15:00:06 -0700 (PDT) Received: (from daemon@localhost) by smtp1.phx.gblx.net (8.11.2/8.11.2) id f4LLxpM20351; Mon, 21 May 2001 14:59:51 -0700 (MST) Received: from UNKNOWN(64.208.25.102), claiming to be "shell1.phx.gblx.net" via SMTP by smtp1, id smtpdAAAPgaWIN; Mon May 21 14:59:47 2001 Received: from localhost (doug@localhost) by shell1.phx.gblx.net (8.9.3+Sun/8.9.3) with ESMTP id PAA04352; Mon, 21 May 2001 15:00:00 -0700 (MST) X-Authentication-Warning: shell1.phx.gblx.net: doug owned process doing -bs Date: Mon, 21 May 2001 15:00:00 -0700 (MST) From: Doug Hughes X-Sender: doug@shell1.phx.gblx.net To: Iain Rae cc: users@conserver.com Subject: Re: conserver with encryption In-Reply-To: <200105211641.RAA02237@mince.dcs.ed.ac.uk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: users-admin@conserver.com Errors-To: users-admin@conserver.com X-BeenThere: users@conserver.com X-Mailman-Version: 2.0.3 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Conserver Users List-Unsubscribe: , List-Archive: On Mon, 21 May 2001, Iain Rae wrote: > > > > I've done it. Yes, it is work. Doing it modularly will be even more work. > > However, in order to do this right (not creating dependency hell), I > > think it's the right way. (Kerberos would be a *whole* lot of work for > > somebody wishing to incorporate that with modularity). > > can you point at any decent docs/examples I could take a look at? I was > thinking of digging through the cyrus-imap or samba code. cyrus might be a decent one. I wouldn't do samba though. WAAY too big. It's a good example of super-abstraction, but can be difficult to follow. 
I can't really think of any small examples off the top of my head using cryptolib. I've written some stuff, but not sure how clean it is. ;) > > > > > Just my $.02. > > > > The easiest way would be to just add encryption using something like > > cryptolib. Use DH to gen keys on both ends and then 3DES or IDEA > > or blowfish or whatever to encrypt things. Then have a set of > > #ifdefs in the appropriate place in the communication path to > > initialize the session and before/after network reads/writes to > > encrypt/decrypt. > > > > > This is bare bones. It doesn't provide for man in the middle > > prevention, it doesn't verify authenticity. It does prevent > > passwords from transiting in the clear. Using something like this > > with tcp_wrappers provides some additional protection at marginal > > effort increment. > > In the first instance all I'm looking to do is provide an encrypted channel > between the various hosts, but if I'm going to do that I'd rather work the > code to try and make it easier to add other systems and in the med-long term > we'd (DCS) be looking for kerberos anyway so anything I'd do would have one > eye on that. > > I was also thinking that you would probably want something that didn't require > an infrastructure to fall back on, not much point in having kerberos if it's > your kerberos servers you're trying to get to the consoles of. yup. > > This pretty much ties you to a modular system from the start ( if your > bare-bones system above doesn't work do you drop back to cleartext or drop the > connection). > well, I was thinking of it more as compile time options, but you could have run time options of which one to use too. That adds more complexity too..
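
The bare-bones design and the fallback question discussed in this thread, as an added example (not conserver code and not written by any poster): a toy Diffie-Hellman exchange in C showing that a client with no pinned server value derives a key with whichever party answers, while a pinned value plus a drop-on-failure policy refuses the session. The 31-bit group, the `policy` struct, `client_connect()` and the private values are assumptions made for the illustration; pinning also assumes the server keeps a long-term DH value, which the bare-bones design does not have.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy group so products fit in 64 bits: p = 2^31 - 1 (prime), g = 7.
 * Far too small for real use; it only makes the arithmetic visible. */
#define DH_P 2147483647ULL
#define DH_G 7ULL

/* Constructed private values for the three parties in the demonstration. */
#define CLIENT_PRIV 123456789ULL
#define SERVER_PRIV 987654321ULL
#define RELAY_PRIV  555555555ULL   /* some other party answering the client */

/* Square-and-multiply modular exponentiation. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t r = 1;
    base %= mod;
    while (exp > 0) {
        if (exp & 1)
            r = r * base % mod;
        base = base * base % mod;
        exp >>= 1;
    }
    return r;
}

uint64_t dh_public(uint64_t priv) { return modpow(DH_G, priv, DH_P); }
uint64_t dh_shared(uint64_t peer_pub, uint64_t priv) { return modpow(peer_pub, priv, DH_P); }

enum channel { CH_DROPPED, CH_CLEARTEXT, CH_ENCRYPTED };

/* Hypothetical client policy; the field names are this example's own. */
struct policy {
    int allow_cleartext_fallback;  /* 1 = talk in the clear if negotiation fails */
    uint64_t pinned_server_pub;    /* 0 = accept any server value (bare bones) */
};

/* Client side of session setup. Sets *key_out only for CH_ENCRYPTED. */
enum channel client_connect(const struct policy *pol, int peer_offers_crypto,
                            uint64_t server_pub_seen, uint64_t client_priv,
                            uint64_t *key_out)
{
    *key_out = 0;
    if (!peer_offers_crypto)       /* peer built without crypto, or no offer arrived */
        return pol->allow_cleartext_fallback ? CH_CLEARTEXT : CH_DROPPED;
    if (server_pub_seen < 2 || server_pub_seen > DH_P - 2)
        return CH_DROPPED;         /* degenerate values give a predictable key */
    if (pol->pinned_server_pub != 0 && server_pub_seen != pol->pinned_server_pub)
        return CH_DROPPED;         /* not the console server we expected */
    *key_out = dh_shared(server_pub_seen, client_priv);
    return CH_ENCRYPTED;
}

int main(void)
{
    struct policy bare = { 0, 0 };
    struct policy pinned = { 0, dh_public(SERVER_PRIV) };
    uint64_t key;
    enum channel ch;

    ch = client_connect(&bare, 1, dh_public(RELAY_PRIV), CLIENT_PRIV, &key);
    printf("no pin, other party answers: state=%d, key shared with it=%d\n",
           (int)ch, key == dh_shared(dh_public(CLIENT_PRIV), RELAY_PRIV));

    ch = client_connect(&pinned, 1, dh_public(RELAY_PRIV), CLIENT_PRIV, &key);
    printf("pinned, other party answers: state=%d (0 = dropped)\n", (int)ch);

    ch = client_connect(&pinned, 1, dh_public(SERVER_PRIV), CLIENT_PRIV, &key);
    printf("pinned, real server answers: state=%d (2 = encrypted)\n", (int)ch);
    return 0;
}
```
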
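
The per-user console lists in conserver.passwd described earlier in this thread, as an added example (not conserver's CheckPasswd() and not code from the project): a checker that scans the list in place, so there is no fixed-size buffer for a long list to outgrow, and matches console names exactly. The function names, the first-matching-line rule, and honoring `any` only as the whole third field are assumptions; password verification is left out.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { ACL_DENY = 0, ACL_ALLOW = 1 };

/* Constructed sample file. The first three lines are the ones from the
 * thread; user4's list is 155 characters, past the ~100 mentioned there. */
static const char SAMPLE_PASSWD[] =
    "user1:*passwd*:console1,console2,console4\n"
    "user2:*passwd*:any\n"
    "user3:*passwd*:console3\n"
    "user4:*passwd*:rackA-node01,rackA-node02,rackA-node03,rackA-node04,"
    "rackA-node05,rackA-node06,rackA-node07,rackA-node08,rackA-node09,"
    "rackA-node10,rackA-node11,rackA-node12\n";

/* Does the comma-separated list [list, list+len) name `console` exactly?
 * Tokens are compared by length and content, so "console1" never matches
 * "console10" and a prefix of a name never matches the full name. */
static int list_allows(const char *list, size_t len, const char *console)
{
    size_t clen = strlen(console);
    const char *end = list + len;

    if (len == 3 && memcmp(list, "any", 3) == 0)
        return 1;                          /* wildcard as the whole field */
    while (list < end) {
        const char *comma = memchr(list, ',', (size_t)(end - list));
        const char *tok_end = comma ? comma : end;

        if ((size_t)(tok_end - list) == clen && memcmp(list, console, clen) == 0)
            return 1;
        if (comma == NULL)
            break;
        list = comma + 1;
    }
    return 0;
}

/* Walk user:passwd:list lines in `text`; the first line whose user field
 * equals `user` decides. Unknown users and malformed lines are denied. */
int acl_check(const char *text, const char *user, const char *console)
{
    size_t ulen = strlen(user);

    if (ulen == 0 || console[0] == '\0')
        return ACL_DENY;
    while (*text != '\0') {
        size_t llen = strcspn(text, "\n");
        const char *c1 = memchr(text, ':', llen);
        const char *c2 = c1 ? memchr(c1 + 1, ':', llen - (size_t)(c1 + 1 - text)) : NULL;

        if (c2 != NULL && (size_t)(c1 - text) == ulen && memcmp(text, user, ulen) == 0) {
            const char *list = c2 + 1;
            size_t list_len = llen - (size_t)(list - text);

            if (list_len > 0 && list[list_len - 1] == '\r')
                list_len--;                /* tolerate CRLF line endings */
            return list_allows(list, list_len, console) ? ACL_ALLOW : ACL_DENY;
        }
        text += llen;
        if (*text == '\n')
            text++;
    }
    return ACL_DENY;
}

int main(void)
{
    printf("user1 -> console2:     %d\n", acl_check(SAMPLE_PASSWD, "user1", "console2"));
    printf("user3 -> console30:    %d\n", acl_check(SAMPLE_PASSWD, "user3", "console30"));
    printf("user4 -> rackA-node12: %d\n", acl_check(SAMPLE_PASSWD, "user4", "rackA-node12"));
    return 0;
}
```
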