
Re: Conserver remote access

nathan r. hruby nhruby@uga.edu
Sat, 24 Apr 2004 13:08:50 -0700 (PDT)


Hi,

On Sat, 24 Apr 2004, Kurt Raschke wrote:

> I have been running conserver on my LAN for a few months now, and so
> far it has been very successful.  However, I'd like to open up access
> to the box running conserver for purposes of remote administration
> over the Internet.  Obviously, I am worried about the potential
> security implications of this, and so I am looking to do it in the
> safest way possible.  What would you all recommend?  I am thinking of
> either opening up SSH to the box, or opening up the conserver port and
> then using 'console' to connect remotely, since conserver does include
> SSL support to secure the connection.
> 

What we've been doing is a mixture of various things.  When building
conserver we use "--with-libwrap --with-openssl --with-pam".  We also force
the default action in conserver to be deny, do not accept non-SSL connections,
and have ALL : ALL in hosts.deny.  We then open up the conserver port in
the firewall for only a select number of subnets, and then either add
individual machines from subnets to /etc/hosts.allow and conserver.cf or
for subnets we trust, the entire subnet.  We do not have any trusted client
hosts in our config, so everyone must enter a password when connecting.
Some users have the console application installed on their box, others ssh
into the servers themselves and console from there, or login directly and
use the screen/keyboard when at the physical box and then simply open an
xterm and use console from there.

Seems complicated (and it can be: adding a user or a new host on a new
subnet requires editing 3-4 config files and several restarts of services),
but I think it's probably the most useful while trying to remain the most
secure.

If anyone thinks this is a retarded way of doing things, please LMK.  It
seems like a good idea, but I am still fairly new to conserver :)

-n
-- 
-------------------------------------------
nathan hruby <nhruby@uga.edu>
uga enterprise information technology services
production systems support
metaphysically wrinkle-free
-------------------------------------------
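The layered setup described in the reply above (default deny at the firewall, in tcp_wrappers, and in conserver itself, with SSL required and no trusted hosts) sketched out as an added example; this is not configuration from the original post or from the conserver project. It assumes conserver 8.x conserver.cf syntax, a stock tcp_wrappers hosts.allow/hosts.deny, and made-up subnets (192.0.2.0/24 and 198.51.100.7) standing in for the trusted networks and individual hosts.

```conf
# /etc/hosts.deny -- libwrap layer: deny everything not explicitly allowed
ALL: ALL

# /etc/hosts.allow -- only the daemon name "conserver" gets holes punched.
# Whole trusted subnet (netmask form works on every tcp_wrappers version),
# plus one individual host from a subnet that is not trusted as a whole.
conserver: 192.0.2.0/255.255.255.0, 198.51.100.7

# /etc/conserver.cf -- conserver layer (syntax assumed from conserver 8.x)
config * {
    # refuse any client that does not negotiate SSL
    sslrequired yes;
}

access * {
    # no "trusted" entries: every user must authenticate with a password
    # from conserver.passwd, even from these networks
    allowed 192.0.2.0/255.255.255.0, 198.51.100.7;
    # anything not matched by an access list is rejected by default;
    # listing it explicitly documents the intent
    rejected ALL;
}
```

The firewall rule permitting the conserver port (782/tcp by default) from the same subnets is the outermost layer and is left to whatever packet filter the host runs.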