From travis.campbell@amd.com Tue Jul 4 03:17:01 2006
Date: Tue, 04 Jul 2006 05:16:25 -0500
From: "Travis Campbell"
To: users@conserver.com
Subject: Re: Max number of consoles that can be supported with one conserver?

Bryan Stansell wrote:
> something like 64 is
> probably a good start. see if that helps things (maybe even go to 96 or
> 128). it's all a balancing act. but, if you haven't done this yet,
> it'll bring the process count down by a factor of 4 and should trigger
> less of a spike.

Thanks. I'll try that. What's the downside to going high on this? I
see the faq mentions the possibility of a "lock up" delaying activity.
What would cause a lock up?

>
> the HUP processing is certainly not ideal. it seems to work decently
> (a livable, but quite noticeable, delay) on a sparc t1 with just over
> 1000 consoles (using --with-maxmemb=32). that's the only hard datapoint
> i have beyond yours. with the machine you're talking about, i'd think
> you *should* be able to support 3500 consoles.

Oh, it'll certainly support it once it's up and running. We only have a
problem when we go and reload the configuration.

>
> i'd love to know if this helps. if not, what is your --with-maxmemb/-m
> value? (conserver -V shows it)

It's set to the default of 16. I'll recompile with higher settings on
Wednesday and give various settings a try.

Travis
-- 
travis.campbell@amd.com    | "In theory, there is no difference between
Sr. CAD Systems Engineer   | theory and practice. In practice there is."
AMD Silicon Design Systems |                              -- Yogi Berra

From bryan@stansell.org Tue Jul 4 09:16:28 2006
Date: Tue, 4 Jul 2006 09:16:27 -0700
From: Bryan Stansell
To: users@conserver.com
Subject: Re: Max number of consoles that can be supported with one conserver?

On Tue, Jul 04, 2006 at 05:16:25AM -0500, Travis Campbell wrote:
> Thanks. I'll try that. What's the downside to going high on this? I
> see the faq mentions the possibility of a "lock up" delaying activity.
> What would cause a lock up?

well, back when that part of the faq was written, i don't believe
conserver was using non-blocking i/o in all places. for quite a while
it has been, so the problem of "locking up" isn't even on my radar any
more (which also means that faq should be updated).

> > the HUP processing is certainly not ideal. it seems to work decently
> > (a livable, but quite noticeable, delay) on a sparc t1 with just over
> > 1000 consoles (using --with-maxmemb=32). that's the only hard datapoint
> > i have beyond yours.
> > with the machine you're talking about, i'd think
> > you *should* be able to support 3500 consoles.
>
> Oh, it'll certainly support it once it's up and running. We only have a
> problem when we go and reload the configuration.

yeah, my comment meant to say more explicitly that the "wedge" a hup
causes was a few seconds (no more than 10?) on the t1. still not
ideal, but livable. so, hopefully the increase in number of consoles
per process will help you get it down to something livable as well.

Bryan

From nstraz@redhat.com Thu Jul 13 12:09:27 2006
Date: Thu, 13 Jul 2006 14:09:18 -0500
From: nstraz@redhat.com (Nathan Straz)
To: users@conserver.com
Subject: Conserver managing Cyclades TS - Connection Reset by Peer

I'm having a little trouble with my conserver setup and my Cyclades TS3000.
I have a Linux server running conserver and I have it talking to the
TS3000 with this config block:

default cyclades-01 {
    type host;
    host cyclades-01;
    portbase 7000;
    portinc 1;
    rw *;
}

My console connections are hanging and I found a ton of these in the logs:

[Thu Jul 13 13:54:30 2006] conserver (2787): ERROR: FileRead(): fd 9: Connection reset by peer
[Thu Jul 13 13:54:30 2006] conserver (2787): ERROR: [taft-02] read failure: unexpected EOF
[Thu Jul 13 13:54:30 2006] conserver (2787): [taft-02] automatic reinitialization
[Thu Jul 13 14:02:42 2006] conserver (2785): ERROR: FileRead(): fd 35: Connection reset by peer
[Thu Jul 13 14:02:42 2006] conserver (2785): ERROR: [tank-02] read failure: unexpected EOF
[Thu Jul 13 14:02:42 2006] conserver (2785): [tank-02] automatic reinitialization
[Thu Jul 13 14:02:43 2006] conserver (2785): ERROR: FileRead(): fd 33: Connection reset by peer
[Thu Jul 13 14:02:43 2006] conserver (2785): ERROR: [tank-03] read failure: unexpected EOF
[Thu Jul 13 14:02:43 2006] conserver (2785): [tank-03] automatic reinitialization

I turned off all of the buffering on the Cyclades, but I'm still hitting
this. It seems like the cyclades can't handle the load from conserver.
I'm running 39 of the 48 ports.

Has anyone run into similar problems? I'm running the latest firmware
from Cyclades.

Nate

From david.k.harris@siemens.com Thu Jul 13 12:25:30 2006
Date: Thu, 13 Jul 2006 12:25:21 -0700
From: "Harris, David \(SBS US\)"
To: "Nathan Straz"
Cc: users@conserver.com
Subject: RE: Conserver managing Cyclades TS - Connection Reset by Peer

Just to confirm...

From the conserver host, you can telnet to the cyclades
by IP address at port 7000+n, yes? (Just ensuring that
routes are correct, and the Cyclades is set for reverse-tcp...)

You are using curly-braces in the conserver.cf file, and
there are no parentheses masquerading as a bracket?
You have semicolons in all of the config lines of the
conserver.cf file, as seen in the example lines?

-Zonker-

-----Original Message-----
From: users-bounces@conserver.com [mailto:users-bounces@conserver.com] On Behalf Of Nathan Straz
Sent: Thursday, July 13, 2006 12:09 PM
To: users@conserver.com
Subject: Conserver managing Cyclades TS - Connection Reset by Peer

I'm having a little trouble with my conserver setup and my Cyclades
TS3000. I have a Linux server running conserver and I have it talking
to the TS3000 with this config block:

default cyclades-01 {
    type host;
    host cyclades-01;
    portbase 7000;
    portinc 1;
    rw *;
}

My console connections are hanging and I found a ton of these in the logs:

[Thu Jul 13 13:54:30 2006] conserver (2787): ERROR: FileRead(): fd 9: Connection reset by peer
[Thu Jul 13 13:54:30 2006] conserver (2787): ERROR: [taft-02] read failure: unexpected EOF
[Thu Jul 13 13:54:30 2006] conserver (2787): [taft-02] automatic reinitialization
[Thu Jul 13 14:02:42 2006] conserver (2785): ERROR: FileRead(): fd 35: Connection reset by peer
[Thu Jul 13 14:02:42 2006] conserver (2785): ERROR: [tank-02] read failure: unexpected EOF
[Thu Jul 13 14:02:42 2006] conserver (2785): [tank-02] automatic reinitialization
[Thu Jul 13 14:02:43 2006] conserver (2785): ERROR: FileRead(): fd 33: Connection reset by peer
[Thu Jul 13 14:02:43 2006] conserver (2785): ERROR: [tank-03] read failure: unexpected EOF
[Thu Jul 13 14:02:43 2006] conserver (2785): [tank-03] automatic reinitialization

I turned off all of the buffering on the Cyclades, but I'm still hitting
this. It seems like the cyclades can't handle the load from conserver.
I'm running 39 of the 48 ports.

Has anyone run into similar problems? I'm running the latest firmware
from Cyclades.

Nate
_______________________________________________
users mailing list
users@conserver.com
https://www.conserver.com/mailman/listinfo/users

From nstraz@redhat.com Thu Jul 13 12:39:37 2006
Date: Thu, 13 Jul 2006 14:39:30 -0500
From: nstraz@redhat.com (Nathan Straz)
To: users@conserver.com
Subject: Re: Conserver managing Cyclades TS - Connection Reset by Peer

On Jul 13 12:25, Harris, David (SBS US) wrote:
> Just to confirm...
>
> From the conserver host, you can telnet to the cyclades
> by IP address at port 7000+n, yes? (Just ensuring that
> routes are correct, and the Cyclades is set for reverse-tcp...)

Yes, it can connect initially. But after a random amount of time the
console hangs and it seems like the cyclades resets the connection.

reverse-tcp... I'll have to look at that. While digging through the
cyclades manual to find that I ran over all.protocol. Should that be
set to socket_server or raw_data?

> You are using curly-braces in the conserver.cf file, and
> there are no parentheses masquerading as a bracket?
> You have semicolons in all of the config lines of the
> conserver.cf file, as seen in the example lines?

conserver is running without problems otherwise.

Nate

From david.k.harris@siemens.com Thu Jul 13 13:54:20 2006
Date: Thu, 13 Jul 2006 13:54:12 -0700
From: "Harris, David \(SBS US\)"
To: "Nathan Straz"
Cc: users@conserver.com
Subject: RE: Conserver managing Cyclades TS - Connection Reset by Peer

Yes. All.protocol should be set to socket_server

-Z-

-----Original Message-----
From: users-bounces On Behalf Of Nathan Straz
Sent: Thursday, July 13, 2006 12:40 PM
To: users@conserver.com
Subject: Re: Conserver managing Cyclades TS - Connection Reset by Peer

On Jul 13 12:25, Harris, David (SBS US) wrote:
> Just to confirm...
>
> From the conserver host, you can telnet to the cyclades by IP
> address at port 7000+n, yes? (Just ensuring that routes are correct,
> and the Cyclades is set for reverse-tcp...)

Yes, it can connect initially. But after a random amount of time the
console hangs and it seems like the cyclades resets the connection.

reverse-tcp... I'll have to look at that. While digging through the
cyclades manual to find that I ran over all.protocol. Should that be
set to socket_server or raw_data?

> You are using curly-braces in the conserver.cf file, and there are
> no parentheses masquerading as a bracket?
> You have semicolons in all of the config lines of the conserver.cf
> file, as seen in the example lines?

conserver is running without problems otherwise.

Nate

From lothian@cs.utk.edu Fri Jul 21 05:28:28 2006
Date: Fri, 21 Jul 2006 08:28:16 -0400
From: Josh Lothian
To: users@conserver.com
Subject: using one time passwords with conserver?

We're using RSA SecurID fobs here for all sorts of authentication. We'd
like to use them with conserver via PAM. However, looking at the logs,
it seems like conserver is trying to authenticate twice in quick
succession.
The first one succeeds, but the second one fails - hence
the "one time" password. Any way to disable this?

-jkl

From bryan@stansell.org Sun Jul 23 09:03:34 2006
Date: Sun, 23 Jul 2006 09:03:34 -0700
From: Bryan Stansell
To: users@conserver.com
Subject: Re: using one time passwords with conserver?

hmm...well, that's kinda tricky. the issue is that there are multiple
conserver processes that the client talks to (the master, then the actual
one managing the console - in the simplest form). the client actually
caches the password so that it can re-authenticate with the extra
processes without harassing the user. in your case, you should be
getting multiple password requests, right? you'd authenticate with the
first, conserver would try and re-use the password with the second,
fail, and then ask for the current password.

removing the need for multiple passwords *might* be possible.
i could see removing the need for authenticating against the master
process...just have it skip password stuff (which means removing a few
lines of code) and let the user authenticate once against the process
managing the console. this would allow folks to gather data...so not
something i'd do for the general release (well, maybe as an option), but
you may not like that either.

another possibility is to set up a "console" host that does nothing but
allow folks to access conserver (it could even be the same box). when a
user logs in, instead of a shell, you get a console command that
attaches to some pre-determined console. how does this help? well, you
turn off all authentication in conserver and can assume that anyone
attaching has already authenticated with the host, so they should be who
they say they are. and, actually, you could create a "noop" console
that they all fall into by default, and then they just need to use
"^ec;" to switch to another console. kinda different, but doable, in my
opinion. it's not a 100% solution, but it's close (in addition i'd say
they should all be "limited" users (in conserver.cf terms), but then you
wouldn't be able to switch consoles).

aside from that, i'm not sure what else to offer.

Bryan

On Fri, Jul 21, 2006 at 08:28:16AM -0400, Josh Lothian wrote:
> We're using RSA SecurID fobs here for all sorts of authentication. We'd
> like to use them with conserver via PAM. However, looking at the logs,
> it seems like conserver is trying to authenticate twice in quick
> succession. The first one succeeds, but the second one fails - hence
> the "one time" password. Any way to disable this?
>
> -jkl

From cfowler@outpostsentinel.com Sun Jul 23 10:27:01 2006
Date: Sun, 23 Jul 2006 13:26:52 -0400
From: Christopher Fowler
To: users@conserver.com
Subject: Re: using one time passwords with conserver?

How does SecurID work with conserver? Does the console client ask for
the number on the card?

On Sun, 2006-07-23 at 09:03 -0700, Bryan Stansell wrote:
> hmm...well, that's kinda tricky. the issue is that there are multiple
> conserver processes that the client talks to (the master, then the actual
> one managing the console - in the simplest form). the client actually
> caches the password so that it can re-authenticate with the extra
> processes without harassing the user. in your case, you should be
> getting multiple password requests, right?
> you'd authenticate with the
> first, conserver would try and re-use the password with the second,
> fail, and then ask for the current password.
>
> removing the need for multiple passwords *might* be possible. i could
> see removing the need for authenticating against the master
> process...just have it skip password stuff (which means removing a few
> lines of code) and let the user authenticate once against the process
> managing the console. this would allow folks to gather data...so not
> something i'd do for the general release (well, maybe as an option), but
> you may not like that either.
>
> another possibility is to set up a "console" host that does nothing but
> allow folks to access conserver (it could even be the same box). when a
> user logs in, instead of a shell, you get a console command that
> attaches to some pre-determined console. how does this help? well, you
> turn off all authentication in conserver and can assume that anyone
> attaching has already authenticated with the host, so they should be who
> they say they are. and, actually, you could create a "noop" console
> that they all fall into by default, and then they just need to use
> "^ec;" to switch to another console. kinda different, but doable, in my
> opinion. it's not a 100% solution, but it's close (in addition i'd say
> they should all be "limited" users (in conserver.cf terms), but then you
> wouldn't be able to switch consoles).
>
> aside from that, i'm not sure what else to offer.
>
> Bryan
>
> On Fri, Jul 21, 2006 at 08:28:16AM -0400, Josh Lothian wrote:
> > We're using RSA SecurID fobs here for all sorts of authentication. We'd
> > like to use them with conserver via PAM. However, looking at the logs,
> > it seems like conserver is trying to authenticate twice in quick
> > succession. The first one succeeds, but the second one fails - hence
> > the "one time" password. Any way to disable this?
> >
> > -jkl

From lothian@cs.utk.edu Tue Jul 25 06:14:13 2006
Date: Tue, 25 Jul 2006 09:13:57 -0400
From: Josh Lothian
To: Bryan Stansell
Cc: users@conserver.com
Subject: Re: using one time passwords with conserver?

On Sun, Jul 23, 2006 at 09:03:34AM -0700, Bryan Stansell wrote:
> hmm...well, that's kinda tricky. the issue is that there are multiple
> conserver processes that the client talks to (the master, then the actual
> one managing the console - in the simplest form). the client actually
> caches the password so that it can re-authenticate with the extra
> processes without harassing the user. in your case, you should be
> getting multiple password requests, right? you'd authenticate with the
> first, conserver would try and re-use the password with the second,
> fail, and then ask for the current password.

yep, exactly.

> removing the need for multiple passwords *might* be possible. i could
> see removing the need for authenticating against the master
> process...just have it skip password stuff (which means removing a few
> lines of code) and let the user authenticate once against the process
> managing the console. this would allow folks to gather data...so not
> something i'd do for the general release (well, maybe as an option), but
> you may not like that either.

What sort of data could they gather?

> another possibility is to set up a "console" host that does nothing but
> allow folks to access conserver (it could even be the same box).
when a > user logs in, instead of a shell, you get a console command that > attaches to some pre-determined console. how does this help? well, you > turn off all authentication in conserver and can assume that anyone > attaching has already authenticated with the host, so they should be who > they say they are. and, actually, you could create a "noop" console > that they all fall into by default, and then they just need to use > "^ec;" to switch to another console. kinda different, but doable, in my > opinion. it's not a 100% solution, but it's close (in addition i'd say > they should all be "limited" users (in conserver.cf terms), but then you > wouldn't be able to switch consoles). This is kinda what we have going currently, but it's not ideal. People other than our admin staff have access to the conserver host. Some of the admins would also like to not have to log in to that host and instead use the conserver client from their desktop. From bryan@stansell.org Tue Jul 25 15:25:53 2006 Received: from underdog.stansell.org (localhost [127.0.0.1]) by underdog.stansell.org (8.13.7/8.13.7) with ESMTP id k6PMPrg1015291 for ; Tue, 25 Jul 2006 15:25:53 -0700 (PDT) Received: (from bryan@localhost) by underdog.stansell.org (8.13.7/8.13.7/Submit) id k6PMPrKp015290 for users@conserver.com; Tue, 25 Jul 2006 15:25:53 -0700 (PDT) Date: Tue, 25 Jul 2006 15:25:52 -0700 From: Bryan Stansell Cc: users@conserver.com Subject: Re: using one time passwords with conserver? 
Message-ID: <20060725222552.GA16251@underdog.stansell.org>
In-Reply-To: <20060725131357.GA1372@woodchuck.cs.utk.edu>

On Tue, Jul 25, 2006 at 09:13:57AM -0400, Josh Lothian wrote:
> > removing the need for multiple passwords *might* be possible. i could
> > see removing the need for authenticating against the master
> > process...just have it skip password stuff (which means removing a few
> > lines of code) and let the user authenticate once against the process
> > managing the console. this would allow folks to gather data...so not
> > something i'd do for the general release (well, maybe as an option), but
> > you may not like that either.
>
> What sort of data could they gather?

well, the port numbers of the sub-processes, the list of conserver
hosts, the pid, and version. you also wouldn't be able to restart,
reload, quit, etc since no authentication had been done (using the
client...you could always send the signals).

> This is kinda what we have going currently, but it's not ideal. People
> other than our admin staff have access to the conserver host. Some of
> the admins would also like to not have to log in to that host and
> instead use the conserver client from their desktop.

well, i'm out of ideas for now. having conserver send the client some
sort of "token" that allows you in without authentication might be
necessary...but then you might as well just tell securid to grant every
number a 2 second, multi-use window.
neither are secure. if you're using ssl to encrypt things, at least
you'd be fairly sure no one could pick the data off the line and then
use it to gain access. but that doesn't make me feel much better.

i'm beginning to believe there isn't really any nice way to handle this
without conserver being rewritten to be a single-process (threaded?)
system...and that too has its challenges.

anyone out there good at thinking outside the box? ;-)

Bryan

From rkirkpat@rkirkpat.net Wed Jul 26 06:15:50 2006
Date: Wed, 26 Jul 2006 07:15:33 -0600 (MDT)
From: Ryan Kirkpatrick
To: users@conserver.com
Subject: Re: using one time passwords with conserver?
In-Reply-To: <20060725222552.GA16251@underdog.stansell.org>

On Tue, 25 Jul 2006, Bryan Stansell wrote:
> anyone out there good at thinking outside the box? ;-)

While I don't need one-time passwords, I did want secure access to my
conserver without having to enter passwords.
My solution was to restrict access to conserver to only the local
machine running conserver (i.e. only loopback allowed to connect), but
trust usernames and not require passwords. Then to access the machine I
use per-user SSH accounts, with public keys on the conserver machine,
and private keys plus ssh-agent on the end-user machine. The conserver
config excerpt is something like this:

-------------------------------------------------------------------------
# Establish access control.
access * {
        # Only allow connections from this machine.
        trusted localhost,console;
}
-------------------------------------------------------------------------

To avoid the annoyance factor of having to 'ssh' and then 'console', I
wrote the following shell script for the end-user machines, named
/usr/local/bin/console:

--------------------------------------------------------------------------
#!/bin/bash
# Open a pseudo terminal with SSH on the console server and run console
# there.
ssh -t farstar console "$@"
--------------------------------------------------------------------------

Where 'farstar' is the hostname of the conserver machine. This passes
all parameters to console on that machine, and pretty much makes the SSH
connection transparent. Only if you are trying to do some advanced
piping/scripting/local file access with the console client does it break
down.

As an added bonus, the console session, as it passes over the network,
is encrypted like any SSH shell session. And using PAM, any desired
authentication method could be used in place of SSH's private/public
keys.

For multiple system conservers, you can configure the other machines to
only accept console connections from the master server that the end-user
will SSH into. Though be aware that the console session from the master
to the other server is not encrypted (unless conserver SSL is enabled).

Hopefully this will be of use or at least provide ideas. TTYL.

---------------------------------------------------------------------------
| "For to me to live is Christ, and to die is gain."                      |
|                                            --- Philippians 1:21 (KJV)   |
---------------------------------------------------------------------------
| Ryan Kirkpatrick | Boulder, Colorado | http://www.rkirkpat.net/         |
---------------------------------------------------------------------------

From arnold.de.leon@gmail.com Wed Jul 26 09:07:27 2006
Message-ID: <3e9a6fd20607260907y1c6febbctffb3d66547e81363@mail.gmail.com>
Date: Wed, 26 Jul 2006 09:07:17 -0700
From: "Arnold de Leon"
To: users@conserver.com
Subject: Re: using one time passwords with conserver?

On 7/26/06, Ryan Kirkpatrick wrote:
> On Tue, 25 Jul 2006, Bryan Stansell wrote:
>
> > anyone out there good at thinking outside the box? ;-)
>
> While I don't need one-time passwords, I did want secure access to my
> conserver without having to enter passwords.
> My solution was to restrict access to conserver to only the local
> machine running conserver (i.e. only loopback allowed to connect), but
> trust usernames and not require passwords. Then to access the machine I
> use per-user SSH accounts, with public keys on the conserver machine,
> and private keys plus ssh-agent on the end-user machine. The conserver
> config excerpt is something like this:
>
> -------------------------------------------------------------------------
> # Establish access control.
> access * {
>         # Only allow connections from this machine.
>         trusted localhost,console;
> }
> -------------------------------------------------------------------------
>
> To avoid the annoyance factor of having to 'ssh' and then 'console', I
> wrote the following shell script for the end-user machines, named
> /usr/local/bin/console:
>
[script deleted]

This is similar to how we are planning on deploying conserver. We
didn't want to have to distribute a client/script and so we are
thinking of ways around that issue. One idea was to create a script on
the "conserver" master and link each console name to it so one can type:

% ssh conserver some-machine

Maintaining the links would probably need another script. Console name
completion is broken but power conserver user can always type:

# ssh conserver console . . .

The really wild idea is to glue sshd to the conserver program and get
rid of the client altogether and simply run conserver as an ssh
server. For the really smooth installation an extra IP address would
be given to the conserver master so it can listen on the default ssh
port. Then if you make the name "console" point to that IP address
you can type:

% ssh console some-machine

Just like in the previous example but it should be possible to have
conserver process the rest of the arguments so all the console client
magic can happen. We only got as far as the idea stage so there are
probably gotchas that haven't been worked out.

[more good stuff deleted]

Out of the box enough for you Bryan? ;-)

arnold

From windsor@warthog.com Wed Jul 26 09:53:45 2006
Message-ID: <44C79E0D.2030607@warthog.com>
Date: Wed, 26 Jul 2006 11:53:33 -0500
From: Rob Windsor
To: users@conserver.com
Subject: Re: clientless conserver
In-Reply-To: <3e9a6fd20607260907y1c6febbctffb3d66547e81363@mail.gmail.com>

Arnold de Leon wrote:
> % ssh console some-machine
>
> Just like in the previous example but it should be possible to have
> conserver process the rest of the arguments so all the console client
> magic can happen. We only got as far as the idea stage so there are
> probably gotchas that haven't been worked out.
>
> [more good stuff deleted]
>
> Out of the box enough for you Bryan? ;-)

Digi makes a box that is a PPC with embedded-linux and runs sshd.

That's Pretty Damn Close to what Arnold is describing. :)

So.. anyone have some friends at Digi?

Rob++
--
Internet: windsor@warthog.com                             __o
Life: Rob@Carrollton.Texas.USA.Earth                    _`\<,_
                                                       (_)/ (_)
"They couldn't hit an elephant at this distance."
  -- Major General John Sedgwick

From bmath@xsigo.com Wed Jul 26 11:36:41 2006
Message-Id: <200607261836.k6QIaWvf003577@red.xsigo.com>
To: "Arnold de Leon"
Subject: Re: using one time passwords with conserver?
In-reply-to: <3e9a6fd20607260907y1c6febbctffb3d66547e81363@mail.gmail.com>
Date: Wed, 26 Jul 2006 11:36:32 -0700
From: Brian Matheson
Cc: users@conserver.com

Arnold de Leon wrote:
> The really wild idea is to glue sshd to the conserver program and get
> rid of the client altogether and simply run conserver as an ssh
> server. For the really smooth installation an extra IP address would
> be given to the conserver master so it can listen on the default ssh
> port. Then if you make the name "console" point to that IP address
> you can type:
>
> % ssh console some-machine

I've set up something similar to this using xinetd and telnet.
My goal was to make conserver work the same way that, for example, a
cisco 2511 with an ip alias for each async port works. Users can
telnet to an address (usually a hostname-con the way we do it here),
and the remote server system with that address configured on it will
fire up 'console' with the appropriate arguments to connect to the
destination system. Usernames are either passed through the telnet
protocol, or queried for in a little wrapper.

In my implementation, there's no security at all, and all of the
processes run as a special console user whose login shell has some of
the magic glue to pass info to console. You could probably (ab)use
sshd in a way that's similar to the way I'm using in.telnetd to
provide encryption, authentication, and username exposure.

Anyway, it seems to work well, but there are bugs and annoyances. At
the moment I have about 150 consoles set up this way, maybe 1/4 of them
in use at any given time. If you're interested, I could probably clean
things up a bit and pass it on.

Cheers,
Brian

From fredjame@fredjame.cnc.net Fri Jul 28 13:56:57 2006
Message-ID: <44CA79E2.6080502@fredjame.cnc.net>
Date: Fri, 28 Jul 2006 15:56:02 -0500
From: Fred James
To: users@conserver.com
Subject: new user

All

I have installed conserver on an old with a couple of extra PCI serial
ports installed - no errors so far, though I haven't connected to any
of my servers as yet.

Are the man pages the best documentation on conserver, or can you point
me in another direction, please?

Thank you in advance for any help you may be able to offer
Regards
Fred James

Detail:
HP Pavilion 6630 - Celeron 500MHz, 128 MB memory
one serial port on board
two serial ports on PCI (one more to add as soon as I can find it).
Mandrake Linux 9.1
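
The SSH front end proposed earlier in this thread (Ryan Kirkpatrick's `ssh -t farstar console` wrapper, Arnold de Leon's `ssh conserver some-machine`) can be pinned down on the conserver host with an sshd forced command, so that an SSH login reaches the console client for a named console and nothing else. This is an added example, not code from any message in the thread or from conserver; the allowlist file `/etc/conserver/ssh-consoles` and the `CONSOLE_BIN` / `CONSOLE_ALLOWLIST` variables are assumptions, while `ForceCommand`, `command="..."` and `SSH_ORIGINAL_COMMAND` are standard OpenSSH.

```shell
#!/bin/sh
# Hypothetical forced-command wrapper for the conserver host (added example).
# Install it through sshd's ForceCommand or an authorized_keys command="..."
# entry so that "ssh conserver some-machine" can only run the console client.

# Assumed locations; adjust for the local install.
CONSOLE_BIN=${CONSOLE_BIN:-console}
CONSOLE_ALLOWLIST=${CONSOLE_ALLOWLIST:-/etc/conserver/ssh-consoles}

# valid_console_name NAME
# Accept one hostname-like token only: no whitespace, no shell
# metacharacters, and no leading "-" that console would read as an option.
valid_console_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# console_allowed NAME
# NAME must match a whole line of the allowlist file (one console name per
# line, lines starting with "#" are comments).
console_allowed() {
    [ -r "$CONSOLE_ALLOWLIST" ] || return 1
    grep -v '^#' "$CONSOLE_ALLOWLIST" | grep -Fxq -- "$1"
}

# pick_console REQUEST
# REQUEST is the untrusted command string sent by the SSH client (sshd
# exposes it as SSH_ORIGINAL_COMMAND). Prints the console name on success,
# returns non-zero for anything other than exactly one allowed name.
pick_console() {
    valid_console_name "$1" || return 1
    console_allowed "$1" || return 1
    printf '%s\n' "$1"
}

# Entry point: acts only when sshd supplied a request. With no request the
# script falls through and the session ends without a shell.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    name=$(pick_console "$SSH_ORIGINAL_COMMAND") || {
        echo "usage: ssh conserver <console-name>" >&2
        exit 1
    }
    # exec replaces the wrapper, so no shell is left on the conserver host.
    exec "$CONSOLE_BIN" "$name"
fi
```

Because the wrapper stands in for the login shell of these keys, only names in the allowlist can be attached to, which matters when conserver itself trusts every local user as in the `trusted localhost` excerpt quoted in the thread.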