
Re: using one time passwords with conserver?

Ryan Kirkpatrick linux@rkirkpat.net
Wed, 26 Jul 2006 06:15:49 -0700 (PDT)


On Tue, 25 Jul 2006, Bryan Stansell wrote:

> anyone out there good at thinking outside the box?  ;-)

While I don't need one-time passwords, I did want secure access to my
conserver without having to enter passwords. My solution was to restrict
access to conserver to only the local machine running conserver (i.e.
only loopback allowed to connect), but trust usernames and not require
passwords. Then to access the machine I use per-user SSH accounts, with
public keys on the conserver machine, and private keys plus ssh-agent on
the end-user machine. The conserver config excerpt is something like this:

-------------------------------------------------------------------------
# Establish access control.
access * {
  # Only allow connections from this machine.
  trusted localhost,console;
}
-------------------------------------------------------------------------

To avoid the annoyance factor of having to 'ssh' and then 'console', I
wrote the following shell script for the end-user machines, named
/usr/local/bin/console:

--------------------------------------------------------------------------
#!/bin/bash

# Open a pseudo terminal with SSH on the console server and run console
#   there. "$@" passes each argument through unchanged (no local globbing
#   or word splitting, unlike a bare $*).
ssh -t farstar console "$@"
--------------------------------------------------------------------------

Where 'farstar' is the hostname of the conserver machine. This passes all
parameters to console on that machine, and pretty much makes the SSH
connection transparent. Only if you are trying to do some advanced
piping/scripting/local file access with the console client does it break
down. 

As an added bonus, the console session, as it passes over the network, is
encrypted like any SSH shell session. And using PAM, any desired
authentication method could be used in place of SSH's private/public keys.

For multiple system conservers, you can configure the other machines to
only accept console connections from the master server that the end-user
will SSH into. Though be aware that the console session from the master to
the other server is not encrypted (unless conserver SSL is enabled).

Hopefully this will be of use or at least provide ideas. TTYL.

---------------------------------------------------------------------------
|   "For to me to live is Christ, and to die is gain."                    |
|                                            --- Philippians 1:21 (KJV)   |
---------------------------------------------------------------------------
|   Ryan Kirkpatrick  |  Boulder, Colorado  |  http://www.rkirkpat.net/   |
---------------------------------------------------------------------------
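An added example (not the poster's script) of the same ssh wrapper, written so that console arguments containing spaces or quotes survive the trip through the remote login shell; it assumes the hostname 'farstar' from the post and a /usr/local/bin/console install path.

```shell
#!/bin/sh
# Transparent ssh wrapper for the conserver 'console' client.
# ssh joins its remote arguments into one string and hands it to the
# remote login shell, so a bare $* (or even "$@") loses any spaces inside
# an argument; each word is therefore quoted individually before sending.

# Assumed hostname from the post; override with CONSERVER_HOST if needed.
CONSERVER_HOST="${CONSERVER_HOST:-farstar}"

# Quote one word for a POSIX shell: wrap in single quotes and turn each
# embedded ' into '\'' (close quote, escaped quote, reopen quote).
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the remote command line: 'console' followed by every argument,
# each quoted, so the remote shell reproduces the original words exactly.
console_remote_cmd() {
  cmd=console
  for arg in "$@"; do
    cmd="$cmd $(shell_quote "$arg")"
  done
  printf '%s' "$cmd"
}

# -t allocates a pty so console's interactive escape sequences work; the
# whole console session is carried inside the encrypted ssh connection.
run_console() {
  exec ssh -t "$CONSERVER_HOST" "$(console_remote_cmd "$@")"
}

# Only connect when invoked under the installed name 'console'; when the
# file is sourced or run under another name, just define the functions.
case "${0##*/}" in
  console) run_console "$@" ;;
esac
```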