[Date Prev] [Date Index] [Date Next] [Thread Prev] [Thread Index] [Thread Next]

Re: using one time passwords with conserver?

Brian Matheson bmath@xsigo.com
Wed, 26 Jul 2006 11:36:40 -0700 (PDT)

Arnold de Leon <a-conserver@deleons.com> wrote:

> The really wild idea is to glue sshd to the conserver program and get
> rid of the client all together and simply run conserver as an ssh
> server.  For the really smooth installation an extra IP address would
> be given to the conserver master so it can listen on the default ssh
> port.  Then if you make the name "console" point to that IP address
> you can type:
>   % ssh console some-machine

I've set up something similar to this using xinetd and telnet.  

My goal was to make conserver work the same way that, for example, a
cisco 2511 with an ip aliase for each async port works.  Users can
telnet to an address (usually a hostname-con the way we do it here), and
the remote server system with that address configured on it will fire up
'console' with the appropriate arguments to connect to the destination
system.  Usernames are either passed through the telnet protocol, or
queried for in a little wrapper.

In my implementation, there's no security at all, and all of the
processes run as a special console user whose login shell has some of
the magic glue to pass info to console.  You could probably (ab)use sshd
in a way that's similar to the way I'm using in.telnetd to provide
encryption, authentication, and username exposure.

Anyway, it seems to work well, but there are bugs and annoyances.  At
the moment I have about 150 consoles set up this way, maybe 1/4 of them
in use at any given time.  If you're interested, I could probably clean
things up a bit and pass it on.