
Re: How to pass console username to Cyclades username ?

Michael Redinger Michael.Redinger@uibk.ac.at
Sun, 17 Jun 2007 04:00:02 -0700 (PDT)


Hi,

Here is how we use conserver together with the Cyclades, without passing the usernames (your second solution):

- configure the Cyclades server to accept hostbased authentication
  from your conserver host.
- you might want to configure the Cyclades firewall to restrict ssh
  logins to your conserver server.
- do not pass the user from conserver to the cyclades server. Instead,
  always use one user (and hostbased authentication).
- configure conserver to use PAM.
- configure conserver to connect to the appropriate ssh port for each
  system. (We do not use names for the ports because we found it is a
  better idea to keep the console servers as dumb as possible and do all
  the configuration on the conserver system. If you have many console
  servers, this is the best way to keep a clean configuration.)
  E.g.:

default casssh {
        type exec;
        exec /usr/local/bin/cssh P H;
        execsubst P=pd,H=hs;
}

console myserver {
        port 1;
        include casssh;
        host mycycladesserver;
}

/usr/local/bin/cssh:
#!/bin/sh
# Called by conserver as "cssh <port> <host>" (see the execsubst line above).
PORT="${1}"
TERMSRV="${2}"
# The Cyclades maps serial line N to the login name "<user>:ttySN"; the single
# fixed account relies on hostbased authentication, so no password is exchanged.
# exec replaces this shell with ssh so no extra process lingers per console.
exec ssh -2 -q -x -t "root:ttyS${PORT}@${TERMSRV}"


Greetings, Michael


Jesper Frank Nemholt wrote:
Hi!

We have Cyclades ACS installed, accessible via SSH, and I'd like to
centralize the connection point to them via Conserver instead of the
current solution (a shell script doing roughly the same as Conserver but
with many limits).

The Cyclades are set up with username/password access on their own.

As I haven't used Conserver for a long time, I'm somewhat behind with the
features offered.

I currently see two possible solutions:

1. Keep the Cyclades as they are (with their own user validation) and use
Conserver just as gateway. For this, I'd prefer to have it configured so
Conserver itself doesn't authorize users but just pass them on to the
right console (where they're then authorized by the Cyclades).
Can this be done without any security issues with Conserver?

2. Change the Cyclades configuration so they don't validate, or validate
a specific user known by Conserver; thus Conserver maintains the connections
established to all servers connected to the Cyclades and takes care of all
authorization.
I suppose I can limit the access at the same time on the Cyclades with TCP
wrappers, so only the Conserver server(s) gets access.
The benefit of this is that I move user administration away from the
Cyclades and onto the UNIX servers where passwords are synced, so the
admins don't need to maintain their passwords on the Cyclades but can use
the standard company one used for Windows logon.



For solution 1, apart from setting up Conserver so it doesn't validate all
users but trusts them (based upon where they come from/whatever), I have one
small problem:

The Cyclades validate per username, and I'd like the username people
use for console (console -l username) to be passed to the Cyclades; however, I
don't know exactly how to do this in conserver.cf.
What the Cyclades expect is a resulting SSH command line like this:

ssh -l username:portnumber hostname-of-cyclades

The portnumber & hostname of the cyclades is easy, but I don't know how to
pass the username. Anyone ?
Below is an example of what I have currently.

Apart from all this, I'd be happy to get some suggestions regarding best
practices on Conserver+Cyclades.
We have 16 of them, all 48-port and spread around the world in different
datacenters.


default bboxb05 {
        type exec;
        host fubar-cyclade;
        exec /usr/bin/ssh -l username:P H;
        execsubst H=hs,P=Pd;
        portbase 7000;
        portinc 1;
}

default ilo-rc {
        type exec;
        exec /usr/bin/ssh -l foo H;
        execsubst H=hs,P=Pd;
}

console fubar1        { include bboxb05; port 41; }
console fubar2        { include bboxb05; port 26; }
console fubar1-ilo    { include ilo-rc; host fubar1rb; }


_______________________________________________
users mailing list
users@conserver.com
https://www.conserver.com/mailman/listinfo/users



--
Michael Redinger
Zentraler Informatikdienst (Central IT Services)
Universitaet Innsbruck
Technikerstrasse 13                    Tel.: ++43 512 507 2335
6020 Innsbruck                         Fax.: ++43 512 507 949 02335
Austria                                Mail: Michael.Redinger@uibk.ac.at
BB98 D2FE 0F2C 2658 3780  3CB1 0FD7 A9D9 65C2 C11D
http://homepage.uibk.ac.at/~c102mr/mred-pubkey.asc
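As an added example (not Michael's script and not part of conserver itself), the following is a hardened variant of the cssh wrapper that puts into practice the approach described in the reply: one fixed account on the Cyclades, hostbased authentication, and all per-console configuration kept on the conserver side. It is invoked from conserver.cf exactly as in the posted `default casssh` block (`exec /usr/local/bin/cssh P H; execsubst P=pd,H=hs;`), so `$1` is the serial line number and `$2` is the console-server hostname. Everything beyond that is an assumption for illustration: the account name `root` and the `<user>:ttyS<N>` login form are taken from the posted script, the 48-line limit from the thread, and the hostname allowlist pattern and ssh options are my choices. The validation functions exist so that a broken console entry fails closed instead of handing an unexpected string to ssh.

```shell
#!/bin/sh
# Added example: hardened cssh wrapper that conserver runs for each Cyclades
# console.  Not the script from the post and not part of conserver itself.
# Invoked from conserver.cf as
#     exec /usr/local/bin/cssh P H;   execsubst P=pd,H=hs;
# so $1 is the serial line number and $2 is the Cyclades hostname.
#
# Assumptions (not from the original page): the ACS is reached as
# "<user>:ttyS<N>", the fixed account is "root" as in the posted script,
# the units have 48 lines, and hostbased authentication is already set up
# between the conserver host and the console servers.

CYC_USER="${CYC_USER:-root}"   # single fixed account on the ACS (assumed)
MAX_PORT=48                    # 48-port units, as described in the thread

# Fixed option string with no user-controlled content, so the unquoted
# expansion in connect() is deliberate and safe.
#   BatchMode=yes              fail fast instead of sitting at a password
#                              prompt when hostbased auth is refused
#   PreferredAuthentications   never fall back to password/keyboard-interactive
#   StrictHostKeyChecking=yes  refuse unknown or changed console-server keys
SSH_OPTS="-q -x -t -o BatchMode=yes -o PreferredAuthentications=hostbased -o StrictHostKeyChecking=yes"

# validate_port N : true only for a decimal integer in 1..MAX_PORT.
# execsubst "pd" should only ever yield digits; this guards against a
# misconfigured console entry passing something else.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le "$MAX_PORT" ]
}

# validate_host H : true only for a plain hostname or FQDN.  Rejects a
# leading "-" (would otherwise be read as an ssh option) and anything
# outside letters, digits, "." and "-".
validate_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# ssh_target N H : the user@host argument handed to ssh, e.g. root:ttyS7@acs1
ssh_target() {
    printf '%s:ttyS%s@%s\n' "$CYC_USER" "$1" "$2"
}

# connect N H : validate both substitutions, then replace this shell with
# ssh.  A bad value exits with a message instead of reaching ssh at all.
connect() {
    validate_port "$1" || { echo "cssh: bad port '$1'" >&2; exit 2; }
    validate_host "$2" || { echo "cssh: bad host '$2'" >&2; exit 2; }
    # word splitting of the fixed option string is intended
    exec ssh $SSH_OPTS -- "$(ssh_target "$1" "$2")"
}

# conserver calls this with exactly two arguments; with any other count
# (for example when sourced to exercise the helpers) do nothing.
if [ "$#" -eq 2 ]; then
    connect "$1" "$2"
fi
```

On the conserver host, hostbased authentication additionally needs `HostbasedAuthentication yes` and `EnableSSHKeysign yes` in the client ssh_config (ssh-keysign must be able to read the host key), and the console servers must trust the conserver host's key; the firewall restriction Michael mentions is what keeps that trust from being usable from anywhere else.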