Re: initial console connection requires authentication

Ken Schumacher kschu@fnal.gov
Fri, 18 Jan 2008 11:52:50 -0800 (PST)


I will go back to the manual and look at this again. But I will tell you up front that I have been trying to configure conserver to use the RFC-2217 protocol and I am getting the login prompts. I have assumed this request to authenticate was coming from the Opengear.

I have a private LAN segment which is used for all the console management and power management functions. Fermilab has quite strict requirements as to the types of security that must be in place on any network login. Basically any network connection which would allow someone to get to a shell or command-line prompt must be kerberized. So the Opengear is kept on the private segment. And I fully trust that anyone who can log into the node running a conserver daemon is properly authenticated. So any host that can communicate with the Opengear is a trusted host.

I got e-mail replies from Zonker and Lisa (Thank you both!). I had hoped that I could configure the Opengear without having to define a list of trusted users or adding individual SSH keys. I will go back and look at section 15.6 again and see what I can do with that.

I'll post a summary/update when I get this all worked out.

Thanks for the help.
Ken Schumacher

Peter Hunt wrote:
Hi Lisa and Ken,

Sorry for sleeping at the wheel, holidays are taking their toll.

Lisa's solution is the recommended way of avoiding interactive logins and there are detailed instructions in the User Manual: ftp://ftp.opengear.com/manual/IMG-IM-CM4000%20User%20Manual3.1.pdf

Section 15.6, essentially it's identical to Public Key setup on vanilla Linux; however, some of the directories and files live in different places on our embedded FS.

The dirty work-around is to not use Telnet but RFC-2217, which is a super-set of the Telnet protocol usually meant for controlling serial port settings over a network. This will mean your TCP port will change (by default) from 2000 + the serial port to 5000 + the serial port but you will not need to authenticate. (It is highly recommended if you go down this path to restrict access to those TCP ports with iptables. You can use the Trusted Network configuration to achieve this.) The drawback of RFC2217 usage is that your sessions will be restricted to 1 user per port concurrently.

Hope that helps and apologies for the delay, Zonker alerted me.


Lisa Doherty wrote:

I solved my problem by adding the ssh public key of the user running the conserver process on my conserver host to the Opengear terminal server. As an example, if I have a host named foo, and foo has conserver running as user bar, then I add bar's id_dsa.pub to the Opengear terminal server /etc/config/users/conserver/.ssh/authorized_keys file.

I believe I had to restart the conserver process on my conserver host (in this example, foo). Once I did that the prompt disappeared. Hopefully this helps you.

Lisa Doherty

Ken Schumacher wrote:
I have been struggling for several days trying to get a new instance of conserver to talk to a relatively new Opengear CM4148 terminal server. I have an older CM4148 (OpenGear/CM41xx Firmware Version 2.1.0u1) which is working just fine with this conserver host. But the newer unit (FW version 2.3.1u3) requires a login, presumably to authenticate to the Opengear device, before I can open the port to log console output and before I can login at the prompt on the serial console port.

I have read through the Opengear manual and do not see a way to set it up to allow access without some form of authentication. I did find a thread in this conserver users mailing list archive. It was dated 25 Sep 2007 under the title "console connection prompts for root password". That question was submitted by Lisa Doherty with an answer from David Harris. I believe that thread was talking about authenticating to the conserver software and not to the Opengear device.

Like Lisa was at that time, I am new to this list. I have been using older versions of conserver for over 10 years. This is the first instance of conserver version 8 that I am setting up. And I set up that older Opengear device over 18 months ago. I have spent way too long trying to get over this problem on my own. I have an e-mail into support@opengear.com. I would appreciate any help that list members could offer.

Ken Schumacher
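
An added example, not part of any message in this thread: when it is unclear whether a port is speaking RFC-2217 or plain Telnet with a login prompt, the first bytes received from it can be split into Telnet negotiation and plain data. RFC 2217 negotiates Telnet option 44 (COM-PORT-OPTION); the prompt strings matched and both byte captures below are constructed assumptions, not output from an Opengear unit.

```python
# Added example; the prompt strings and both captures are constructed assumptions.
IAC, SB, SE = 255, 250, 240
VERBS = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
COM_PORT_OPTION = 44  # Telnet option number defined by RFC 2217

def parse_telnet(stream: bytes):
    """Split a capture into (option negotiations, plain data bytes)."""
    negotiations, data = [], bytearray()
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:
            break  # capture ends on a lone IAC
        cmd = stream[i + 1]
        if cmd == IAC:  # escaped 0xFF data byte
            data.append(IAC)
            i += 2
        elif cmd in VERBS:
            if i + 2 >= n:
                break  # capture ends before the option byte
            negotiations.append((VERBS[cmd], stream[i + 2]))
            i += 3
        elif cmd == SB:
            j = i + 2
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                j += 2 if stream[j] == IAC else 1  # step over escaped IAC IAC
            if j + 1 >= n:
                break  # unterminated subnegotiation
            negotiations.append(("SB", stream[i + 2]))
            i = j + 2
        else:
            i += 2  # other two-byte command such as NOP or GA
    return negotiations, bytes(data)

def classify(stream: bytes) -> dict:
    """Report whether COM-PORT-OPTION was negotiated and whether a login prompt appears."""
    negotiations, data = parse_telnet(stream)
    text = data.lower()
    return {
        "rfc2217": any(opt == COM_PORT_OPTION for _, opt in negotiations),
        "login_prompt": any(p in text for p in (b"login:", b"password:")),
    }

# Constructed captures: an RFC 2217 port and a port that asks for a login.
RFC2217_CAPTURE = bytes([255, 251, 44, 255, 253, 44, 255, 250, 44, 101, 0, 0, 37, 128, 255, 240]) + b"console ready\r\n"
LOGIN_CAPTURE = bytes([255, 251, 1, 255, 251, 3]) + b"\r\nlogin: "

if __name__ == "__main__":
    print(classify(RFC2217_CAPTURE), classify(LOGIN_CAPTURE))
```

A result with `login_prompt` true and `rfc2217` false indicates the port answered as an authenticated Telnet service rather than negotiating serial-port control.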


