From prvs=Nikkolai.Jones=4616a5332@rbs.com Wed Aug 5 11:58:35 2009
Date: Wed, 5 Aug 2009 12:58:26 +0100
Subject: Cannot exit ssh conserver connection to cisco terminal server.
X-BeenThere: users@conserver.com
List-Id: Conserver Users

Hello,

I am testing a ssh conserver connection to a cisco terminal server attached
to the serial ILOM of a Sun M4000 sparc server running solaris 10. I have
the following configuration in my conserver.cf:

    default cisco { type exec; execsubst H=cs; exec ssh H; }
    console server1234 { include cisco; host ciscotest1; }

Now connection to the serial console through conserver works fine and I have
a shell, but the problem arises when I want to exit the user in the ssh
shell. When I type "exit" to exit the user (who I have previously su up to),
it disconnects the ssh session and then reconnects.

So it appears that the ssh connection is trapping my exit rather than the
shell I'm logged into. Do I need to spawn my ssh connection in a different
way?

Any help would be much appreciated.

Regards,

Nikkolai Jones
Unix Systems Administrator
RBS Global Banking & Markets

From andras.horvath@cern.ch Wed Aug 19 14:23:10 2009
Date: Wed, 19 Aug 2009 16:23:01 +0200
Subject: packet filtering vs. conserver
Message-ID: <20090819142301.GM4979@cern.ch>

Hi,

Is there a way to make conserver listen on a limited number of ports
only (instead of opening random ports)?

The manual page talks about the 'secondaryport' option but this seems to
do nothing at all, and I'm not at all sure that it's the option I need
anyway.

The reason I'm asking is that I have to devise a set of iptables (packet
filter) rules to let users in, as a policy.

thanks

Andras

From consoleteam@gmail.com Wed Aug 19 15:53:44 2009
From: Zonker
To: users@conserver.com
Date: Wed, 19 Aug 2009 08:53:35 -0700
Subject: Re: packet filtering vs. conserver
In-Reply-To: <20090819142301.GM4979@cern.ch>

Normally, a "stateful" packet filter will allow the "return ports" for all
sessions opened from "inside" the firewall... In that case, Conserver
initiates the TCP session, suggesting the port it is listening on, and the
firewall should allow that returning communication.

Is this not possible for your firewall?

-Z-

On Wed, Aug 19, 2009 at 7:23 AM, <Andras.Horvath@cern.ch> wrote:
> Hi,
>
> Is there a way to make conserver listen on a limited number of ports
> only (instead of opening random ports)?
>
> The manual page talks about the 'secondaryport' option but this seems to
> do nothing at all, and I'm not at all sure that it's the option I need
> anyway.
>
> The reason I'm asking is that I have to devise a set of iptables (packet
> filter) rules to let users in, as a policy.
>
> thanks
>
> Andras

--
ConsoleTeam - Support and training services for Conserver users.
www.conserver.com/consoles/
consoleteam.blogspot.com

From bryan@stansell.org Thu Aug 20 04:22:00 2009
From: Bryan Stansell
To: users@conserver.com
Date: Wed, 19 Aug 2009 21:22:00 -0700
Subject: Re: packet filtering vs. conserver
Message-ID: <20090820042200.GD27559@underdog.stansell.org>
In-Reply-To: <20090819142301.GM4979@cern.ch>

secondaryport is what you want. Something like:

    config * { secondaryport 9900; }

tells conserver to start allocating from port 9900 for its secondary
ports. 'conserver -V' will show you both the primary port and secondary
port range.

If you do something like:

    config * { primaryport 782; secondaryport 783; }

It would make the main port 782, and then start allocating from 783 for
the rest...up to the number of conserver processes forked off.

Or you could do:

    config * { primaryport conserver; secondaryport conserver-child; }

and put whatever values into /etc/services for those names.

The configure option --with-port sets primaryport and --with-base sets
secondaryport, to have them compiled in instead.

Bryan

On Wed, Aug 19, 2009 at 04:23:01PM +0200, Andras.Horvath@cern.ch wrote:
> Hi,
>
> Is there a way to make conserver listen on a limited number of ports
> only (instead of opening random ports)?
>
> The manual page talks about the 'secondaryport' option but this seems to
> do nothing at all, and I'm not at all sure that it's the option I need
> anyway.
>
> The reason I'm asking is that I have to devise a set of iptables (packet
> filter) rules to let users in, as a policy.
>
> thanks
>
> Andras

From andras.horvath@cern.ch Thu Aug 20 11:05:22 2009
Date: Thu, 20 Aug 2009 13:05:14 +0200
Subject: Re: packet filtering vs. conserver
Message-ID: <20090820110514.GU4979@cern.ch>
In-Reply-To: <20090820042200.GD27559@underdog.stansell.org>

On Thu, Aug 20, 2009 at 06:22:00AM +0200, Bryan Stansell wrote:

> It would make the main port 782, and then start allocating from 783 for
> the rest...up to the number of conserver processes forked off.

Thanks, it seems to work. I've also found the '-m' switch, and the
combination of the two makes for predictable port usage.

Zonker: as I understand it, the client first contacts the server
(master) to determine which host/port to connect to for a given console,
then connects to said host/port (which may be the same host as the
master). These two connections are in no relation on the TCP/IP level,
and the second one's port is sort of random by default.

cheers,

Andras

From consoleteam@gmail.com Thu Aug 20 15:34:23 2009
From: Zonker
To: users@conserver.com
Date: Thu, 20 Aug 2009 08:34:16 -0700
Subject: Re: packet filtering vs. conserver
In-Reply-To: <20090820110514.GU4979@cern.ch>

Got it. I had tunnel vision, and was only thinking of Conserver starting up
and connecting to console servers on other networks...

-Z-

On Thu, Aug 20, 2009 at 4:05 AM, <Andras.Horvath@cern.ch> wrote:
> On Thu, Aug 20, 2009 at 06:22:00AM +0200, Bryan Stansell wrote:
>
> > It would make the main port 782, and then start allocating from 783 for
> > the rest...up to the number of conserver processes forked off.
>
> Thanks, it seems to work. I've also found the '-m' switch, and the
> combination of the two makes for predictable port usage.
>
> Zonker: as I understand it, the client first contacts the server
> (master) to determine which host/port to connect to for a given console,
> then connects to said host/port (which may be the same host as the
> master). These two connections are in no relation on the TCP/IP level,
> and the second one's port is sort of random by default.
>
> cheers,
>
> Andras
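
Added example (not part of the thread and not code from conserver or its authors): a shell sketch that turns the primaryport/secondaryport/-m combination discussed above into the port range a packet filter has to admit, and prints matching iptables rules. The function names, the client network 192.0.2.0/24 and the console count of 40 are assumptions made for illustration; it also assumes -m sets the maximum consoles per conserver process and that child ports are allocated contiguously from secondaryport.

```shell
#!/bin/sh
# Added example: derive conserver's listening ports and print iptables rules.
# Nothing is applied to the firewall; the rules are only written to stdout.

# conserver_port_range PRIMARY SECONDARY CONSOLES MAX_PER_PROC
# Prints "PRIMARY FIRST LAST": the master port and the child port range.
# Assumption: one child process per MAX_PER_PROC consoles (the -m value),
# each child taking the next port counting up from SECONDARY.
conserver_port_range() {
    primary=$1 base=$2 consoles=$3 per_proc=$4
    for n in "$primary" "$base" "$consoles" "$per_proc"; do
        case $n in
            ''|*[!0-9]*) echo "not a number: '$n'" >&2; return 1 ;;
        esac
    done
    # A base of 0 would mean OS-chosen ports, which cannot be filtered by range.
    [ "$primary" -ge 1 ] && [ "$base" -ge 1 ] || return 1
    [ "$consoles" -ge 1 ] && [ "$per_proc" -ge 1 ] || return 1
    procs=$(( (consoles + per_proc - 1) / per_proc ))   # round up
    last=$(( base + procs - 1 ))
    [ "$primary" -le 65535 ] && [ "$last" -le 65535 ] || return 1
    # The master port must not sit inside the range handed to the children.
    if [ "$primary" -ge "$base" ] && [ "$primary" -le "$last" ]; then
        echo "primaryport $primary collides with $base-$last" >&2
        return 1
    fi
    echo "$primary $base $last"
}

# conserver_rules CLIENT_NET PRIMARY SECONDARY CONSOLES MAX_PER_PROC
# Rules are appended with -A, so their position relative to any existing
# INPUT rules still has to be checked by hand.
conserver_rules() {
    net=$1; shift
    range=$(conserver_port_range "$@") || return 1
    set -- $range
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # First connection: client asks the master which host/port serves a console.
    echo "iptables -A INPUT -p tcp -s $net --dport $1 -m conntrack --ctstate NEW -j ACCEPT"
    # Second, unrelated connection: client connects to the child process.
    echo "iptables -A INPUT -p tcp -s $net --dport $2:$3 -m conntrack --ctstate NEW -j ACCEPT"
    # Everyone else is refused on the console ports.
    echo "iptables -A INPUT -p tcp --dport $1 -j DROP"
    echo "iptables -A INPUT -p tcp --dport $2:$3 -j DROP"
}

# Constructed sample: primaryport 782, secondaryport 783, 40 consoles, -m 16.
conserver_rules 192.0.2.0/24 782 783 40 16
```

If conserver is restarted with more consoles or a smaller -m value, the child range grows and the rules have to be regenerated.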