From pabutusa@gmail.com Wed Sep 2 17:30:40 2009
Date: Wed, 2 Sep 2009 17:30:29 +0000
Subject: Reconnect after network outage??
From: Rob
To: users@conserver.com

I had an event where the network conserver and my terminal servers are on
was down for a period of time. During the outage conserver could not connect
to the terminal servers and forced down those connections. The console
connections stayed down until someone noticed a few days later even though
the network outage was repaired long before.

So my question, how do I prevent this going forward? I would like to
reinitialize the consoles after the network ... or any other outage .. is
repaired.

Looking at the conserver.cf man page I'm seeing "initspinmax" and
"initspintimer" .... am I on the right track?? Or is there some other
setting I need to look at??

Thanks,

--> Rob

From benbatten@gmail.com Wed Sep 16 12:19:09 2009
Date: Wed, 16 Sep 2009 08:18:54 -0400
Message-ID: <802f42640909160518q690074bag4393050dd6abf9ce@mail.gmail.com>
Subject: Console Variables
From: Ben Batten
To: users@conserver.com

Is it possible to use variable substitutions/interpolations in
conserver.cf? I'm looking to shorten the numerous console definitions
I have by utilizing a default but interpolate a host name from the
command line in the default block. So in my conserver.cf file I have:

    default somedefault {
        somestuff;
        ssh $consolehost;
    }

    console consolehostA { include somedefault }
    console consolehostB { include somedefault }
    ...
    console consolehostZ { include somedefault }

Then on the command line I type:

    console consolehostA

... and I get hostA or hostP or whichever host console I type.
Make sense?

TIA!
Ben

From wernli@in2p3.fr Wed Sep 16 12:50:22 2009
Date: Wed, 16 Sep 2009 14:50:13 +0200
From: Fabien Wernli
To: users@conserver.com
Subject: Re: Console Variables
Message-ID: <20090916125013.GD24200@ccswiss.in2p3.fr>
In-Reply-To: <802f42640909160518q690074bag4393050dd6abf9ce@mail.gmail.com>

On Wed, Sep 16, 2009 at 08:18:54AM -0400, Ben Batten wrote:
> Is it possible to use variable substitutions/interpolations in
> conserver.cf? I'm looking to shorten the numerous console definitions
> I have by utilizing a default but interpolate a host name from the
> command line in the default block. So in my conserver.cf file I have:

look for execsubst in the manpage

From andras.horvath@cern.ch Wed Sep 16 15:33:21 2009
Date: Wed, 16 Sep 2009 17:33:12 +0200
Subject: Kerberos authentication?
Message-ID: <20090916153312.GI9850@cern.ch>

Hi,

I'm wondering if anyone has a patch to use Kerberos5 tokens for
authentication between the client and the server?

I can use the appropriate passwords (via PAM) but it would be much
easier for my users to directly use the tokens they have already.

Andras

From nstraz@redhat.com Wed Sep 16 17:20:57 2009
Date: Wed, 16 Sep 2009 13:21:39 -0400
To: users@conserver.com
Subject: Re: Kerberos authentication?
Message-ID: <20090916172139.GM5654@redhat.com>
In-Reply-To: <20090916153312.GI9850@cern.ch>
From: nstraz@redhat.com

On Sep 16 17:33, Andras.Horvath@cern.ch wrote:
> I'm wondering if anyone has a patch to use Kerberos5 tokens for
> authentication between the client and the server?
>
> I can use the appropriate passwords (via PAM) but it would be much
> easier for my users to directly use the tokens they have already.

Here is my most recent patch which works with libgssapi and libgssglue.
I would love to get this patch upstream.

Nate

--69pVuxX8awAiJ7fD
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="conserver-8.1.16-gssglue.patch"

diff --git a/config.h.in b/config.h.in index 1c3095c..a698b6b 100644 --- a/config.h.in +++ b/config.h.in @@ -75,6 +75,9 @@ /* Define to 1 if you have the `grantpt' function. */ #undef HAVE_GRANTPT +/* have gss-api support */ +#undef HAVE_GSSAPI + /* Define to 1 if you have the header file. */ #undef HAVE_HPSECURITY_H diff --git a/configure b/configure index 8f58bda..75f6369 100755 --- a/configure +++ b/configure @@ -868,6 +868,8 @@ Optional Packages: Compile in libwrap (tcp_wrappers) support --with-openssl[=PATH] Compile in OpenSSL support + --with-gssapi[=PATH] + Compile in GSS-API support --with-dmalloc[=PATH] Compile in dmalloc support --with-pam Enable PAM support 
@@ -6092,6 +6094,300 @@ fi fi; +cons_with_gssapi="NO" + +# Check whether --with-gssapi or --without-gssapi was given. +if test "${with_gssapi+set}" = set; then + withval="$with_gssapi" + if test "$withval" != "no"; then + if test "$withval" != "yes"; then + GSSAPICPPFLAGS="-I$withval/include" + if test "$use_dash_r" != "yes"; then + GSSAPILDFLAGS="-L$withval/lib" + else + GSSAPILDFLAGS="-L$withval/lib -R$withval/lib" + fi + else + GSSAPICPPFLAGS="" + GSSAPILDFLAGS="" + fi + + oCPPFLAGS="$CPPFLAGS" + oLDFLAGS="$LDFLAGS" + oLIBS="$LIBS" + have_gssapi=no + + CPPFLAGS="$CPPFLAGS $GSSAPICPPFLAGS" + LDFLAGS="$LDFLAGS $GSSAPILDFLAGS" + + if test "${ac_cv_header_gssapi_gssapi_h+set}" = set; then + echo "$as_me:$LINENO: checking for gssapi/gssapi.h" >&5 +echo $ECHO_N "checking for gssapi/gssapi.h... $ECHO_C" >&6 +if test "${ac_cv_header_gssapi_gssapi_h+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +fi +echo "$as_me:$LINENO: result: $ac_cv_header_gssapi_gssapi_h" >&5 +echo "${ECHO_T}$ac_cv_header_gssapi_gssapi_h" >&6 +else + # Is the header compilable? +echo "$as_me:$LINENO: checking gssapi/gssapi.h usability" >&5 +echo $ECHO_N "checking gssapi/gssapi.h usability... $ECHO_C" >&6 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_header_compiler=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_header_compiler=no +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext +echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +echo "${ECHO_T}$ac_header_compiler" >&6 + +# Is the header present? +echo "$as_me:$LINENO: checking gssapi/gssapi.h presence" >&5 +echo $ECHO_N "checking gssapi/gssapi.h presence... $ECHO_C" >&6 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +_ACEOF +if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5 + (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null; then + if test -s conftest.err; then + ac_cpp_err=$ac_c_preproc_warn_flag + ac_cpp_err=$ac_cpp_err$ac_c_werror_flag + else + ac_cpp_err= + fi +else + ac_cpp_err=yes +fi +if test -z "$ac_cpp_err"; then + ac_header_preproc=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi +rm -f conftest.err conftest.$ac_ext +echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +echo "${ECHO_T}$ac_header_preproc" >&6 + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: accepted by the compiler, rejected by the preprocessor!" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: accepted by the compiler, rejected by the preprocessor!" 
>&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: proceeding with the compiler's result" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: present but cannot be compiled" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: present but cannot be compiled" >&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: check for missing prerequisite headers?" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: check for missing prerequisite headers?" >&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: see the Autoconf documentation" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: see the Autoconf documentation" >&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: section \"Present But Cannot Be Compiled\"" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: section \"Present But Cannot Be Compiled\"" >&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: proceeding with the preprocessor's result" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: proceeding with the preprocessor's result" >&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: in the future, the compiler will take precedence" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: in the future, the compiler will take precedence" >&2;} + ( + cat <<\_ASBOX +## ------------------------------------------ ## +## Report this to the AC_PACKAGE_NAME lists. ## +## ------------------------------------------ ## +_ASBOX + ) | + sed "s/^/$as_me: WARNING: /" >&2 + ;; +esac +echo "$as_me:$LINENO: checking for gssapi/gssapi.h" >&5 +echo $ECHO_N "checking for gssapi/gssapi.h... 
$ECHO_C" >&6 +if test "${ac_cv_header_gssapi_gssapi_h+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_cv_header_gssapi_gssapi_h=$ac_header_preproc +fi +echo "$as_me:$LINENO: result: $ac_cv_header_gssapi_gssapi_h" >&5 +echo "${ECHO_T}$ac_cv_header_gssapi_gssapi_h" >&6 + +fi +if test $ac_cv_header_gssapi_gssapi_h = yes; then + LIBS="$oLIBS -lgssapi" + echo "$as_me:$LINENO: checking for gssapi library -lgssapi" >&5 +echo $ECHO_N "checking for gssapi library -lgssapi... $ECHO_C" >&6 + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + +int +main () +{ +gss_create_empty_oid_set(NULL, NULL) + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + cons_with_gssapi="YES" + cat >>confdefs.h <<\_ACEOF +#define HAVE_GSSAPI 1 +_ACEOF + + have_gssapi=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 + LIBS="$oLIBS -lgssglue" + echo "$as_me:$LINENO: checking for gssapi library -lgssglue" >&5 +echo $ECHO_N "checking for gssapi library -lgssglue... 
$ECHO_C" >&6 + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + +int +main () +{ +gss_create_empty_oid_set(NULL, NULL) + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + cons_with_gssapi="YES" + cat >>confdefs.h <<\_ACEOF +#define HAVE_GSSAPI 1 +_ACEOF + + have_gssapi=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi + + + + if test $have_gssapi = no; then + LIBS="$oLIBS" + CPPFLAGS="$oCPPFLAGS" + LDFLAGS="$oLDFLAGS" + fi + fi + +fi; + + cons_with_dmalloc="NO" # Check whether --with-dmalloc or --without-dmalloc was given. 
@@ -8844,6 +9140,7 @@ echo "" echo " Unix domain sockets (--with-uds) : $cons_with_uds" echo " TCP wrappers (--with-libwrap): $cons_with_libwrap" echo " OpenSSL (--with-openssl): $cons_with_openssl" +echo " GSS-API (--with-gssapi) : $cons_with_gssapi" echo " dmalloc (--with-dmalloc): $cons_with_dmalloc" echo " PAM support (--with-pam) : $cons_with_pam" echo "" diff --git a/configure.in b/configure.in index 8bd2620..2c76a79 100644 --- a/configure.in +++ b/configure.in @@ -14,6 +14,7 @@ AH_TEMPLATE([USE_LIBWRAP], [use tcp_wrappers libwrap]) dnl AH_TEMPLATE([HAVE_POSIX_REGCOMP], [have POSIX regcomp]) AH_TEMPLATE([HAVE_PAM], [have PAM support]) AH_TEMPLATE([HAVE_OPENSSL], [have openssl support]) +AH_TEMPLATE([HAVE_GSSAPI], [have gss-api support]) AH_TEMPLATE([HAVE_DMALLOC], [have dmalloc support]) AH_TEMPLATE([HAVE_SA_LEN],[Defined if sa_len member exists in struct sockaddr]) AH_TEMPLATE([TRUST_REVERSE_DNS],[Defined if we trust reverse DNS]) 
@@ -499,6 +500,60 @@ AC_ARG_WITH(openssl, fi] ) +cons_with_gssapi="NO" +AC_ARG_WITH(gssapi, + AS_HELP_STRING([--with-gssapi@<:@=PATH@:>@], + [Compile in GSS-API support]), + [if test "$withval" != "no"; then + if test "$withval" != "yes"; then + GSSAPICPPFLAGS="-I$withval/include" + if test "$use_dash_r" != "yes"; then + GSSAPILDFLAGS="-L$withval/lib" + else + GSSAPILDFLAGS="-L$withval/lib -R$withval/lib" + fi + else + GSSAPICPPFLAGS="" + GSSAPILDFLAGS="" + fi + + oCPPFLAGS="$CPPFLAGS" + oLDFLAGS="$LDFLAGS" + oLIBS="$LIBS" + have_gssapi=no + + CPPFLAGS="$CPPFLAGS $GSSAPICPPFLAGS" + LDFLAGS="$LDFLAGS $GSSAPILDFLAGS" + + AC_CHECK_HEADER([gssapi/gssapi.h], + [LIBS="$oLIBS -lgssapi" + AC_MSG_CHECKING(for gssapi library -lgssapi) + AC_TRY_LINK([#include + ],[gss_create_empty_oid_set(NULL, NULL)], + [AC_MSG_RESULT(yes) + cons_with_gssapi="YES" + AC_DEFINE(HAVE_GSSAPI) + have_gssapi=yes], + [AC_MSG_RESULT(no) + LIBS="$oLIBS -lgssglue" + AC_MSG_CHECKING(for gssapi library -lgssglue) + AC_TRY_LINK([#include + ],[gss_create_empty_oid_set(NULL, NULL)], + [AC_MSG_RESULT(yes) + cons_with_gssapi="YES" + AC_DEFINE(HAVE_GSSAPI) + have_gssapi=yes], + [AC_MSG_RESULT(no)])])],) + + if test $have_gssapi = no; then + LIBS="$oLIBS" + CPPFLAGS="$oCPPFLAGS" + LDFLAGS="$oLDFLAGS" + fi + fi] +) + + cons_with_dmalloc="NO" AC_ARG_WITH(dmalloc, AS_HELP_STRING([--with-dmalloc@<:@=PATH@:>@], @@ -657,6 +712,7 @@ echo "" echo " Unix domain sockets (--with-uds) : $cons_with_uds" echo " TCP wrappers (--with-libwrap): $cons_with_libwrap" echo " OpenSSL (--with-openssl): $cons_with_openssl" +echo " GSS-API (--with-gssapi) : $cons_with_gssapi" echo " dmalloc (--with-dmalloc): $cons_with_dmalloc" echo " PAM support (--with-pam) : $cons_with_pam" echo "" diff --git a/conserver/cutil.h b/conserver/cutil.h index a9b579a..da1a5ae 100644 --- a/conserver/cutil.h +++ b/conserver/cutil.h @@ -15,6 +15,9 @@ #include #include #endif +#if HAVE_GSSAPI +#include +#endif /* communication constants */ 
@@ -46,6 +49,9 @@ typedef enum IOState { INSSLACCEPT, INSSLSHUTDOWN, #endif +#if HAVE_GSSAPI + INGSSACCEPT, +#endif ISFLUSHING } IOSTATE; diff --git a/conserver/group.c b/conserver/group.c index ea6bd76..8db89d7 100644 --- a/conserver/group.c +++ b/conserver/group.c @@ -352,7 +352,7 @@ DisconnectCertainClients(pGE, admin, who) return 0; } - if ((console = strchr(who, '@')) != (char *)0) { + if ((console = strrchr(who, '@')) != (char *)0) { *console++ = '\000'; if (*console == '\000') console = (char *)0; 
@@ -1869,6 +1869,63 @@ AttemptSSL(pCL) } #endif +#if HAVE_GSSAPI +int +#if PROTOTYPES +AttemptGSSAPI(CONSCLIENT *pCL) +#else +AttemptGSSAPI(pCL) + CONSCLIENT *pCL; +#endif +{ + int nr, ret = 0; + char buf[1024]; + gss_buffer_desc sendtok, recvtok, dbuf; + gss_ctx_id_t gssctx = GSS_C_NO_CONTEXT; + OM_uint32 stmaj, stmin, mctx, dmin; + gss_name_t user = 0; + + if ((nr = FileRead(pCL->fd, buf, sizeof(buf))) <= 0) { + return nr; + } + recvtok.value = buf; + recvtok.length = nr; + + stmaj = gss_accept_sec_context(&stmin, &gssctx, gss_mycreds, + &recvtok, NULL, &user, NULL, &sendtok, NULL, NULL, NULL); + switch (stmaj) { + case GSS_S_COMPLETE: + FileSetQuoteIAC(pCL->fd, FLAGFALSE); + FileWrite(pCL->fd, FLAGFALSE, sendtok.value, sendtok.length); + FileSetQuoteIAC(pCL->fd, FLAGTRUE); + pCL->iState = S_NORMAL; + gss_release_buffer(NULL, &sendtok); + BuildString((char *)0, pCL->username); + BuildString((char *)0, pCL->acid); + stmaj = gss_display_name(&stmin, user, &dbuf, NULL); + + BuildStringN(dbuf.value, dbuf.length, pCL->username); + BuildStringN(dbuf.value, dbuf.length, pCL->acid); + BuildStringChar('@', pCL->acid); + BuildString(pCL->peername->string, + pCL->acid); + gss_release_name(&stmin, &user); + gss_release_buffer(NULL, &dbuf); + ret = 1; + break; + case GSS_S_CREDENTIALS_EXPIRED: + /* reacquire creds and try again */ + Error("Credentials expired"); + break; + default: + gss_display_status(&dmin, stmaj, GSS_C_GSS_CODE, GSS_C_NULL_OID, &mctx, &dbuf); + Error("GSSAPI didn't work, %*s", dbuf.length, dbuf.value); + ret = -1; + } + return ret; +} +#endif + CONSENT * #if PROTOTYPES HuntForConsole(GRPENT *pGE, char *name) @@ -2945,6 +3002,7 @@ DoClientRead(pGE, pCLServing) static char *pcArgs; static char *pcCmd; + CONDDEBUG((1, "state = %d", pCLServing->iState)); if ('\n' != acIn[i]) { BuildStringChar(acIn[i], pCLServing->accmd); continue; 
@@ -2993,6 +3051,9 @@ DoClientRead(pGE, pCLServing) #if HAVE_OPENSSL "ssl start ssl session\r\n", #endif +#if HAVE_GSSAPI + "gssapi log in with gssapi\r\n", +#endif (char *)0 }; static char *apcHelp2[] = { @@ -3033,6 +3094,14 @@ DoClientRead(pGE, pCLServing) return; } #endif +#if HAVE_GSSAPI + } else if (pCLServing->iState == S_IDENT && + strcmp(pcCmd, "gssapi") == 0) { + FileWrite(pCLServing->fd, FLAGFALSE, "ok\r\n", -1); + /* Change the I/O mode right away, we'll do the read + * and accept when the select gets back to us */ + pCLServing->ioState = INGSSACCEPT; +#endif } else if (pCLServing->iState == S_IDENT && strcmp(pcCmd, "login") == 0) { #if HAVE_OPENSSL @@ -3267,6 +3336,7 @@ DoClientRead(pGE, pCLServing) } else { FileWrite(pCLServing->fd, FLAGFALSE, "unknown command\r\n", -1); + CONDDEBUG((1, "command %s state %d", pcCmd, pCLServing->iState)); } BuildString((char *)0, pCLServing->accmd); } else @@ -4651,6 +4721,16 @@ Kiddie(pGE, sfd) } break; #endif +#if HAVE_GSSAPI + case INGSSACCEPT: + { int r; + if ((r = AttemptGSSAPI(pCLServing)) < 0) + DropMasterClient(pCLServing, FLAGFALSE); + else if (r == 1) + pCLServing->ioState = ISNORMAL; + } + break; +#endif case ISNORMAL: if (FileCanRead(pCLServing->fd, &rmask, &wmask)) DoClientRead(pGE, pCLServing); diff --git a/conserver/main.c b/conserver/main.c index 38b66dd..24fbcbe 100644 --- a/conserver/main.c +++ b/conserver/main.c @@ -44,6 +44,9 @@ #if HAVE_OPENSSL # include #endif +#if HAVE_GSSAPI +# include +#endif int fAll = 0, fNoinit = 0, fVersion = 0, fStrip = 0, fReopen = 
@@ -378,6 +381,40 @@ SetupSSL() } #endif +#if HAVE_GSSAPI +gss_name_t gss_myname = GSS_C_NO_NAME; +gss_cred_id_t gss_mycreds = GSS_C_NO_CREDENTIAL; + +void +#if PROTOTYPES +SetupGSSAPI(void) +#else +SetupGSSAPI() +#endif +{ + OM_uint32 stmaj, stmin; + char namestr[128]; + gss_buffer_desc namebuf; + + snprintf(namestr, 128, "host@%s", myHostname); + namebuf.value = namestr; + namebuf.length = strlen(namestr) + 1; + stmaj = gss_import_name(&stmin, &namebuf, GSS_C_NT_HOSTBASED_SERVICE, + &gss_myname); + /* XXX: handle error */ + if (stmaj != GSS_S_COMPLETE) { + Error("gss_import_name failed"); + } + /* Get some initial credentials */ + stmaj = gss_acquire_cred(&stmin, gss_myname, 0, GSS_C_NULL_OID_SET, + GSS_C_ACCEPT, &gss_mycreds, NULL, NULL); + if (stmaj != GSS_S_COMPLETE) { + Error("Could not acquire GSS-API credentials"); + } + +} +#endif + void #if PROTOTYPES ReopenLogfile(void) @@ -1563,6 +1600,9 @@ main(argc, argv) /* Prep the SSL layer */ SetupSSL(); #endif +#if HAVE_GSSAPI + SetupGSSAPI(); +#endif if (config->daemonmode == FLAGTRUE) Daemonize(); diff --git a/conserver/main.h b/conserver/main.h index 1b59a5a..aae8a10 100644 --- a/conserver/main.h +++ b/conserver/main.h @@ -54,6 +54,10 @@ extern char *interface; #if HAVE_OPENSSL extern SSL_CTX *ctx; #endif +#if HAVE_GSSAPI +extern gss_name_t gss_myname; +extern gss_cred_id_t gss_mycreds; +#endif extern void ReopenLogfile PARAMS((void)); extern void ReopenUnifiedlog PARAMS((void)); extern void DumpDataStructures PARAMS((void)); diff --git a/conserver/master.c b/conserver/master.c index 36622cc..d406b19 100644 --- a/conserver/master.c +++ b/conserver/master.c @@ -494,6 +494,9 @@ DoNormalRead(pCLServing) #if HAVE_OPENSSL "ssl start ssl session\r\n", #endif +#if HAVE_GSSAPI + "gssapi log in with gssapi\r\n", +#endif (char *)0 }; static char *apcHelp2[] = { 
@@ -532,6 +535,14 @@ DoNormalRead(pCLServing) return; } #endif +#if HAVE_GSSAPI + } else if (pCLServing->iState == S_IDENT && + strcmp(pcCmd, "gssapi") == 0) { + FileWrite(pCLServing->fd, FLAGFALSE, "ok\r\n", -1); + /* Change the I/O mode right away, we'll do the read + * and accept when the select gets back to us */ + pCLServing->ioState = INGSSACCEPT; +#endif } else if (pCLServing->iState == S_IDENT && strcmp(pcCmd, "login") == 0) { #if HAVE_OPENSSL @@ -921,6 +932,16 @@ Master() } break; #endif +#if HAVE_GSSAPI + case INGSSACCEPT: + { int r; + if ((r = AttemptGSSAPI(pCLServing)) < 0) + DropMasterClient(pCLServing, FLAGFALSE); + else if (r == 1) + pCLServing->ioState = ISNORMAL; + } + break; +#endif case ISNORMAL: if (FileCanRead(pCLServing->fd, &rmask, &wmask)) DoNormalRead(pCLServing); diff --git a/console/console.c b/console/console.c index 4ec949b..d868ef0 100644 --- a/console/console.c +++ b/console/console.c @@ -40,6 +40,9 @@ #include #include #endif +#if HAVE_GSSAPI +#include +#endif int fReplay = 0, fVersion = 0; 
@@ -152,6 +155,81 @@ AttemptSSL(pcf) } #endif +#if HAVE_GSSAPI +gss_name_t gss_server_name = GSS_C_NO_NAME; +gss_ctx_id_t secctx = GSS_C_NO_CONTEXT; +gss_buffer_desc mytok = GSS_C_EMPTY_BUFFER; + +int +#if PROTOTYPES +CanGetGSSContext(const char *servername) +#else +CanGetGSSContext(servername) + const char *servername; +#endif +{ + char namestr[128]; + gss_buffer_desc namebuf, dbuf; + OM_uint32 stmaj, stmin, mctx, dmin; + + snprintf(namestr, 128, "host@%s", servername); + namebuf.value = namestr; + namebuf.length = strlen(namestr) + 1; + stmaj = gss_import_name(&stmin, &namebuf, GSS_C_NT_HOSTBASED_SERVICE, + &gss_server_name); + /* XXX: handle error */ + if (stmaj != GSS_S_COMPLETE) { + Error("gss_import_name failed"); + return 0; + } + secctx = GSS_C_NO_CONTEXT; + mytok.length = 0; mytok.value = NULL; + + stmaj = gss_init_sec_context(&stmin, GSS_C_NO_CREDENTIAL, &secctx, + gss_server_name, GSS_C_NULL_OID, GSS_C_MUTUAL_FLAG, 0, + GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL, + &mytok, NULL, NULL); + + if (stmaj != GSS_S_COMPLETE && stmaj != GSS_S_CONTINUE_NEEDED) { + gss_release_name(&stmin, &gss_server_name); + return 0; + } + return mytok.length; +} + +int +#if PROTOTYPES +AttemptGSSAPI(CONSFILE *pcf) +#else +AttemptGSSAPI(pcf) + CONSFILE *pcf; +#endif +{ + OM_uint32 stmaj, stmin; + gss_buffer_desc servertok; + char buf[1024]; + int nr; + int ret; + + FileSetQuoteIAC(pcf, FLAGFALSE); + FileWrite(pcf, FLAGFALSE, mytok.value, mytok.length); + FileSetQuoteIAC(pcf, FLAGTRUE); + nr = FileRead(pcf, buf, sizeof(buf)); + servertok.length = nr; + servertok.value = buf; + + stmaj = gss_init_sec_context(&stmin, GSS_C_NO_CREDENTIAL, &secctx, + gss_server_name, GSS_C_NULL_OID, GSS_C_MUTUAL_FLAG, 0, + GSS_C_NO_CHANNEL_BINDINGS, &servertok, + NULL, &mytok, NULL, NULL); + gss_release_buffer(NULL, &mytok); + + ret = (stmaj == GSS_S_COMPLETE); + gss_release_name(&stmin, &gss_server_name); + return ret; +} +#endif + /* output a control (or plain) character as a UNIX user would expect it 
(ksb) */ static void @@ -271,6 +349,9 @@ Version() #if HAVE_OPENSSL "openssl", #endif +#if HAVE_GSSAPI + "gssapi", +#endif #if HAVE_PAM "pam", #endif @@ -1522,6 +1603,9 @@ DoCmds(master, pports, cmdi) char *ports; char *pcopy; char *serverName; +#if HAVE_GSSAPI + int toksize; +#endif if ((pcopy = ports = StrDup(pports)) == (char *)0) OutOfMem(); @@ -1599,6 +1683,17 @@ DoCmds(master, pports, cmdi) } } #endif +#if HAVE_GSSAPI + if ((toksize = CanGetGSSContext(server)) > 0) { + FilePrint(pcf, FLAGFALSE, "gssapi %d\r\n", toksize); + t = ReadReply(pcf, FLAGFALSE); + if (strcmp(t, "ok\r\n") == 0) { + if (AttemptGSSAPI(pcf)) { + goto gssapi_logged_me_in; + } + } + } +#endif FilePrint(pcf, FLAGFALSE, "login %s\r\n", config->username); @@ -1651,6 +1746,9 @@ DoCmds(master, pports, cmdi) FilePrint(cfstdout, FLAGFALSE, "%s: %s", serverName, t); continue; } +#if HAVE_GSSAPI +gssapi_logged_me_in: +#endif /* now that we're logged in, we can do something */ /* if we're on the last cmd or the command is 'call' and we --69pVuxX8awAiJ7fD-- From andras.horvath@cern.ch Thu Sep 17 13:03:13 2009 Received: from cernmx21.cern.ch (cernmx21.cern.ch [137.138.166.182]) by underdog.stansell.org (8.14.3/8.14.3) with ESMTP id n8HD36r9020172 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=FAIL) for ; Thu, 17 Sep 2009 13:03:13 GMT Received: from pcitadc01.cern.ch (137.138.33.142) by cernmxlb.cern.ch (137.138.166.163) with Microsoft SMTP Server id 8.1.375.2; Thu, 17 Sep 2009 15:03:05 +0200 Received: by pcitadc01.cern.ch (Postfix, from userid 1000) id D70A414DC176; Thu, 17 Sep 2009 15:03:04 +0200 (CEST) Date: Thu, 17 Sep 2009 15:03:04 +0200 
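Review bot: In AttemptGSSAPI (hunk @@ -152,6 +155,81 @@) the return value of FileRead() is assigned straight to servertok.length with no check, so a failed or empty read is handed to gss_init_sec_context() as the server token, and a negative nr turns into a huge length once stored in the unsigned length field. Check nr > 0 before building servertok, and because the reply is read once into a fixed 1024-byte buffer with no framing, have the server announce its token size the way the client does with "gssapi %d" and read until that many bytes have arrived. Smaller points in the same hunk: the second gss_init_sec_context() writes into mytok without releasing the first token, gss_release_buffer() is passed NULL where &stmin is available, secctx is never handed to gss_delete_sec_context() on the failure paths, and the "XXX: handle error" comment sits above code that already handles the error.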
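Review bot: In the DoCmds hunk (@@ -1599,6 +1683,17 @@), when the server answers "ok" but AttemptGSSAPI() returns 0, control falls through to the "login %s" line on the same connection, so a half-finished GSS exchange is followed by a plain login on a stream whose state the two sides may no longer agree on. Treat a failed AttemptGSSAPI() as fatal for this connection (report it and move on to the next server) instead of falling through. Also, when CanGetGSSContext() succeeds and the reply is anything other than "ok", nothing releases gss_server_name, mytok or secctx; they are globals that the next call overwrites, so release them on that path.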
Subject: Re: Kerberos authentication?

> Here is my most recent patch which works with libgssapi and libgssglue.

Works for me, thank you!

Note: authentication info has to be in username@REALM.DOMAIN format
instead of just 'username' for krb5 to work. This prevents users from
falling back to password authentication if they don't have a token (PAM
will come back with 'username' only). :-/ Perhaps a default realm could
be supplied somehow? I'm no gssapi expert :-/

> I would love to get this patch upstream.

I second that. I've started tracking my (packaging-only) changes in git..

Andras

From andras.horvath@cern.ch Fri Sep 18 12:47:27 2009
Date: Fri, 18 Sep 2009 14:47:18 +0200
Subject: Re: Kerberos authentication?

On Thu, Sep 17, 2009 at 03:03:04PM +0200, Andras.Horvath@cern.ch wrote:
>
> Note: authentication info has to be in username@REALM.DOMAIN format
> instead of just 'username' for krb5 to work. This prevents users from
> falling back to password authentication if they don't have a token (PAM
> will come back with 'username' only). :-/ Perhaps a default realm could
> be supplied somehow? I'm no gssapi expert :-/

Ahm, well, attached is a hack that, if logging in with a given username
fails, retries login with any '@REALM' parts stripped off. (The whole
patch only makes sense together with Nate's GSSAPI patch.)

This serves me right for Kerberos and should be backwards compatible
unless you use both 'bozouser' and 'bozouser@bozo.com' as usernames and
they're two different people.

Disclaimer: I'm not an experienced C programmer -- please feel free to
criticize and/or fix.

Andras

Content-Disposition: attachment; filename="conserver-8.1.16-krb5strip.patch"

diff --git a/conserver/group.c b/conserver/group.c index ea6bd76..86e87a0 100644 --- a/conserver/group.c +++ b/conserver/group.c
@@ -77,6 +77,11 @@ #include #endif +# if HAVE_GSSAPI +#include +#include +#endif + /* flags that a signal has occurred */ static sig_atomic_t fSawChldHUP = 0, fSawReUp = 0, fSawGoAway = 
@@ -519,10 +524,47 @@ ClientAccess(pCE, user) char *user; #endif { - if (ConsentUserOk(pCE->rw, user) == 1) - return 0; - if (ConsentUserOk(pCE->ro, user) == 1) - return 1; +#if HAVE_GSSAPI + /* this will be 'user@REALM' stripped of '@REALM', if any */ + char *shortname; +#endif + if (ConsentUserOk(pCE->rw, user) == 1) { + return 0; + } + if (ConsentUserOk(pCE->ro, user) == 1) { + return 1; + } +#if HAVE_GSSAPI + /* try the username without @REALM against the ACL + * this allows for falling back to PAM from kerberos5/gssapi + * as the latter uses 'user@REALM' and the former only 'user' + */ + CONDDEBUG((1, "Authenticating user %s",user )); + /* %m is defined in glibc 2.7 and onwards, and %a stops working there */ +#if defined GLIBC_2_7 + if (1==sscanf(user,"%m[^@]",&shortname)) { +#else + if (1==sscanf(user,"%a[^@]",&shortname)) { +#endif + CONDDEBUG((1, "Shortname computed from %s is %s", user, shortname)); + if (ConsentUserOk(pCE->rw, shortname) == 1) { + CONDDEBUG(("User %s logged in rw, using shortname %s",user,shortname)); + free(shortname); + return 0; + } + if (ConsentUserOk(pCE->ro, shortname) == 1) { + CONDDEBUG(("User %s logged in ro, using shortname %s",user,shortname)); + free(shortname); + return 1; + } + free(shortname); + } else if (errno != 0) { + Msg( "ClientAccess(): sscanf on %s failed, errno %d",user,errno ); + } else { + CONDDEBUG((1, "Sscanf on %s failed, no match for `@' for shortname",user )); + } +#endif + CONDDEBUG((1, "Login OK but permission denied for %s", user)); return -1; } --ZoaI/ZTpAVc4A5k6-- From andras.horvath@cern.ch Mon Sep 21 15:37:43 2009 Received: from cernmx20.cern.ch (cernmx20.cern.ch [137.138.166.184]) by underdog.stansell.org (8.14.3/8.14.3) with ESMTP id n8LFbaum017465 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=FAIL) for ; Mon, 21 Sep 2009 15:37:43 GMT Received: from pcitadc01.cern.ch (137.138.33.142) by cernmxlb.cern.ch (137.138.166.163) with Microsoft SMTP Server id 8.1.375.2; Mon, 21 Sep 2009 17:37:34 +0200 
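Review bot: The shortname retry in ClientAccess discards whatever follows '@' without looking at it, so a principal from any realm that reaches this point (user@OTHER.REALM) is matched against the ACL entry for plain 'user'. Compare the text after '@' with one configured or default realm and strip only on an exact match. In the same hunk, the two CONDDEBUG calls that log "User %s logged in rw/ro, using shortname %s" omit the leading level argument the other calls pass as 1; `#if defined GLIBC_2_7` tests a macro that nothing in this patch defines, so the "%a[^@]" branch is the one that gets compiled; errno is tested after sscanf() without having been set to 0 first; and because "[^@]" also matches a name containing no '@' at all, the "no match for `@'" debug message only fires for an empty name or one that starts with '@'.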
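For the '@REALM' stripping discussed in the Kerberos authentication thread, an added example (not code from either posted patch or from conserver) that contrasts a retry which drops any realm with one that drops only a single trusted realm. The ACL contents, the realm EXAMPLE.ORG, the 64-byte name limit and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME 64   /* assumed upper bound on a short user name */

/* Constructed ACL of short names, standing in for a console's rw/ro lists. */
static const char *const acl_users[] = { "bozouser", "alice" };

static int acl_allows(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof(acl_users) / sizeof(acl_users[0]); i++)
        if (strcmp(acl_users[i], name) == 0)
            return 1;
    return 0;
}

/* Copy the part of principal before the first '@' into out.
 * Returns 0 on success, -1 if that part is empty or does not fit. */
static int short_name(const char *principal, char *out, size_t outlen)
{
    size_t n = strcspn(principal, "@");
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, principal, n);
    out[n] = '\0';
    return 0;
}

/* Behaviour described in the thread: try the full name, then retry with
 * everything after '@' thrown away, whichever realm it names. */
int strip_any_realm_access(const char *principal)
{
    char name[MAX_NAME];
    if (acl_allows(principal))
        return 1;
    if (short_name(principal, name, sizeof(name)) != 0)
        return 0;
    return acl_allows(name);
}

/* Variant: retry with the short name only when the principal has exactly
 * one '@' and the realm after it equals trusted_realm (compared
 * case-sensitively, as Kerberos realm names are). */
int strip_trusted_realm_access(const char *principal, const char *trusted_realm)
{
    char name[MAX_NAME];
    const char *at;
    if (acl_allows(principal))
        return 1;
    at = strchr(principal, '@');
    if (at == NULL || strchr(at + 1, '@') != NULL)
        return 0;
    if (strcmp(at + 1, trusted_realm) != 0)
        return 0;
    if (short_name(principal, name, sizeof(name)) != 0)
        return 0;
    return acl_allows(name);
}

int main(void)
{
    /* Constructed principals: local name, trusted realm, foreign realm, empty name. */
    const char *samples[] = { "bozouser", "bozouser@EXAMPLE.ORG",
                              "bozouser@OTHER.EXAMPLE", "@EXAMPLE.ORG" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-24s any=%d trusted=%d\n", samples[i],
               strip_any_realm_access(samples[i]),
               strip_trusted_realm_access(samples[i], "EXAMPLE.ORG"));
    return 0;
}
```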
Date: Mon, 21 Sep 2009 17:37:34 +0200
Subject: 'console' exit status

Hi,

Shouldn't 'console' return with an exit status other than 0 if the
connection failed?

Andras

From bryan@stansell.org Tue Sep 22 06:31:06 2009
Date: Mon, 21 Sep 2009 23:31:06 -0700
From: Bryan Stansell
To: users@conserver.com
Subject: Re: 'console' exit status

It should, and it looks like it isn't. It exits non-zero if there's a
"hard" error (for lack of a better term - out of memory, ssl protocol
failure, etc), but for "soft" stuff like failing to authenticate, not
finding a console, etc it doesn't. It really should, though. I'll need
to work on that.

Bryan

On Mon, Sep 21, 2009 at 05:37:34PM +0200, Andras.Horvath@cern.ch wrote:
> Hi,
>
> Shouldn't 'console' return with an exit status other than 0 if the
> connection failed?
>
> Andras
> _______________________________________________
> users mailing list
> users@conserver.com
> https://www.conserver.com/mailman/listinfo/users

From ebiederm@aristanetworks.com Fri Sep 25 05:48:41 2009
Date: Thu, 24 Sep 2009 22:48:35 -0700
Subject: [PATCH] open conserver client connections in nonblocking mode
From: Eric Biederman
To: users@conserver.com

I recently tracked down a nasty conserver stall to the fact that
conserver opens connections to the console program and leaves the
socket in blocking mode, due to what looks like a silly typo.

The attached patch fixes that typo, and prevents the stall I was seeing
from happening.

Eric

Content-Disposition: attachment; filename="conserver-8.1.16-nonblocking.patch"
Content-Transfer-Encoding: base64

From bryan@stansell.org Tue Sep 29 15:37:59 2009
Date: Tue, 29 Sep 2009 08:37:59 -0700
From: Bryan Stansell
To: users@conserver.com, announce@conserver.com
Subject: conserver-8.1.17 is available

After an incredibly long delay, version 8.1.17 is finally out. Sorry
for both the length of time and any missing features I may have
promised an individual. These are the patches and fixes (mostly very
recent activity) that I could pull together.

If you have a patch that I've overlooked, please send it to me again.
There are one or two features I haven't implemented that I've been
thinking about, but for consistency, I'd love to have an email
reinforcing the desire for any missing features as well.

The bottom line is that over the last year or so, my tracking of these
things has fallen apart (for personal reasons). But things are getting
back on track now and I need a little help knowing what's still
important to folks. Thanks!
version 8.1.17 (Sep 29, 2009):
    - fix for interface detection when HAVE_SA_LEN is defined - first
      detected on NetBSD 5.0 and patched by Chris Ross
    - first person to connect to a console wanting read/write now gets
      it once the active user drops read/write - suggested by Thomas
      Gardner
    - fix typo when setting nonblocking socket for client connections,
      fixing stall issues - patch by Eric Biederman
    - GSS-API patch (--with-gssapi) to help with Kerberos tokens - patch
      by Nate Straz
    - authenticate username without @REALM when using GSS-API
      (--with-striprealm) - based on patch by Andras Horvath
    - various contrib/redhat-rpm fixes - patch by Fabien Wernli
    - fix handling of read(stdin) returning -1 in console client - patch
      by Ed Swierk

Bryan Stansell

From erichey@hq.speakeasy.net Tue Sep 29 18:11:16 2009
Date: Tue, 29 Sep 2009 11:10:42 -0700
From: Eric Heydrick
Subject: 8.1.17 spec file issue

The spec file included with conserver 8.1.17 references a defaults file
that's supposed to be in contrib/redhat-rpm/conserver.defaults but that
file is missing so the build fails.

-Eric

From fabien@faxm0dem.org Tue Sep 29 20:18:04 2009
Date: Tue, 29 Sep 2009 22:17:53 +0200
From: Fabien Wernli
To: users@conserver.com
Subject: Re: 8.1.17 spec file issue
Organization: CC-IN2P3 (CNRS)

Hi,

On Tue, Sep 29, 2009 at 11:10:42AM -0700, Eric Heydrick wrote:
> The spec file included with conserver 8.1.17 references a defaults file
> that's supposed to be in contrib/redhat-rpm/conserver.defaults but that
> file is missing so the build fails.

I am responsible for the inclusion of that file.
Either I forgot to include it into my patch, or Bryan did :)

I'll check tomorrow on my side

Sorry for the inconvenience

From bryan@stansell.org Tue Sep 29 20:26:53 2009
Date: Tue, 29 Sep 2009 13:26:53 -0700
From: Bryan Stansell
To: users@conserver.com
Subject: Re: 8.1.17 spec file issue

Ahh! Sorry about that. It was me...I forgot to update my packaging
script. I'll get this fixed and out soon.

Bryan

On Tue, Sep 29, 2009 at 10:17:53PM +0200, Fabien Wernli wrote:
> Hi,
>
> On Tue, Sep 29, 2009 at 11:10:42AM -0700, Eric Heydrick wrote:
> > The spec file included with conserver 8.1.17 references a defaults file
> > that's supposed to be in contrib/redhat-rpm/conserver.defaults but that
> > file is missing so the build fails.
>
> I am responsible for the inclusion of that file.
> Either I forgot to include it into my patch, or Bryan did :)
>
> I'll check tomorrow on my side
>
> Sorry for the inconvenience
>
> _______________________________________________
> users mailing list
> users@conserver.com
> https://www.conserver.com/mailman/listinfo/users

From bryan@stansell.org Tue Sep 29 23:01:25 2009
Date: Tue, 29 Sep 2009 16:01:25 -0700
From: Bryan Stansell
To: announce@conserver.com, users@conserver.com
Subject: Re: 8.1.17 spec file issue

Since I've only seen a handful of hits grabbing version 8.1.17, I've
gone ahead and just added the missing file to the tarball. For anyone
that snagged a copy and needs to build using the contributed redhat rpm
files, please get another copy (the new file size is 322906 bytes, for
reference).

Sorry about all that. :-(

Bryan

On Tue, Sep 29, 2009 at 01:26:53PM -0700, Bryan Stansell wrote:
> Ahh! Sorry about that. It was me...I forgot to update my packaging
> script. I'll get this fixed and out soon.
>
> Bryan
>
> On Tue, Sep 29, 2009 at 10:17:53PM +0200, Fabien Wernli wrote:
> > Hi,
> >
> > On Tue, Sep 29, 2009 at 11:10:42AM -0700, Eric Heydrick wrote:
> > > The spec file included with conserver 8.1.17 references a defaults file
> > > that's supposed to be in contrib/redhat-rpm/conserver.defaults but that
> > > file is missing so the build fails.
> >
> > I am responsible for the inclusion of that file.
> > Either I forgot to include it into my patch, or Bryan did :)
> >
> > I'll check tomorrow on my side
> >
> > Sorry for the inconvenience
> >
> > _______________________________________________
> > users mailing list
> > users@conserver.com
> > https://www.conserver.com/mailman/listinfo/users
> _______________________________________________
> users mailing list
> users@conserver.com
> https://www.conserver.com/mailman/listinfo/users

From benbatten@gmail.com Wed Sep 30 12:10:47 2009
Date: Wed, 30 Sep 2009 08:10:39 -0400
Subject: Script Exit/Reinitialization
From: Ben Batten
To: users@conserver.com

All--

Apologies in advance if these have been asked-and-answered but with
Googling and experimenting I haven't been able to find a configuration
yet ... has anyone done either of the following:

- pass or embed a console-exit -- "^Ec." -- through a forced ssh
command. Ie., running a forced script (menu) and an option is to exit
and thereby close the console. Like an expect line or something
similar?

- or is there a way to simply disable the reinitialization or limit it
to a single ondemand initialization?

Thanks!

Ben--

From wernli@in2p3.fr Wed Sep 30 13:40:09 2009
Date: Wed, 30 Sep 2009 15:40:00 +0200
From: Fabien Wernli
To: users@conserver.com
Subject: Re: Script Exit/Reinitialization
Organization: CC-IN2P3 (CNRS)

Hi,

On Wed, Sep 30, 2009 at 08:10:39AM -0400, Ben Batten wrote:
> - pass or embed a console-exit -- "^Ec." -- through a forced ssh
> command. Ie., running a forced script (menu) and an option is to exit
> and thereby close the console. Like an expect line or something
> similar?

not sure what you mean by "forced script (menu)", but for what it's worth
I've got two very simple expect scripts to up and down a console

> - or is there a way to simply disable the reinitialization or limit it
> to a single ondemand initialization?
sure is - check out the conserver.cf manpage

From benbatten@gmail.com Wed Sep 30 14:24:28 2009
Date: Wed, 30 Sep 2009 10:24:17 -0400
Subject: Re: Script Exit/Reinitialization
From: Ben Batten
To: users@conserver.com

> Hi,
>
>
>> - pass or embed a console-exit -- "^Ec." -- through a forced ssh
>> command. Ie., running a forced script (menu) and an option is to exit
>> and thereby close the console. Like an expect line or something
>> similar?
>
> not sure what you mean by "forced script (menu)", but for what it's worth
> I've got two very simple expect scripts to up and down a console

Forced commands are a feature of SSH, you can force a user to only run
a script or program at login. One can force a user to only run a
script/command or do other things and exit from the system when done.

>
>> - or is there a way to simply disable the reinitialization or limit it
>> to a single ondemand initialization?
>
>> sure is - check out the conserver.cf manpage

I've been up and down the manpage and I see some things that control
the initialization but nothing jumps out at me other than "autoreinit"
... I tried "!autoreinit" and that didn't work. I see the spin
configuration options, is that what you're talking about? It's not
clear to me how to configure it. I'll experiment but if anyone has any
tips or pointers for configuring those that would be great.

Again, thanks!
From andras.horvath@cern.ch Wed Sep 30 14:32:51 2009
Date: Wed, 30 Sep 2009 16:32:41 +0200
Subject: Re: Script Exit/Reinitialization

On Wed, Sep 30, 2009 at 04:24:17PM +0200, Ben Batten wrote:
> ... I tried "!autoreinit" and that didn't work. I see the spin

I use

default * {
        options reinitoncc,!autoreinit;
}

and it works for me.

Andras