Luke S Crawford email@example.com
Fri, 10 Dec 2010 19:02:56 GMT
Bryan Stansell <firstname.lastname@example.org> writes:

> There's also a "limited" access type for restricting what users can do,
> which might help. It was added for a setup where a user logs into the
> conserver host and their shell is a script that invokes console with the
> appropriate console name. That could be a program that lets them choose
> their console too, if there are multiple.

That sounds like part of what I need.

In the past I just used a FreeBSD box with the proper 'cu' command line in the 'forced command' field of the authorized_keys file. My xen hosts do something similar, only it goes to a script that allows you to reboot your xen server or see the console. The problem is that this requires (very limited) ssh access to the dom0 from the public 'net, which is something I'd rather avoid.

As xen provides me with a pty for each guest, I could probably make conserver also handle my xen guests, with a central conserver connecting to slave conservers on each dom0 (or alternately having a guest running conserver on each dom0 that connects to the dom0 conserver over a private network).

My worry, of course, with centralizing my console server is that I'll be creating a single server that, if compromised, will give an attacker a toehold on all my customers' boxes.

One thought I had was to separate out the systems used for the serial console and for the rebooter onto different systems (authenticated with public key, of course, so the user can use the same token to authenticate both places, but also so that if the attacker compromises one system s/he can't use that as a toehold to compromise the other). My thought is that if magicsysrq is disabled, even if someone compromises my console system, they can only break into the systems with weak passwords (or people who log in) - the idea being that if I notice the compromise quickly, I may only have a few customers compromised.
If the rebooter system is compromised and not the console system, the attacker can reboot stuff or even turn everyone off, but without also having access to the console system, this wouldn't allow them to compromise data.
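The forced-command pattern Luke describes (a key in authorized_keys whose command= field points at a wrapper, with the console and reboot roles on separate hosts) looks roughly like the script below. This is an added example, not code from the original post or from conserver; the wrapper name xen-fc, the key line shown in the comment, and the use of the conserver client `console -M` and of `xm reboot`/`xm shutdown` as the actions are all assumptions made for illustration.

```shell
#!/bin/sh
# xen-fc: forced-command wrapper for the authorized_keys pattern discussed
# above (added example, not conserver's code). Assumed key line on a host:
#   command="/usr/local/bin/xen-fc console guest42",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... customer@example
# On the rebooter host the same key would instead carry "xen-fc rebooter guest42".
# Role and guest come from the key line, never from the client; what the client
# typed arrives in SSH_ORIGINAL_COMMAND and is matched against a fixed allowlist,
# so a console host can never issue a reboot and a rebooter can never open a console.

# fc_plan ROLE GUEST REQUEST: print the command line this host would run,
# or print nothing and return 1 if the request is not permitted.
fc_plan() {
    role=$1
    guest=$2
    req=$3
    # Guest names are plain tokens; anything else (spaces, ';', '$', '/') is
    # rejected so the name can be interpolated into a command line safely.
    case $guest in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    case "$role:$req" in
        # console host: only the conserver client, attached to this guest's console
        console:console)   echo "console -M localhost $guest" ;;
        # rebooter host: power actions only, no path to the console
        rebooter:reboot)   echo "xm reboot $guest" ;;
        rebooter:shutdown) echo "xm shutdown $guest" ;;
        # everything else, including a request for the other host's role
        *)                 return 1 ;;
    esac
}

# Entry point when sshd runs the forced command: ROLE and GUEST are the two
# arguments from authorized_keys, the request is whatever the client asked for.
if [ "$#" -eq 2 ] && [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    plan=$(fc_plan "$1" "$2" "$SSH_ORIGINAL_COMMAND") || {
        echo "not permitted: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
    }
    # exec replaces the wrapper so the client gets the console or the reboot
    # and nothing else; no shell is ever handed to the remote user.
    exec $plan
fi
```

A customer would then run `ssh console-host console` or `ssh rebooter-host reboot` with the same key; the host, not the client, decides which actions exist. Note that the console role must not carry no-pty in the key line, since the interactive console needs one, whereas the rebooter key can.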