
Re: On the wisdom of using conserver in a multi-tenant environment

Luke S Crawford lsc@prgmr.com
Fri, 10 Dec 2010 19:02:56 GMT


Bryan Stansell <bryan@conserver.com> writes:

> There's also a "limited" access type for restricting what users can do, which might help. It was added for a setup where a user logs into the conserver host and their shell is a script that invokes console with the appropriate console name. That could be a program that lets them choose their console too, if there are multiple.

That sounds like part of what I need.  In the past I just used a
FreeBSD box with the proper 'cu' command line in the 'forced command'
field of the authorized_keys file.  My Xen hosts do something similar,
only it goes to a script that allows you to reboot your Xen server or
see the console.  The problem is that this requires (very limited)
ssh access to the dom0 from the public 'net, which is something I'd rather
avoid.

As Xen provides me with a pty for each guest, I could probably
make conserver also handle my Xen guests, with a central conserver connecting
to slave conservers on each dom0 (or alternately having a guest running
conserver on each dom0 that connects to the dom0 conserver over a private
network).

My worry, of course, with centralizing my console server is that I'll
be creating a single server that, if compromised, will give an attacker
a toehold on all my customers' boxes.

One thought I had was to separate out the systems used for the
serial console and for the rebooter onto different systems
(authenticated with public key, of course, so the user can use
the same token to authenticate both places, but also so that
if the attacker compromises one system s/he can't use that as a
toehold to compromise the other).

My thought is that if magicsysrq is disabled, even if someone
compromises my console system, they can only break into the systems
with weak passwords (or people who log in), the idea being that
if I notice the compromise quickly, I may only have a few customers
compromised.  If the rebooter system is compromised and not the
console system, the attacker can reboot stuff or even turn
everyone off, but without also having access to the console system,
this wouldn't allow them to compromise data.
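The forced-command arrangement Luke describes, as an added example that is not part of the thread and not conserver's own code: a wrapper named in the `command="..."` field of authorized_keys that binds each key to one console name, accepts only an attach request, and refuses everything else (a reboot verb is deliberately not served here, matching the idea of keeping the console host and the rebooter host separate). The install path `/usr/local/sbin/console-gate`, the console name `cust42`, the use of `console -M localhost` to reach a local conserver master, and the `logger` tag are assumptions for the illustration.

```shell
#!/bin/sh
# console-gate: forced-command wrapper for a console-only ssh host.
# Added example, not from the mailing-list thread. Assumed authorized_keys
# line (hypothetical path, key and console name):
#
#   command="/usr/local/sbin/console-gate cust42",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... cust42
#
# The console name comes from the key line, never from what the client
# typed; SSH_ORIGINAL_COMMAND is only consulted for a small verb set.

# valid_name <name>: console names are lowercase alphanumerics, '-' or '_'.
# Anything else (empty, spaces, shell metacharacters) is rejected.
valid_name() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# decide <console-from-key> <ssh-original-command>
# Prints the single command this key is allowed to run and returns 0,
# or prints nothing and returns 1 to refuse the session.
decide() {
    console="$1"
    request="${2:-console}"   # no command at all means "attach to my console"
    valid_name "$console" || return 1
    case "$request" in
        # attach to this key's console via the local conserver master
        console) printf 'console -M localhost %s\n' "$console" ;;
        # 'reboot' (or anything else) is not served by the console host;
        # the rebooter lives on a separate machine with its own key check
        *) return 1 ;;
    esac
}

main() {
    [ $# -eq 1 ] || { echo "usage: console-gate <console>" >&2; exit 2; }
    if cmd=$(decide "$1" "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -t console-gate "allow console=$1 cmd=$cmd"
        exec $cmd
    else
        logger -t console-gate "refuse console=$1 request=${SSH_ORIGINAL_COMMAND:-}"
        echo "refused" >&2
        exit 1
    fi
}

# Only dispatch when installed under the wrapper's name, so the functions
# can also be sourced for checking.
case "$0" in
    */console-gate|console-gate) main "$@" ;;
esac
```

Because the console name is fixed in the key line and the verb set is closed, a compromised customer key on this host yields exactly one console attach and nothing more; the syslog lines give the operator a record of both served and refused requests.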