From tls@coyotepoint.com Mon Nov 1 22:19:34 2010
From: Thor Simon
To: users@conserver.com
Date: Mon, 1 Nov 2010 18:19:28 -0400
Subject: SSL: how to tell client what certificate to expect?
Message-ID: <20101101221928.GA3261@coyotepoint.com>

I don't quite understand Conserver's SSL support. What is the purpose
of specifying a certificate for a client, if the server cannot use it to
identify a particular user?

How do I tell the client what certificate to expect (or what CA to expect
to have signed it) for the server? If there's no way to do that, then
there is no real protection from using SSL, since it is trivial to conduct
a man-in-the-middle attack using any certificate that one happens to have
handy...

-- 
Thor Lancelot Simon
Coyote Point Systems, Inc.
Millerton, NY, USA

From bryan@stansell.org Mon Nov 1 23:41:27 2010
From: Bryan Stansell
To: users@conserver.com
Date: Mon, 1 Nov 2010 23:41:26 +0000
Subject: Re: SSL: how to tell client what certificate to expect?
Message-ID: <20101101234126.GA12946@underdog.stansell.org>
In-Reply-To: <20101101221928.GA3261@coyotepoint.com>

On Mon, Nov 01, 2010 at 06:19:28PM -0400, Thor Simon wrote:
> I don't quite understand Conserver's SSL support. What is the purpose
> of specifying a certificate for a client, if the server cannot use it to
> identify a particular user?

Well, if you provide the certificate, it needs to succeed its
authenticity check. If you don't provide one at all, it falls back to
an anonymous cipher (so, it's encrypted, but not authenticated and
subject to man-in-the-middle).

> How do I tell the client what certificate to expect (or what CA to expect
> to have signed it) for the server? If there's no way to do that, then
> there is no real protection from using SSL, since it is trivial to conduct
> a man-in-the-middle attack using any certificate that one happens to have
> handy...

There's no hook for specifying a different CA or CA repository. It uses
whatever openssl was built with...and if you have the CA in your global
repository, it should succeed and be fine. If you don't it should fail
with a validation error.

So, to "summarize":

- No certificates on client or server
  - anonymous ciphers are used and you get encryption without authentication
- Server-side certificate only
  - client must validate certificate with global openssl CA store
  - server doesn't require or receive a client certificate, and is fine with that
- Client-side certificate only
  - server must validate certificate with global openssl CA store
  - client doesn't require or receive a server certificate, and is fine with that
- Server-side and client-side certificate
  - client must validate certificate with global openssl CA store
  - server must validate certificate with global openssl CA store

Adding a hook to require the client certificate is the potentially
missing piece - so you can force clients to provide a certificate.
Adding a hook to override the CA store would possibly be useful as well.

I *think* if you modify conserver/main.c and replace "SSL_VERIFY_PEER"
with "SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT" you get the client
certificate enforcement. It needs to be tested and a configuration hook
provided if so. But perhaps it's enough for you to get the config you'd
like right now.

Bryan

From tls@coyotepoint.com Tue Nov 2 01:25:48 2010
From: Thor Simon
To: Bryan Stansell
Cc: users@conserver.com
Date: Mon, 1 Nov 2010 21:25:41 -0400
Subject: Re: SSL: how to tell client what certificate to expect?
Message-ID: <20101102012541.GA3567@coyotepoint.com>
In-Reply-To: <20101101234126.GA12946@underdog.stansell.org>

On Mon, Nov 01, 2010 at 11:41:26PM +0000, Bryan Stansell wrote:
>
> Well, if you provide the certificate, it needs to succeed its
> authenticity check. If you don't provide one at all, it falls back to
> an anonymous cipher (so, it's encrypted, but not authenticated and
> subject to man-in-the-middle).

But anyone can man-in-the-middle the client by pretending to be a server
with no certificate, no?

Thor

From bryan@stansell.org Tue Nov 2 02:41:40 2010
From: Bryan Stansell
To: users@conserver.com
Date: Tue, 2 Nov 2010 02:41:40 +0000
Subject: Re: SSL: how to tell client what certificate to expect?
Message-ID: <20101102024140.GA17286@underdog.stansell.org>
In-Reply-To: <20101102012541.GA3567@coyotepoint.com>

On Mon, Nov 01, 2010 at 09:25:41PM -0400, Thor Simon wrote:
> On Mon, Nov 01, 2010 at 11:41:26PM +0000, Bryan Stansell wrote:
> >
> > Well, if you provide the certificate, it needs to succeed its
> > authenticity check. If you don't provide one at all, it falls back to
> > an anonymous cipher (so, it's encrypted, but not authenticated and
> > subject to man-in-the-middle).
>
> But anyone can man-in-the-middle the client by pretending to be a server
> with no certificate, no?
>
> Thor

Isn't that what I said? ;-)

But, taking that a step further, my summary before was off. In the case
where the client has a certificate and the server doesn't, it's really:

- Client-side certificate only
  - server fails SSL handshake - *this just won't work*

The reason? We disable anonymous ciphers if we load a certificate. I
haven't looked into the exact reasons (dunno the low-level details of the
SSL protocol - at least not as much as before) but a test showed it fails
the handshake. Now, if the server ignores this issue, perhaps it can fake
it out. I assume the client side would fail handshake as well if the
server didn't provide a cert (since it won't accept anonymous ciphers).
Maybe someone out there knows the protocol. Otherwise, it'll require some
testing - but this is my best guess right now.

So, I *think* it's safe to say you're talking to the right server as long
as you have a certificate loaded and the proper CA repository on the
client. I do agree that more hooks to force this would be nice (like, you
*must* validate with this CA or whatever).

Bryan

From wernli@in2p3.fr Tue Nov 2 09:29:18 2010
From: Fabien Wernli
To: users@conserver.com
Date: Tue, 2 Nov 2010 10:29:08 +0100
Subject: Re: [PATCH] Power control
Message-ID: <20101102092908.GD19794@ccswiss.in2p3.fr>
In-Reply-To: <20101029134359.GU4570@kennedy.acc.umu.se>

Hi,

On Fri, Oct 29, 2010 at 03:44:00PM +0200, Anton Lundin wrote:
> About 1-2 years ago I found a nice looking patch[1] for power control via
> conserver on this maillist.

Interesting patch. IMHO, it would be more useful to allow for generic commands.
Your need may be power control. Someone else's may be e.g. "output event
log" etc.

From bpeck@redhat.com Tue Nov 2 13:44:35 2010
From: Bill Peck
To: users@conserver.com
Date: Tue, 02 Nov 2010 09:44:28 -0400
Subject: Re: [PATCH] Power control
Message-ID: <4CD015BC.2070807@redhat.com>
In-Reply-To: <20101102092908.GD19794@ccswiss.in2p3.fr>

On 11/02/2010 05:29 AM, Fabien Wernli wrote:
> Hi,
>
> On Fri, Oct 29, 2010 at 03:44:00PM +0200, Anton Lundin wrote:
>> About 1-2 years ago I found a nice looking patch[1] for power control via
>> conserver on this maillist.
>
> Interesting patch. IMHO, it would be more useful to allow for generic commands.
> Your need may be power control. Someone else's may be e.g. "output event
> log" etc.

It does allow for generic commands. Maybe the labelling of the options
should come from the config file? If you really want this then how
about a patch? ;-)

From tls@coyotepoint.com Tue Nov 2 15:12:41 2010
From: Thor Simon
To: Bryan Stansell
Cc: users@conserver.com
Date: Tue, 2 Nov 2010 11:12:33 -0400
Subject: Re: SSL: how to tell client what certificate to expect?
Message-ID: <20101102151233.GA4361@coyotepoint.com>
In-Reply-To: <20101102024140.GA17286@underdog.stansell.org>

On Tue, Nov 02, 2010 at 02:41:40AM +0000, Bryan Stansell wrote:
> On Mon, Nov 01, 2010 at 09:25:41PM -0400, Thor Simon wrote:
> > On Mon, Nov 01, 2010 at 11:41:26PM +0000, Bryan Stansell wrote:
> > >
> > > Well, if you provide the certificate, it needs to succeed its
> > > authenticity check. If you don't provide one at all, it falls back to
> > > an anonymous cipher (so, it's encrypted, but not authenticated and
> > > subject to man-in-the-middle).
> >
> > But anyone can man-in-the-middle the client by pretending to be a server
> > with no certificate, no?
>
> Isn't that what I said? ;-)

Well, not exactly. I can provide a certificate on the server side and
still be subject to a man-in-the-middle attack by an adversary who has no
certificate at all! That's not how I read what you wrote before, at least.

Thor
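The verify modes Bryan's summary and Thor's objection turn on (anonymous fallback, SSL_VERIFY_PEER alone, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT) are the same OpenSSL settings Python's ssl module exposes, so here is an added example, not conserver's code and not from anyone in the thread, that builds contexts which cannot negotiate an anonymous suite and audits a context for the failure mode Thor describes. The cafile/certfile/keyfile parameters are hypothetical names chosen here; a CA override stands in for the "different CA repository" hook Bryan says conserver lacks.

```python
import ssl
from typing import List, Optional

# Bryan's summary expressed as the OpenSSL verify mode a context is in.
# Python's ssl.CERT_OPTIONAL corresponds to SSL_VERIFY_PEER on its own and
# ssl.CERT_REQUIRED to SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
VERIFY_LABELS = {
    ssl.CERT_NONE: "no peer verification (SSL_VERIFY_NONE)",
    ssl.CERT_OPTIONAL: "peer cert verified only if presented (SSL_VERIFY_PEER)",
    ssl.CERT_REQUIRED: "peer cert required and verified "
                       "(SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)",
}

# Cipher list that excludes the anonymous (aNULL) and null-encryption (eNULL)
# suites, so a handshake cannot "fall back" to encryption without authentication.
NO_ANON_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4"


def anonymous_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of the suites ctx would still offer that authenticate nobody.

    get_ciphers() reports OpenSSL's per-suite auth attribute; aNULL suites
    show up as 'auth-none' (and 'Au=None' in the description).  An empty
    list means the no-certificate man-in-the-middle from this thread has
    nothing to negotiate against this context.
    """
    return [c["name"] for c in ctx.get_ciphers()
            if c.get("auth") == "auth-none" or "Au=None" in c.get("description", "")]


def build_context(side: str,
                  cafile: Optional[str] = None,
                  certfile: Optional[str] = None,
                  keyfile: Optional[str] = None,
                  require_peer_cert: bool = True) -> ssl.SSLContext:
    """Client or server context with the two hooks Bryan describes as missing.

    cafile   (hypothetical) overrides the global OpenSSL CA store; without it
             the global store is used, as conserver does.
    certfile (hypothetical) is this side's own certificate, keyfile its key.
    require_peer_cert is the SSL_VERIFY_FAIL_IF_NO_PEER_CERT behaviour on the
    server side: refuse clients that present no certificate.  Clients always
    require a server certificate here, which is what closes Thor's gap.
    """
    if side == "client":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = True      # server cert must name the host we dialled
        purpose = ssl.Purpose.SERVER_AUTH
    elif side == "server":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        purpose = ssl.Purpose.CLIENT_AUTH
    else:
        raise ValueError("side must be 'client' or 'server'")

    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(NO_ANON_CIPHERS)   # TLS 1.3 suites are all authenticated already

    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)   # trust only this CA
    else:
        ctx.load_default_certs(purpose)            # the global OpenSSL store

    if certfile is not None:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)

    if side == "client" or require_peer_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        ctx.verify_mode = ssl.CERT_OPTIONAL
    return ctx


def audit(ctx: ssl.SSLContext) -> str:
    """One-line verdict on a context, in the terms of Bryan's summary."""
    anon = anonymous_ciphers(ctx)
    if anon:
        return "anonymous suites offered (%s): encryption without authentication" % ", ".join(anon)
    return VERIFY_LABELS[ctx.verify_mode]
```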
From glance@acc.umu.se Tue Nov 2 15:44:06 2010
From: Anton Lundin
To: users@conserver.com
Date: Tue, 2 Nov 2010 16:43:57 +0100
Subject: Re: [PATCH] Power control
Message-ID: <20101102154357.GT4570@kennedy.acc.umu.se>
In-Reply-To: <4CD015BC.2070807@redhat.com>

On 02 November, 2010 - Bill Peck wrote:
> On 11/02/2010 05:29 AM, Fabien Wernli wrote:
>> Hi,
>>
>> On Fri, Oct 29, 2010 at 03:44:00PM +0200, Anton Lundin wrote:
>>> About 1-2 years ago I found a nice looking patch[1] for power control via
>>> conserver on this maillist.
>>
>> Interesting patch. IMHO, it would be more useful to allow for generic commands.
>> Your need may be power control. Someone else's may be e.g. "output event
>> log" etc.
>
> It does allow for generic commands. Maybe the labelling of the options
> should come from the config file? If you really want this then how
> about a patch? ;-)

It's a trivial rewrite of the patch to call them something else, so if
that would get the code upstream I could do it.

//Anton

-- 
Anton Lundin +46702-161604

From bruce.edge@gmail.com Tue Nov 2 16:04:25 2010
From: Bruce Edge
To: Anton Lundin
Cc: users@conserver.com
Date: Tue, 2 Nov 2010 09:04:15 -0700
Subject: Re: [PATCH] Power control
In-Reply-To: <20101029134359.GU4570@kennedy.acc.umu.se>

On Fri, Oct 29, 2010 at 6:44 AM, Anton Lundin wrote:
> Hi.
>
> About 1-2 years ago I found a nice looking patch[1] for power control via
> conserver on this maillist.
>
> I have done some cleanup work and some fixes to get it more usable, and
> it's currently working pretty nice.
>
> I would love to get this functionality included in mainline.
>
> The patch is available on:
>
> http://www.acc.umu.se/~glance/conserver/conserver-8.1.17-power-control.patch
>
> And some examples on how we are using the power control stuff is
> available at http://www.acc.umu.se/~glance/conserver/conserver.cf

Direct IPMI / iLO support in conserver would be a huge plus. About half
of my consoles now are iLO VSPs glued together with expect scripts.

iLO3 is a PITA to get working with conserver as it is now.

-Bruce

> //Anton
>
> 1. https://www.conserver.com/pipermail/users/2007-June/msg00018.html
>
> --
> Anton Lundin +46702-161604
From Andras.Horvath@cern.ch Tue Nov 2 16:39:48 2010
From: Andras HORVATH
Date: Tue, 2 Nov 2010 17:39:39 +0100
Subject: Re: [PATCH] Power control
Message-ID: <4CD03ECB.9010503@cern.ch>

> Direct IPMI / iLO support in conserver would be a huge plus. About half
> of my consoles now are iLO VSPs glued together with expect scripts.

I'm using IPMI with conserver via a wrapper script that hides the
passwords (because users can apparently dump conserver.cf :) and
incorporates a few Black Magic Workaround Tricks (tm) to get the IPMI
connection working. Here's a patch vs. 8.1.17, including the
'conserver-exec' script and its config file, plus some packaging changes
to better fit the RedHat+kerberos5 environment over here. (The same
script can also run telnet or, with a little modification, anything
else, but we don't have iLO so no support for that at the moment.)

https://cern.ch/ahorvath/rpms/conserver/8.1.17/cern.6/conserver-8.1.17-cern.6.diff

Since we're also using IPMI for remote power control of nodes it would
be cool to see that integrated into conserver. (But we also have some
remote-controlled power bars, and other things, so a generic executable
hook would be best.)

Andras

ps. I'm actually writing up what we're doing and how and, if you guys
are interested, I can post the link once done.

-- 
Andras HORVATH
Systems engineer, CERN CF FPP
Tel: +41 22 767 4290 // Fax: +41 22 766 9154

From glance@acc.umu.se Wed Nov 3 16:19:20 2010
From: Anton Lundin
To: users@conserver.com
Date: Wed, 3 Nov 2010 17:19:11 +0100
Subject: [PATCH] Auth with SO_PEERCRED over AF_UNIX
Message-ID: <20101103161910.GN4570@kennedy.acc.umu.se>

Hi!

This patch uses SO_PEERCRED to authenticate users over AF_UNIX when the
access is set to allowed.

http://www.acc.umu.se/~glance/conserver/conserver-8.1.17-so-peercreed.patch

The only questionable thing this patch does is that it allows root to
impersonate any other user. This is mainly for us to get a sane username
in the who output and in the logfiles, so we can see who did what and
not just that root did it.

The line numbers in the patch are for applying it after the
power-control patch, but it's trivial to make it apply without it.

//Anton

-- 
Anton Lundin +46702-161604
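The mechanism Anton's patch relies on, reading the peer's kernel-recorded credentials from an AF_UNIX socket and deciding which username to log, is shown here as an added example in Python (Linux only); it is not the patch's code, and the root-impersonation rule is a reconstruction of his description, kept behind a flag so the strict behaviour is the default. The PeerCred, authenticate and demo names are chosen here; the socketpair in demo() is a constructed stand-in for a real client connection.

```python
import os
import pwd
import socket
import struct
from typing import NamedTuple, Optional

# struct ucred { pid_t pid; uid_t uid; gid_t gid; } on Linux: three native ints.
UCRED_FORMAT = "3i"


class PeerCred(NamedTuple):
    pid: int
    uid: int
    gid: int


def peer_credentials(conn: socket.socket) -> PeerCred:
    """Ask the kernel who is on the other end of an AF_UNIX socket.

    Unlike a username sent inside the protocol, SO_PEERCRED cannot be chosen
    by the client: the kernel records the peer's pid/uid/gid when the
    connection (or socketpair) is created.
    """
    if conn.family != socket.AF_UNIX:
        raise ValueError("SO_PEERCRED is only meaningful on AF_UNIX sockets")
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED_FORMAT))
    return PeerCred(*struct.unpack(UCRED_FORMAT, raw))


def name_for_uid(uid: int) -> str:
    """passwd name for a uid, or a numeric placeholder if it has no entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return "uid%d" % uid


def current_user() -> str:
    return name_for_uid(os.getuid())


def authenticate(peer: PeerCred, claimed: Optional[str],
                 allow_root_impersonation: bool = False) -> str:
    """Return the username to record for this connection or raise PermissionError.

    The identity is the kernel-reported uid, not the name the client sends.
    A client may only name itself.  The one exception, enabled by
    allow_root_impersonation (a reconstruction of Anton's patch, not its
    code), is a peer uid of 0, which may claim any existing account so that
    logs show who did what rather than just "root".
    """
    kernel_name = name_for_uid(peer.uid)

    if claimed is None or claimed == kernel_name:
        return kernel_name

    if allow_root_impersonation and peer.uid == 0:
        try:
            pwd.getpwnam(claimed)           # only real accounts may be impersonated
        except KeyError:
            raise PermissionError("root asked to impersonate unknown user %r" % claimed)
        return claimed

    raise PermissionError("peer uid %d (%s) may not act as %r"
                          % (peer.uid, kernel_name, claimed))


def demo() -> PeerCred:
    """Constructed check: the peer of a socketpair is this very process."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return peer_credentials(b)
    finally:
        a.close()
        b.close()


def demo_matches_self() -> bool:
    cred = demo()
    return cred.uid == os.getuid() and cred.pid == os.getpid()
```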
From bryan@conserver.com Wed Nov 3 21:43:54 2010
From: Bryan Stansell
To: users@conserver.com
Date: Wed, 3 Nov 2010 14:43:46 -0700
Subject: Re: [PATCH] Power control
In-Reply-To: <20101102154357.GT4570@kennedy.acc.umu.se>

I've been looking at the patch, and I do want to integrate it in. It's
going to take a little work, however. The current implementation can
block the conserver process if the exec'ed script fails to behave nicely
(and no matter the whole process will stop, waiting for it to complete).
That really needs to be adjusted so it won't block...and can still
service other consoles intermixed with the one running the command. And
an ability to stop it, in case it does go bad.

And I'm all for making it more generic as well...perhaps by making the
'k' command programmable - in the sense that you can associate a command
with any character ([a-z0-9]) after 'k' and give it a label so you know
what the command is supposed to do.

So, 'k' for 'k'ommand...or perhaps even '!' to invoke a command? Harder
to type, but consistent with vi, for example.

Any feedback appreciated...

Bryan

On Nov 2, 2010, at 8:43 AM, Anton Lundin wrote:
> On 02 November, 2010 - Bill Peck wrote:
>
>> On 11/02/2010 05:29 AM, Fabien Wernli wrote:
>>> Hi,
>>>
>>> On Fri, Oct 29, 2010 at 03:44:00PM +0200, Anton Lundin wrote:
>>>> About 1-2 years ago I found a nice looking patch[1] for power control via
>>>> conserver on this maillist.
>>>
>>> Interesting patch. IMHO, it would be more useful to allow for generic commands.
>>> Your need may be power control. Someone else's may be e.g. "output event
>>> log" etc.
>>
>> It does allow for generic commands. Maybe the labelling of the options
>> should come from the config file? If you really want this then how
>> about a patch? ;-)
>
> It's a trivial rewrite of the patch to call them something else, so if
> that would get the code upstream I could do it.
>
> //Anton
>
> --
> Anton Lundin +46702-161604

From cfowler@outpostsentinel.com Wed Nov 3 22:57:35 2010
From: Chris Fowler
To: Bryan Stansell
Cc: users@conserver.com
Date: Wed, 03 Nov 2010 18:57:19 -0400
Subject: Re: [PATCH] Power control
Message-ID: <1288825039.1988.740.camel@cfowler-desktop>

On Wed, 2010-11-03 at 14:43 -0700, Bryan Stansell wrote:
>
> Any feedback appreciated...

I did this back in 7.2.7 for our application. I wrote a program that
would manage the power strips. It supported different scripts using the
chat library to control them. I then wrote an API that used IPC to
instruct this program on what to do. There were two commands. On and
Off. Note, reboot is off then on. There were two arguments. Strip # and
outlet #. If you wanted to power off the 7th outlet on the first strip
you would send off,1,7. Conserver would then use IPC to send the command
to the program which then interfaced with the strip.

The beauty of this system is that outside of conserver, on the CLI of
Linux, we have 3 commands. On, off, and reboot. Those are the only 3
commands supported. If you have a Spectrum, Baytech, or APC you still
used those 3 commands. The power management program dealt with the
issues of interfacing with the strip.

I modified conserver and added 'O' and 'N' options.

Chris

From wernli@in2p3.fr Thu Nov 4 09:01:36 2010
From: Fabien Wernli
To: users@conserver.com
Date: Thu, 4 Nov 2010 10:01:29 +0100
Subject: Re: Re: [PATCH] Power control
Message-ID: <20101104090128.GA8019@ccswiss.in2p3.fr>

On Wed, Nov 03, 2010 at 02:43:46PM -0700, Bryan Stansell wrote:
> And I'm all for making it more generic as well...perhaps by making the
> 'k' command programmable - in the sense that you can associate a command
> with any character ([a-z0-9]) after 'k' and give it a label so you know
> what the command is supposed to do.
>
> So, 'k' for 'k'ommand...or perhaps even '!' to invoke a command? Harder
> to type, but consistent with vi, for example.

Great. I vote for '!'.

Also, maybe it would be interesting to have a distinction between
commands that output something or not on std(err|out).

From bryan@conserver.com Thu Nov 4 15:33:28 2010
From: Bryan Stansell
To: users@conserver.com
Date: Thu, 4 Nov 2010 08:33:27 -0700
Subject: Re: [PATCH] Power control
Message-Id: <8A3999E8-4114-4D17-9BEA-E42CE7C2B9D2@conserver.com>
In-Reply-To: <20101104090128.GA8019@ccswiss.in2p3.fr>
from quoted-printable to 8bit by underdog.stansell.org id oA4FXS1l017496 X-BeenThere: users@conserver.com X-Mailman-Version: 2.1.12 Precedence: list List-Id: Conserver Users List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Nov 2010 15:33:28 -0000 There is certainly going to be a need to either redirect stdin/stdout of the command to the console or not (some "interactive" flag). If not, stdin would probably be /dev/null and stdout could be anyone connected to the console (so everyone sees the output). Maybe it should just be the console or nothing at all. Something to think about... Bryan On Nov 4, 2010, at 2:01 AM, Fabien Wernli wrote: > On Wed, Nov 03, 2010 at 02:43:46PM -0700, Bryan Stansell wrote: >> And I'm all for making it more generic as well...perhaps by making the 'k' command programmable - in the sense that you can associate a command with any character ([a-z0-9]) after 'k' and give it a label so you know what the command is supposed to do. >> >> So, 'k' for 'k'ommand...or perhaps even '!' to invoke a command? Harder to type, but consistent with vi, for example. > > Great. I vote for '!'. > Also, maybe it would be interesting to have a distinction between commands > that output something or not on std(err|out). 
> > _______________________________________________ > users mailing list > users@conserver.com > https://www.conserver.com/mailman/listinfo/users From bryan@stansell.org Thu Nov 11 23:02:31 2010 Received: from underdog.stansell.org (localhost [127.0.0.1]) by underdog.stansell.org (8.14.4/8.14.4) with ESMTP id oABN2V7f025253; Thu, 11 Nov 2010 23:02:31 GMT Received: (from bryan@localhost) by underdog.stansell.org (8.14.4/8.14.4/Submit) id oABN2VJJ025252; Thu, 11 Nov 2010 23:02:31 GMT Date: Thu, 11 Nov 2010 23:02:31 +0000 From: Bryan Stansell To: users@conserver.com, announce@conserver.com Subject: conserver-8.1.18 is available Message-ID: <20101111230227.GA24381@underdog.stansell.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.3i X-Scanned-By: MIMEDefang 2.67 on 209.182.219.30 X-BeenThere: users@conserver.com X-Mailman-Version: 2.1.12 Precedence: list List-Id: Conserver Users List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Nov 2010 23:02:31 -0000 In honor of LISA 2010, and an attempt to get me focused on the improvements folks have feed me, I've packaged up 8.1.18. It's not a huge amount of change since 8.1.17, but it gets it out before I start adding more SSL options, integrating command execution (for power on/off or whatever), etc. version 8.1.18 (Nov 11, 2010): - install man pages read-only and improved the contributed redhat init script - patches by Eric Biederman - spec file improvements in contrib/redhat-rpm - patch by Jodok Ole Muellers - GSS-API patch for client code - patch by Andras Horvath Bryan Stansell
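The thread above names the two properties the integrated command execution has to have: the exec'ed script must not block conserver (it should keep servicing other consoles while the command runs), and there has to be a way to stop a command that "goes bad"; the non-interactive variant wants stdin on /dev/null and stdout captured for the console. The C block below is an added example written for this page. It is not conserver's code and not the patch under discussion; run_console_command and cmd_result are hypothetical names, and the argv values in the example are constructed. It assumes a POSIX system with /dev/null. The configured argv is exec'ed directly rather than through a shell, so a console label or argument cannot be turned into additional commands, and the child gets its own process group so the kill at the deadline also reaches any helper it spawned.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Outcome of one console command run (hypothetical type, not conserver's). */
typedef struct {
    int exit_status;   /* child's exit code, or -1 if it was killed or timed out */
    int timed_out;     /* 1 if the command had to be killed at the deadline */
    size_t outlen;     /* bytes captured from the command's stdout */
    char out[4096];    /* captured stdout, NUL-terminated, truncated if longer */
} cmd_result;

static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/*
 * Run argv with stdin on /dev/null and stdout captured through a pipe.
 * Never waits longer than timeout_ms: the pipe is polled, and at the
 * deadline the child's whole process group is killed. argv is exec'ed
 * directly (no shell), so labels or arguments can't inject commands.
 * Returns 0 if the command was started (see res for how it ended),
 * -1 if it could not be started at all.
 */
int run_console_command(char *const argv[], int timeout_ms, cmd_result *res) {
    int pfd[2];
    memset(res, 0, sizeof *res);
    res->exit_status = -1;
    if (pipe(pfd) < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { close(pfd[0]); close(pfd[1]); return -1; }
    if (pid == 0) {
        setpgid(0, 0);                       /* own process group: kill(-pid) reaches helpers too */
        int devnull = open("/dev/null", O_RDONLY);
        if (devnull >= 0) { dup2(devnull, STDIN_FILENO); close(devnull); }
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[0]); close(pfd[1]);
        execv(argv[0], argv);                /* absolute path, no PATH search, no shell */
        _exit(127);                          /* exec failed: report it like a shell would */
    }
    setpgid(pid, pid);                       /* parent side too, closes the race with kill(-pid) */
    close(pfd[1]);

    long deadline = now_ms() + timeout_ms;
    struct pollfd p = { .fd = pfd[0], .events = POLLIN };
    for (;;) {
        long left = deadline - now_ms();
        if (left <= 0) break;                /* deadline reached while output still open */
        int n = poll(&p, 1, (int)left);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;                   /* poll timeout or error */
        char buf[512];
        ssize_t r = read(pfd[0], buf, sizeof buf);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) break;                   /* EOF: every holder of the write end closed it */
        size_t room = sizeof res->out - 1 - res->outlen;
        size_t take = (size_t)r < room ? (size_t)r : room;
        memcpy(res->out + res->outlen, buf, take);
        res->outlen += take;
        res->out[res->outlen] = '\0';
    }
    close(pfd[0]);

    /* Reap without blocking; a child that closed stdout but keeps running still hits the deadline. */
    int status = 0;
    for (;;) {
        pid_t w = waitpid(pid, &status, WNOHANG);
        if (w == pid) break;
        if (w < 0 && errno != EINTR) return -1;
        if (now_ms() >= deadline) {
            kill(-pid, SIGKILL);             /* whole process group, not just the direct child */
            res->timed_out = 1;
            waitpid(pid, &status, 0);
            break;
        }
        struct timespec nap = { 0, 10 * 1000 * 1000 };   /* 10 ms between reap attempts */
        nanosleep(&nap, NULL);
    }
    if (!res->timed_out && WIFEXITED(status)) res->exit_status = WEXITSTATUS(status);
    return 0;
}

int main(void) {
    cmd_result r;
    char *const off[] = { "/bin/echo", "off,1,7", NULL };   /* constructed example argv */
    if (run_console_command(off, 1000, &r) == 0)
        printf("exit=%d timed_out=%d out=%s", r.exit_status, r.timed_out, r.out);
    return 0;
}
```

In a daemon the pipe descriptor would be registered in the existing select/poll loop next to the console descriptors instead of being polled in a private loop as it is here, so that other consoles are serviced between reads; the deadline check and the kill of the process group carry over unchanged, and they are what keeps a stuck script from taking the whole server with it.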