Bryan Stansell bryan@conserver.com
Mon, 5 Mar 2001 23:48:18 -0800 (PST)
On Mon, Mar 05, 2001 at 08:53:07AM -0600, Scott Matott wrote:
> Speaking more generally about the passwd file, can you set password on a per
> console connection.

Nope...not in this version of conserver, anyway. Other versions can set a password on the console itself, but that functionality was stripped out of this thread of code a LONG time ago in favor of the conserver.passwd file (which still isn't fully taken advantage of).

> For example, we have some general purpose machine whose console we want all
> sysadmins to have access to. Then we have special security hosts, (things
> like our powerbroker server, network routers and firewalls) which we only want
> the security team to be able to access.

For each user, instead of 'any' after the password, put the console names you'd like them to have access to. Ugly though...continue with my next comment.

> Do we need to setup a 2nd conserver host for this, or can we put passwords on
> just those console connections?

Unfortunately, this is the extent of control: each user can have a list of consoles they can attach to or the special token 'any' which means (obviously) any console. There's no syntax for "not" or "except" or anything like that, so if they can't attach to all, you have to list every console they can get at explicitly (and there's a limitation in line length, so don't make it too long without adjusting the 'buf' variable in CheckPasswd() (conserver/group.c)). Yeah, that needs to be fixed.

The idea of a second console server is an interesting one. It should get around the limitations of the code for your setup: restricted consoles are on that host with a conserver.passwd file that lists those limitations and then the non-restricted are on a second server with folks having 'any' in the password file. Should work!

I just added this to my wishlist for conserver. If anyone works up patches, let me know! Maybe I can get a few minutes of coding in before sleeping tonight...yeah, right.

Bryan
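The per-user console lists described in the message above, as an added example that is not part of the original post or of conserver: a small audit that reports which users can reach restricted consoles (explicitly or through 'any') and which lines exceed a length limit. The user:password:consoles field layout, the separator handling, the MAX_LINE value and all sample entries are assumptions constructed for illustration.

```python
import re

# Placeholder limit: the post only says a line-length limit exists ('buf' in
# CheckPasswd()); read the real size from your own source tree.
MAX_LINE = 100

# Constructed sample. Assumed layout: user:password:consoles, where consoles is
# 'any' or an explicit list of console names.
SAMPLE = """\
alice:PLACEHOLDERHASH:any
bob:PLACEHOLDERHASH:web1,web2,fw1
carol:PLACEHOLDERHASH:web1,web2
"""


def parse(text):
    """Return (lineno, user, console_names, raw_length) for each entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected user:password:consoles")
        user, _password, consoles = parts
        names = [c for c in re.split(r"[,\s]+", consoles) if c]
        entries.append((lineno, user, names, len(raw)))
    return entries


def audit(text, restricted, allowed_users, max_line=MAX_LINE):
    """List users outside allowed_users who can attach to restricted consoles,
    plus entries whose line is longer than max_line."""
    restricted = set(restricted)
    findings = []
    for lineno, user, names, length in parse(text):
        if length > max_line:
            findings.append((user, "line-too-long", lineno))
        # 'any' grants every console, so it reaches every restricted one.
        reach = restricted if "any" in names else restricted & set(names)
        if reach and user not in allowed_users:
            findings.append((user, "restricted-access", sorted(reach)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, {"fw1", "pbroker"}, allowed_users={"alice"}):
        print(finding)
```

Because the file has no "not" or "except" syntax, any 'any' entry for a user outside the security team shows up here as access to every restricted console on that server.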