Ryan Kirkpatrick linux@rkirkpat.net
Wed, 26 Jul 2006 06:15:49 -0700 (PDT)
On Tue, 25 Jul 2006, Bryan Stansell wrote:

> anyone out there good at thinking outside the box? ;-)

While I don't need one-time passwords, I did want secure access to my conserver without having to enter passwords. My solution was to restrict access to conserver to only the local machine running conserver (i.e. only loopback allowed to connect), but trust usernames and not require passwords. Then to access the machine I use per-user SSH accounts, with public keys on the conserver machine, and private keys plus ssh-agent on the end-user machine. The conserver config excerpt is something like this:

-------------------------------------------------------------------------
# Establish access control.
access * {
    # Only allow connections from this machine.
    trusted localhost,console;
}
-------------------------------------------------------------------------

To avoid the annoyance factor of having to 'ssh' and then 'console', I wrote the following shell script for the end-user machines, named /usr/local/bin/console:

--------------------------------------------------------------------------
#!/bin/bash
# Open a pseudo terminal with SSH on the console server and run console
# there. "$@" hands each argument through intact; an unquoted $* would
# re-split arguments containing spaces and expand shell globs locally.
ssh -t farstar console "$@"
--------------------------------------------------------------------------

Where 'farstar' is the hostname of the conserver machine. This passes all parameters to console on that machine, and pretty much makes the SSH connection transparent. Only if you are trying to do some advanced piping/scripting/local file access with the console client does it break down. As an added bonus, the console session, as it passes over the network, is encrypted like any SSH shell session. And using PAM, any desired authentication method could be used in place of SSH's private/public keys.

For multiple system conservers, you can configure the other machines to only accept console connections from the master server that the end-user will SSH into. Though be aware that the console session from the master to the other server is not encrypted (unless conserver SSL is enabled).

Hopefully this will be of use or at least provide ideas. TTYL.

---------------------------------------------------------------------------
| "For to me to live is Christ, and to die is gain."                      |
|                                  --- Philippians 1:21 (KJV)             |
---------------------------------------------------------------------------
| Ryan Kirkpatrick | Boulder, Colorado | http://www.rkirkpat.net/         |
---------------------------------------------------------------------------
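The wrapper idea in the post, as an added example (not Ryan's script and not part of conserver): a POSIX sh version of /usr/local/bin/console for the end-user machine. It keeps the same structure, "ssh -t host console ...", but quotes each argument before the remote login shell re-splits the command line, so a console name or an escape sequence containing spaces or shell metacharacters reaches the console client unchanged. Because the console server accepts the username from any loopback client without a password, the SSH login is the only authentication step, so the wrapper refuses to connect when ssh-agent holds no identity rather than dropping the user into a password prompt. The CONSOLE_HOST variable (defaulting to the post's "farstar"), the ssh-add check and the quoting helper are assumptions of this example.

```shell
#!/bin/sh
# Added example: an end-user /usr/local/bin/console wrapper in the spirit of
# the one in the post. Not the original script. Assumptions: the console
# server is reachable as "farstar" (overridable via CONSOLE_HOST) and the
# user's private key is held by ssh-agent, as the post describes.

CONSOLE_HOST="${CONSOLE_HOST:-farstar}"

# Single-quote one word for the remote login shell. ssh joins its command
# arguments with spaces and the remote shell splits them again, so a bare
# "ssh host console $*" breaks any argument that contains spaces or shell
# metacharacters. Each embedded single quote becomes '\'' so the word
# survives the second round of parsing intact.
shquote() {
    _s=$1
    _out="'"
    while [ -n "$_s" ]; do
        case $_s in
            \'*) _out="$_out'\\''" ;;
            *)   _out="$_out${_s%"${_s#?}"}" ;;
        esac
        _s=${_s#?}
    done
    printf '%s' "$_out'"
}

# Build the command line the remote shell will run: the conserver client
# followed by every wrapper argument, each quoted.
build_remote_command() {
    _cmd="console"
    for _arg in "$@"; do
        _cmd="$_cmd $(shquote "$_arg")"
    done
    printf '%s' "$_cmd"
}

main() {
    # conserver trusts loopback and asks for no password, so the SSH login
    # is the only authentication step. Fail fast if ssh-agent holds no
    # identity (ssh-add -l exits non-zero) instead of falling through to a
    # password prompt.
    if ! ssh-add -l >/dev/null 2>&1; then
        echo "console: no identity loaded in ssh-agent; run ssh-add first" >&2
        exit 1
    fi
    # -t allocates a pty on the console server so the interactive console
    # session (escape sequences, attach/spy, etc.) works as it would locally.
    exec ssh -t "$CONSOLE_HOST" "$(build_remote_command "$@")"
}

# Only connect when installed and invoked as "console"; sourcing the file
# just defines the helpers above.
case $0 in
    */console|console) main "$@" ;;
esac
```

Installed as /usr/local/bin/console, "console -e '^Ec' 'my host'" on the workstation becomes "console '-e' '^Ec' 'my host'" on the console server; the same command through the unquoted original would arrive as five words.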