Michael Redinger Michael.Redinger@uibk.ac.at
Sun, 17 Jun 2007 04:00:02 -0700 (PDT)
- configure the Cyclades server to accept hostbased authentication from your conserver host.
- you might want to configure the Cyclades firewall to restrict ssh logins to your conserver server.
- do not pass the user from conserver to the Cyclades server. Instead, always use one user (and hostbased authentication).
- configure conserver to use PAM.
- configure conserver to connect to the appropriate ssh port for each system.

(We do not use names for the ports because we found it is a better idea to keep the console servers as dumb as possible and do all the configuration on the conserver system. If you have many console servers, this is the best way to keep a clean configuration.)

E.g.:
  default casssh {
      type exec;
      exec /usr/local/bin/cssh P H;
      execsubst P=pd,H=hs;
  }

  console myserver {
      port 1;
      include casssh;
      host mycycladesserver;
  }

/usr/local/bin/cssh:

  #!/bin/sh
  # invoked by conserver as: cssh <port> <terminal-server>
  PORT=${1}
  TERMSRV=${2}
  # Cyclades user syntax: <user>:ttyS<port>, always the same user (hostbased auth)
  ssh -2 -q -x -t root:ttyS${PORT}@${TERMSRV}
Greetings, Michael
> Hi!
>
> We have Cyclades ACS installed, accessible via SSH, and I'd like to centralize the connection point to them via Conserver instead of the current solution (a shell script doing roughly the same as Conserver but with many limits).
>
> The Cyclades are set up with username/password access on their own.
>
> As I haven't used Conserver for a long time, I'm somewhat behind with the features offered.
>
> I see currently two possible solutions for me:
>
> 1. Keep the Cyclades as they are (with their own user validation) and use Conserver just as a gateway. For this, I'd prefer to have it configured so Conserver itself doesn't authorize users but just passes them on to the right console (where they're then authorized by the Cyclades). Can this be done without any security issues with Conserver?
>
> 2. Change the Cyclades configuration so they don't validate, or validate a specific user known by Conserver, so that Conserver maintains connections established to all servers connected to the Cyclades and takes care of all authorization. I suppose I can limit the access at the same time on the Cyclades with TCP wrappers, so only the Conserver server(s) get access. The benefit of this is that I get the user administration away from the Cyclades and onto the UNIX servers where passwords are synced, so the admins don't need to maintain their passwords on the Cyclades but can use the standard company one as used for Windows logon.
>
> For solution 1, apart from setting up Conserver so it doesn't validate all users but trusts them (based upon where they come from/whatever), I have one small problem:
>
> The Cyclades validate per username, and I'd like the username people use for console (console -l username) to be passed to the Cyclades; however, I don't know exactly how to do this in conserver.cf. What the Cyclades expect is a resulting SSH command line like this:
>
>   ssh -l username:portnumber hostname-of-cyclades
>
> The port number and hostname of the Cyclades are easy, but I don't know how to pass the username. Anyone? Below is an example of what I have currently.
>
> Apart from all this, I'd be happy to get some suggestions regarding best practices on Conserver+Cyclades. We have 16 of them, all 48-port and spread around the world in different datacenters.
>
>   default bboxb05 {
>       type exec;
>       host fubar-cyclade;
>       exec /usr/bin/ssh -l username:P H;
>       execsubst H=hs,P=Pd;
>       portbase 7000;
>       portinc 1;
>   }
>
>   default ilo-rc {
>       type exec;
>       exec /usr/bin/ssh -l foo H;
>       execsubst H=hs,P=Pd;
>   }
>
>   console fubar1 { include bboxb05; port 41; }
>   console fubar2 { include bboxb05; port 26; }
>   console fubar1-ilo { include ilo-rc; host fubar1rb; }
_______________________________________________ users mailing list users@conserver.com https://www.conserver.com/mailman/listinfo/users
--
Michael Redinger
Zentraler Informatikdienst (Central IT Services)
Universitaet Innsbruck
Technikerstrasse 13            Tel.: ++43 512 507 2335
6020 Innsbruck                 Fax.: ++43 512 507 949 02335
Austria                        Mail: Michael.Redinger@uibk.ac.at
BB98 D2FE 0F2C 2658 3780 3CB1 0FD7 A9D9 65C2 C11D
http://homepage.uibk.ac.at/~c102mr/mred-pubkey.asc
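The following is an added example, not code from Michael's post or from the conserver project. It is a hardened variant of the cssh wrapper that his "one user plus hostbased authentication" setup calls from conserver.cf (exec /usr/local/bin/cssh P H; execsubst P=pd,H=hs). Because conserver substitutes the port and host into a shell command line, the wrapper validates both before handing them to ssh: the port must be an integer within the console server's port count, and the host must be in an allowlist of console servers. It also pins ssh to hostbased authentication so that a misconfigured console server can never fall back to an interactive password prompt on the console line. The hostnames (mycycladesserver, cas-dc1, cas-dc2), the 48-port maximum and the function names are assumptions for the example.

```shell
#!/bin/sh
# cssh: conserver -> Cyclades ssh wrapper (added example, not the original post's script).
# Invoked by conserver as:  cssh <port> <terminal-server>
# Install as /usr/local/bin/cssh; the exec only runs when invoked under that name.

# Assumed allowlist of console servers reachable from the conserver host
# (hypothetical names; replace with your own).
ALLOWED_HOSTS="mycycladesserver cas-dc1 cas-dc2"
# Assumed: 48-port Cyclades ACS, so serial lines are ttyS1..ttyS48.
MAX_PORT=48
# Single fixed user on the console server; authenticated via hostbased auth.
CONSOLE_USER=root

# valid_port PORT -> 0 if PORT is a plain integer in 1..MAX_PORT, else 1
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit (e.g. "7;id")
    esac
    [ "$1" -ge 1 ] && [ "$1" -le "$MAX_PORT" ]
}

# valid_host HOST -> 0 if HOST is in ALLOWED_HOSTS (exact match), else 1
valid_host() {
    for h in $ALLOWED_HOSTS; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# cssh_command PORT HOST -> prints the ssh command line that would be executed,
# or prints an error to stderr and returns 2 if either argument is rejected.
cssh_command() {
    valid_port "$1" || { echo "cssh: bad port '$1'" >&2; return 2; }
    valid_host "$2" || { echo "cssh: host '$2' not allowed" >&2; return 2; }
    # -o HostbasedAuthentication=yes / PreferredAuthentications=hostbased:
    #   never fall back to a password prompt on the console line.
    # -o StrictHostKeyChecking=yes: a changed or unknown host key aborts the
    #   connection instead of silently accepting it.
    printf 'ssh -2 -q -x -t -o HostbasedAuthentication=yes -o PreferredAuthentications=hostbased -o StrictHostKeyChecking=yes %s:ttyS%s@%s\n' \
        "$CONSOLE_USER" "$1" "$2"
}

main() {
    cmd=$(cssh_command "$1" "$2") || exit 2
    # Word-splitting of $cmd is intentional: every field was validated above,
    # so it contains no whitespace or shell metacharacters from the arguments.
    exec $cmd
}

# Only exec ssh when installed and run as "cssh"; sourcing the file for
# testing defines the functions without connecting anywhere.
case "${0##*/}" in
    cssh) main "$@" ;;
esac
```

With this wrapper the conserver.cf stanza stays exactly as in Michael's example; only the script behind it changes. The checks are defence in depth: conserver.cf is trusted input, but a typo such as a port of 0, a host name that drifts from the allowlist after a rename, or a fat-fingered `console` entry now fails closed with a clear error in the conserver log instead of connecting somewhere unexpected.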