Hi!
We have Cyclades ACS installed, accessible via SSH, and I'd like to
centralize the connection point to them via Conserver instead of the
current solution (a shell script doing roughly the same as Conserver but
with many limits).
The Cyclades are setup with username/password access on their own.
As I haven't used Conserver for a long time, I'm somewhat behind with the
features offered.
I see currently two possible solutions for me :
1. Keep the Cyclades as they are (with their own user validation) and use
Conserver just as gateway. For this, I'd prefer to have it configured so
Conserver itself doesn't authorize users but just pass them on to the
right console (where they're then authorized by the Cyclades).
Can this be done without any security issues with Conserver ?
2. Change the Cyclades configuration so they don't validate, or validate
to a specific user known by Conserver, thus Conserver maintain connections
established to all servers connected to the Cyclades and take care of all
authorization.
I suppose I can limit the access at the same time on the Cyclades with TCP
wrappers, so only the Conserver server(s) gets access.
The benefit with this is that I get the user administration away from the
Cyclades and into the UNIX servers where password are sync'ed, thus the
admins don't need to maintain their passwords on the Cyclades but can use
the standard company one as used in Windows logon.
For solution 1, apart from setting up Conserver so it doesn't validate all
users but trust (based upon where they come from/whatever), I have one
small problem :
The Cyclades validate per username, and I'd like that the username people
use for console (console -l username) is passed to the Cyclades, however I
don't know exactly how to do this on the conserver.cf.
What the Cyclades expect is a resulting SSH command line like this :
ssh -l username:portnumber hostname-of-cyclades
The portnumber & hostname of the cyclades is easy, but I don't know how to
pass the username. Anyone ?
Below is an example of what I have currently.
Apart from all this, I'd be happy to get some suggestion regarding best
practises on Conserver+Cyclades.
We have 16 of them, all 48 port and spread around the world in different
datacenters.
default bboxb05 {
type exec;
host fubar-cyclade;
exec /usr/bin/ssh -l username:P H;
execsubst H=hs,P=Pd;
portbase 7000; portinc 1;
}
default ilo-rc {
type exec;
exec /usr/bin/ssh -l foo H;
execsubst H=hs,P=Pd;
}
console fubar1 { include bboxb05; port 41; }
console fubar2 { include bboxb05; port 26; }
console fubar1-ilo { include ilo-rc; host fubar1rb; }
_______________________________________________
users mailing list
users@conserver.com
https://www.conserver.com/mailman/listinfo/users
We have Cyclades ACS installed, accessible via SSH, and I'd like to
centralize the connection point to them via Conserver instead of the
current solution (a shell script doing roughly the same as Conserver but
with many limits).
The Cyclades are setup with username/password access on their own.
As I haven't used Conserver for a long time, I'm somewhat behind with the
features offered.
I see currently two possible solutions for me :
1. Keep the Cyclades as they are (with their own user validation) and use
Conserver just as gateway. For this, I'd prefer to have it configured so
Conserver itself doesn't authorize users but just pass them on to the
right console (where they're then authorized by the Cyclades).
Can this be done without any security issues with Conserver ?
2. Change the Cyclades configuration so they don't validate, or validate
to a specific user known by Conserver, thus Conserver maintain connections
established to all servers connected to the Cyclades and take care of all
authorization.
I suppose I can limit the access at the same time on the Cyclades with TCP
wrappers, so only the Conserver server(s) gets access.
The benefit with this is that I get the user administration away from the
Cyclades and into the UNIX servers where password are sync'ed, thus the
admins don't need to maintain their passwords on the Cyclades but can use
the standard company one as used in Windows logon.
For solution 1, apart from setting up Conserver so it doesn't validate all
users but trust (based upon where they come from/whatever), I have one
small problem :
The Cyclades validate per username, and I'd like that the username people
use for console (console -l username) is passed to the Cyclades, however I
don't know exactly how to do this on the conserver.cf.
What the Cyclades expect is a resulting SSH command line like this :
ssh -l username:portnumber hostname-of-cyclades
The portnumber & hostname of the cyclades is easy, but I don't know how to
pass the username. Anyone ?
Below is an example of what I have currently.
Apart from all this, I'd be happy to get some suggestion regarding best
practises on Conserver+Cyclades.
We have 16 of them, all 48 port and spread around the world in different
datacenters.
default bboxb05 {
type exec;
host fubar-cyclade;
exec /usr/bin/ssh -l username:P H;
execsubst H=hs,P=Pd;
portbase 7000; portinc 1;
}
default ilo-rc {
type exec;
exec /usr/bin/ssh -l foo H;
execsubst H=hs,P=Pd;
}
console fubar1 { include bboxb05; port 41; }
console fubar2 { include bboxb05; port 26; }
console fubar1-ilo { include ilo-rc; host fubar1rb; }
_______________________________________________
users mailing list
users@conserver.com
https://www.conserver.com/mailman/listinfo/users