Mailing List Archive

initial console connection requires authentication
I have been struggling for several days trying to get a new instance of
conserver to talk to a relatively new Opengear CM4148 terminal server.
I have an older CM4148 (OpenGear/CM41xx Firmware Version 2.1.0u1) which
is working just fine with this conserver host. But the newer unit (FW
version 2.3.1u3) requires a login, presumably to authenticate to the
Opengear device, before I can open the port to log console output and
before I can log in at the prompt on the serial console port.

I have read through the Opengear manual and do not see a way to set it
up to allow access without some form of authentication. I did find a
thread in this conserver users mailing list archive. It was dated 25
Sep 2007 under the title "console connection prompts for root password".
That question was submitted by Lisa Doherty with an answer from David
Harris. I believe that thread was talking about authenticating to the
conserver software and not to the Opengear device.

Like Lisa was at that time, I am new to this list. I have been using
older versions of conserver for over 10 years. This is the first
instance of conserver version 8 that I am setting up. And I set up that
older Opengear device over 18 months ago. I have spent way too long
trying to get over this problem on my own. I have an e-mail into
support@opengear.com. I would appreciate any help that list members
could offer.

Ken Schumacher

--
===========================================================================
Ken Schumacher <kschu@fnal.gov> (o) 630.840.4579 (f) 630.840.6345
Fermilab/Computing Div/SSA Group Loc: FCC-238 (pgr) 630.905.1149
Re: initial console connection requires authentication
Ken,

I solved my problem by adding the ssh public key of the user running the
conserver process on my conserver host to the Opengear terminal server.
As an example, if I have a host named foo, and foo has conserver running
as user bar, then I add bar's id_dsa.pub to the Opengear terminal server
/etc/config/users/conserver/.ssh/authorized_keys file.

I believe I had to restart the conserver process on my conserver host
(in this example, foo). Once I did that the prompt disappeared.
Hopefully this helps you.

Lisa Doherty

_______________________________________________
users mailing list
users@conserver.com
https://www.conserver.com/mailman/listinfo/users
Re: initial console connection requires authentication
Hi Lisa and Ken,

Sorry for sleeping at the wheel, holidays are taking their toll.

Lisa's solution is the recommended way of avoiding interactive logins
and there are detailed instructions in the User Manual:
ftp://ftp.opengear.com/manual/IMG-IM-CM4000%20User%20Manual3.1.pdf

Section 15.6, essentially it's identical to Public Key setup on vanilla
Linux however some of the directories and files live in different places
on our embedded FS.

The dirty work-around is to not use Telnet but RFC-2217 which is a
super-set of the Telnet protocol usually meant for controlling serial
port settings over a network. This will mean your TCP port will change
(by default) from 2000 + the serial port to 5000 + the serial port but
you will not need to authenticate. It is highly recommended if you go
down this path to restrict access to those TCP ports with iptables
(you can use the Trusted Network configuration to achieve this). The
drawback of RFC2217 usage is that your sessions will be restricted to 1
user per port concurrently.

Hope that helps and apologies for the delay, Zonker alerted me.

Regards,
Peter



--
Peter Hunt
Opengear Inc - Secure Server Management - www.opengear.com
Phone: 801 282 1387 ext 2229
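
The port restriction recommended above for the unauthenticated RFC-2217 ports, sketched as an added example that is not part of the original thread and is not Opengear's own configuration. The function names, the 48-port count, the 192.0.2.10 conserver address and the use of the INPUT chain are assumptions; the rules are only printed, not applied.

```shell
#!/usr/bin/env bash
# Added example: print iptables rules that limit one access type's TCP port
# range to a single trusted conserver host. Nothing is applied to the system.

# Port bases quoted in the thread: Telnet 2000+n, Raw TCP 4000+n, RFC 2217 5000+n.
port_base() {
  case "$1" in
    telnet)  echo 2000 ;;
    raw)     echo 4000 ;;
    rfc2217) echo 5000 ;;
    *)       echo "unknown access type: $1" >&2; return 1 ;;
  esac
}

# tcp_port ACCESS_TYPE SERIAL_PORT -> TCP port serving that serial port
tcp_port() {
  local base
  base=$(port_base "$1") || return 1
  # Reject empty, zero, leading-zero and non-numeric serial port numbers.
  case "$2" in
    ''|0*|*[!0-9]*) echo "bad serial port: $2" >&2; return 1 ;;
  esac
  echo $(( base + $2 ))
}

# restrict_rules ACCESS_TYPE NPORTS TRUSTED_SRC -> two iptables command lines
restrict_rules() {
  local first last
  first=$(tcp_port "$1" 1) || return 1
  last=$(tcp_port "$1" "$2") || return 1
  # Accept the trusted source first, then drop every other source on the range.
  echo "iptables -A INPUT -p tcp -s $3 --dport $first:$last -j ACCEPT"
  echo "iptables -A INPUT -p tcp --dport $first:$last -j DROP"
}

# Constructed values (assumptions): 48 serial ports, conserver host 192.0.2.10.
restrict_rules rfc2217 48 192.0.2.10
```

Rule order matters here: the ACCEPT for the conserver host has to be evaluated before the DROP that covers the same port range.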

Re: initial console connection requires authentication
Peter,

I will go back to the manual and look at this again. But I will tell
you up front that I have been trying to configure conserver to use the
RFC-2217 protocol and I am getting the login prompts. I have assumed
this request to authenticate was coming from the Opengear.

I have a private LAN segment which is used for all the console
management and power management functions. Fermilab has quite strict
requirements as to the types of security that must be in place on any
network login. Basically any network connection which would allow
someone to get to a shell or command-line prompt must be kerberized. So
the Opengear is kept on the private segment. And I fully trust that
anyone who can log into the node running a conserver daemon is properly
authenticated. So any host that can communicate with the Opengear is a
trusted host.

I got e-mail replies from Zonker and Lisa (Thank you both!). I had
hoped that I could configure the Opengear without having to define a
list of trusted users or adding individual SSH keys. I will go back and
look at section 15.6 again and see what I can do with that.

I'll post a summary/update when I get this all worked out.

Thanks for the help.
Ken Schumacher

Re: initial console connection requires authentication
On Fri, Jan 18, 2008 at 01:51:50PM -0600, Ken Schumacher wrote:
> I will go back to the manual and look at this again. But I will tell
> you up front that I have been trying to configure conserver to use the
> RFC-2217 protocol and I am getting the login prompts. I have assumed
> this request to authenticate was coming from the Opengear.

i just took a quick look at pages 45 through 49 of that CM4000 user
manual. i'd suggest setting the access type to "Raw TCP" and having
conserver connect on ports 4000+n. the rfc 2217 stuff doesn't seem
right for conserver purposes (conserver certainly doesn't talk it so
there might be some weirdness there). the implication (based on the
manual) is that there won't be a login prompt using raw tcp.

there's my 2 cents. ;-)

Bryan
Re: initial console connection requires authentication
Bryan Stansell wrote:
> On Fri, Jan 18, 2008 at 01:51:50PM -0600, Ken Schumacher wrote:
>
>> I will go back to the manual and look at this again. But I will tell
>> you up front that I have been trying to configure conserver to use the
>> RFC-2217 protocol and I am getting the login prompts. I have assumed
>> this request to authenticate was coming from the Opengear.
>>
>
> i just took a quick look at pages 45 through 49 of that CM4000 user
> manual. i'd suggest setting the access type to "Raw TCP" and having
> conserver connect on ports 4000+n. the rfc 2217 stuff doesn't seem
> right for conserver purposes (conserver certainly doesn't talk it so
> there might be some weirdness there). the implication (based on the
> manual) is that there won't be a login prompt using raw tcp.
>
> there's my 2 cents.
>
The RFC-2217 protocol does not authenticate and it will be Telnet
compatible, whereas you may experience TTY corruption using raw TCP.
Sredird which we use to serve RFC-2217 should handle all the Telnet
escape sequences more appropriately.

I just verified that the latest firmware 2.3.1u3 is behaving correctly
when using RFC-2217 on port 1 with my Linux telnet client:

<snip>
# telnet 192.168.0.1 5001

Trying 192.168.135.50...
Connected to 192.168.135.50.
Escape character is '^]'.
[ OK ]
* Starting kernel event manager... [ OK ]
* Loading hardware drivers... !
[ OK ]
* Loading kernel modules... [ OK ]
* Activating swap...
</snip>

connected to an Ubuntu Gutsy console.

If you could send through your Support Report or at least the
configuration section to support@opengear.com (perhaps take this offline
while we sort out the problem) I can try and work out if there is a
configuration issue.

Regards,
Peter

--
Peter Hunt
Opengear Inc - Secure Server Management - www.opengear.com
Phone: 801 282 1387 ext 2229

Re: initial console connection requires authentication
On Tue, Jan 22, 2008 at 04:12:04PM -0700, Peter Hunt wrote:
> The RFC-2217 protocol does not authenticate and it will be Telnet
> compatible, whereas you may experience TTY corruption using raw TCP.

that's good to know. i took a peek at the rfc and conserver should
interact with it just fine (it should deny any knowledge of those
extensions). and since you still get core telnet functionality, things
should be happier than the raw tcp stuff.

anyway, just wanted to agree with peter's message. :-)

Bryan