Date: Sat, 28 Jun 1997 01:32:54 -0700 (PDT)
From: Simon Shapiro <Shimon@i-Connect.Net>
To: Tom Samplonius <tom@sdf.com>
Cc: Bruce Evans <bde@zeta.org.au>, mburgett@cmnsens.zoom.com, freebsd-hackers@FreeBSD.ORG
Subject: Re: com console, and h/w flow control...
Message-ID: <XFMail.970628013254.Shimon@i-Connect.Net>
In-Reply-To: <Pine.BSF.3.95q.970628004030.8640B-100000@misery.sdf.com>
Hi Tom Samplonius;

On 28-Jun-97 you wrote:
>
> On Sat, 28 Jun 1997, Simon Shapiro wrote:
>
> > One logs in on the serial console from a modem (or terminal server),
> > becomes root and the serial connection drops (noisy modem line, etc.).
> >
> > At this point ANYONE who dials-in is ROOT!
>
> This is not really what the COM console was designed for anyhow. Don't
> use a modem on it, ever.
>
> Not only could modem users grab root, as above, if they happen to be on
> when the system is booting, they could simply boot single user.

This is easily fixed by having DTR stay low until the kernel initializes
the driver (which is probably what happens now). A properly setup modem
(or terminal server) will not connect until DTR goes true.

> Remember,
> the COM console features give you CONSOLE access, and such access should
> not be taken lightly!

Exactly my point! But how do we satisfy the need for remote access to the
console? One needs some sort of firewall. Another Unix BOX (with null
modem as you suggest below) will do it. But how do you protect that
machine? Besides, this arrangement is no different than a terminal server
and it introduces a single point of failure. No good.

> So DON'T use a modem on a COM console. Configure a regular serial port
> instead.

That is obviously clear (clearly obvious?), but does not answer the
question: What would you recommend as a SECURE remote console access?

> If you need to use the console remotely, and want to use COM console for
> this, use another FreeBSD box with a null modem cable to the console port.
> Or, you could use a terminal server for this (this is what I do, mainly
> because I have two spare Portmasters).

I am thinking of a product definition for hundreds of world-wide
installations. We want a secure remote port. Having a terminal server is a
reasonable way to do it, but it is a SPOF. Both security and availability
wise.

Simon