Date:      Thu, 29 Jan 1998 16:38:40 +0000
From:      Karl Pielorz <kpielorz@tdx.co.uk>
To:        Adam Turoff <AdamT@smginc.com>
Cc:        hackers <hackers@FreeBSD.ORG>
Subject:   Re: WebAdmin (was: RE: /usr/src/release/sysinstall needs YOU. :-))
Message-ID:  <34D0B090.5061FE9C@tdx.co.uk>
References:  <34D0D540@smginc.com>

Hmmm...

I don't often throw my 2 pennies worth in, but here goes...

The company where I'm working now have several FreeBSD machines, and 1
competent BSD 'maintainer' (guess who?).

People have been asking me 'how do I set up users, please set this up, please
do this, please change that password' etc. - and I've come up with a solution
- there is very little code written so far, and what is written is probably
more aimed at maintaining a system that is 'up' rather than setting a new one
up from scratch...

Here goes...

On each machine we run an 'admind' process (admin. daemon). Now all our
machines are firewalled correctly, so only internal machines on our Company
LAN can connect on the AdminD port - but even so, I still intend to use
passwords / encryption etc.

Once AdminD is running - people (administrators) connect to that port, 'login'
(and get assigned a session ID / encryption key etc.) - and can then 'control'
the machine...

A lot of this is based on SMTP / POP3 conversation style stuff, e.g. you might
send a command to that port to 'ADDUSER "username", "password", "group",
"homedir", "shell"' etc. - the box then goes off and does this - tells you
whether it could or couldn't etc, likewise a 'LISTSMTPVIRTUALDOMAIN' command
will return a nice list of all the SMTP Virtual domains the server supports,
which again can be read and displayed by the client...

I know this solution isn't perfect, but it's not doing too bad so far... We
have Win 32 clients (written in VB) which connect to it at the moment, though
there's no reason why these couldn't be Java clients.

The client is 'dumb', all it has to do is prompt for the right information -
make sure it's sensible - then submit it to the server to have it carried out.
Any errors are returned as text, or error codes - which the client can display
to the user.

Right - that's the 'rough' outline, please flame away...

(On a serious note, sufficiently little of this has been coded for me to
change to a different system - if we can agree a 'better' way... I'm not too
hot for CGI / httpd doing all the work - hence the 'admind' approach - it
satisfies our main aim of secure administration from Win32 clients, using
'nice' and 'pretty' Win32 GUI elements).

I may be able to secure work time to help with such a project - if a few of us
can get together and decide how to implement it, and plan it out etc.

Regards,

Karl Pielorz


Adam Turoff wrote:
>
> >
> > Unfortunately, it would also seem that most people are only good for
> > suggesting that a Java or plain-HTML based admin tool would be a good
> > thing and not so much good for actually coding up the proof-of-concept
> > that'd be required to make it anything more than a simple and
> > often-made suggestion. ;-)
> >
> >                                         Jordan
> 
> OK.  Enough goading.  :-)
> 
> I'm doing perl based CGI to pay the bills and gradually getting up to
> speed on being a reasonable FreeBSD admin for a small workgroup.
> 
> I don't feel qualified enough to start down this path alone.  There
> are a lot of nontrivial security issues to deal with, and a lot of
> nontrivial configuration issues to deal with, too.
> 
> I'm in a situation where Netware Admins are rushing to get
> up to speed with NT, and I'm throwing FreeBSD in their faces
> at the same time.  I'll spare the anti-NT discussion here; no
> need preaching to the choir.
> 
> Here are a few things I'd like to see in a web-based admin tool:
>  - DNS administration
>  - user config
>  - ports management
>  - samba config (admin-loadable module?  :-) )
>  - NFS config
>  - mounting
>  - apache config (?)
>  - mirroring
>  - config replication (act like that machine there)
>  - lynx friendly
> 
> Of course, some of these issues are rife with security holes.
> Hopefully, used judiciously, it'll be a value add that will make
> FreeBSD more approachable to newbies.
> 
> My guess is that limiting access to clients coming from
> localhost would help, allowing access from a list of trusted
> clients as well.  The admin server could come up and down
> as needed rather than sitting there waiting to be abused.
> 
> My questions to -hackers at large would be:
>  - any other admin type things that should be included?
>  - any other security issues that should be considered?
>  - ideas for extensibility?
> 
> Hopefully I should have something started in a few weeks.
> 
>  -- Adam
> Rhythm deficient bassist for Necessity & the Mothers of Invention
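
The command handling described in the message above, sketched as an added example; it is not part of the original e-mail and is not Karl's admind code. It combines the trusted-client check suggested in the quoted text with server-side validation of the `ADDUSER` line, so the daemon does not depend on the 'dumb' client having checked anything. The reply codes, trusted networks, allowed shells, the `/home/<user>` policy and the hand-off to `pw useradd` are assumptions.

```python
import ipaddress
import re

# Assumed site policy (constructed values, not from the e-mail).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.10.0/24")]
ALLOWED_SHELLS = {"/bin/sh", "/bin/csh", "/usr/sbin/nologin"}
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,15}")
ARG_RE = re.compile(r'\s*"((?:[^"\\]|\\.)*)"\s*(,|$)')

def peer_allowed(addr):
    return any(ipaddress.ip_address(addr) in net for net in TRUSTED_NETS)

def parse_line(line):
    """Split 'VERB "a", "b"' into (verb, [args]); ValueError if malformed."""
    line = line.rstrip("\r\n")
    if len(line) > 512 or any(ord(c) < 32 or ord(c) == 127 for c in line):
        raise ValueError("line too long or contains control characters")
    verb, _, rest = line.strip().partition(" ")
    args, pos, sep = [], 0, ""
    while pos < len(rest):
        m = ARG_RE.match(rest, pos)
        if not m:
            raise ValueError("malformed argument list")
        args.append(re.sub(r"\\(.)", r"\1", m.group(1)))
        pos, sep = m.end(), m.group(2)
    if sep == ",":
        raise ValueError("trailing comma")
    return verb.upper(), args

def handle(peer, line):
    """Return (reply, action); action is (argv, password) for a valid ADDUSER."""
    if not peer_allowed(peer):
        return "550 peer not permitted", None
    try:
        verb, args = parse_line(line)
    except ValueError as e:
        return f"500 {e}", None
    if verb != "ADDUSER":
        return "502 command not implemented", None
    if len(args) != 5:
        return "501 ADDUSER needs 5 arguments", None
    user, password, group, home, shell = args
    if not (NAME_RE.fullmatch(user) and NAME_RE.fullmatch(group)):
        return "501 bad user or group name", None
    if home != f"/home/{user}" or shell not in ALLOWED_SHELLS:
        return "501 home directory or shell not permitted", None
    # argv list (never a shell string); the password goes to pw on stdin via -h 0.
    argv = ["pw", "useradd", "-n", user, "-g", group, "-d", home, "-s", shell, "-h", "0"]
    return "250 ok", (argv, password)
```

The caller would run `argv` without a shell and write the password to the child's standard input, which keeps it out of the process list.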


