Re: start interactive program from shell script
- To: J Moore <jaymo@cullmail.com>
- Subject: Re: start interactive program from shell script
- From: Matt Provost <mprovost@termcap.net>
- Date: Tue, 1 Feb 2005 08:23:56 -0800
- Cc: misc@openbsd.org
- References: <20050130231640.GB16081@kingcull.cullmail.com> <1107140804.28447.2.camel@localhost.localdomain> <20050131043816.GC16081@kingcull.cullmail.com> <dc718edc05013021207b492084@mail.gmail.com> <20050131083525.GA27834@kingcull.cullmail.com>
- User-Agent: Mutt/1.5.4i
On Jan 31 02:35 AM, J Moore wrote:
<snip>
> Certainly... I need to administer a number of remote, embedded systems.
> These embedded systems have two interfaces: serial and ethernet. The
> ethernet interface supports only very limited functionality as the
> embedded systems are based on an 8-bit micro (the "Rabbit" I believe).
> According to the docs, telnet and http only are supported. There is no
> login required for the serial port, and telnet connections have a
> default password of "password". The password can be changed, but the
> default is restored at each reboot :)
>
> So - the security features of the embedded boxes are useless; they add
> nothing. I didn't design the embedded boxes, and they are not going to
> be re-designed anytime soon (in case you're thinking of the obvious
> solution of improving the embedded processor). Of course, security
> dictates the embedded boxes not be "direct connect" to any public
> network.
>
> One thought was to lash a Soekris (or comparable) running OBSD to each
> of the embedded boxes. Another was to use a single Soekris/OBSD at each
> location to act as a firewall/router, and isolate the embedded boxes on
> separate LAN. The best choice I think will depend on the physical
> security of the location, cost and other stuff. Cost and
> wiring/logistics considerations seem to favor a single Soekris/OBSD box
> per location with wifi to link embedded boxes back to the gateway.
>
> I'd actually prefer to use the serial interface to the embedded boxes,
> but this would require some additional hardware for each embedded box.
> In short, I don't see serial interface as a good, general option that'll
> work for all installations.
>
> Requirements for all the installations are still kinda' soft, but the
> telnet interface looks to be the most likely candidate now. So I'm
> trying to cobble something together that will facilitate access to the
> embedded boxes without doing awkward stuff like two logins to get to one
> box.
>
> Any thought or ideas would be appreciated.
>
> Jay
I think in this situation serial seems like a much better idea. I always
run insecure, embedded-type systems and any network gear that doesn't
support SSH over serial instead. I'm not sure what serial hardware you
are talking about that will cost extra - not in comparison to the wifi
network that you are considering as an alternative anyway. Usually you
just buy a multiport serial card and that's it. These days they make
multiport USB serial devices that seem even cheaper but I haven't had
any firsthand experience with them.
Serial keeps insecure machines entirely off any network so you can
control all access from the secure openbsd server. I always use a
program called conserver (/usr/ports/comms/conserver) on the openbsd
server to make accessing the serial ports really easy - it can also do
some authentication for different levels of access etc. Since the serial
ports don't require a password you can just allow access for specific
users from conserver (or even by adjusting the ownership of the serial
ports in /dev).
It seems like the networking option is making things more complex than
they need to be. Maybe there is something complicating the serial
solution that I don't understand, but from here it seems like the way to
go.
Matt
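An added illustration, not from Matt's mail or the conserver project, of the kind of conserver.cf that turns the passwordless serial ports into per-user, logged consoles on the OpenBSD box; console names, device paths, usernames, log path and baud rate are assumed placeholders:

```conf
# conserver.cf on the OpenBSD gateway (assumed layout; all names are placeholders)

# Settings every console inherits unless it overrides them.
default * {
    master localhost;                  # the daemon on this host owns the ports
    logfile /var/log/conserver/&.log;  # "&" expands to the console name
    timestamp 1hab;                    # hourly stamps, plus attach/detach and breaks
}

# One console per Rabbit board on the multiport card. The board asks for no
# login on the wire, so the user lists below are the only gate in front of it.
console rabbit-site1 {
    type device;
    device /dev/cua00;     # OpenBSD call-out device for the first port (assumed)
    baud 9600;
    parity none;
    rw jay;                # full read-write session for the administrator
    ro ops;                # a second account may only watch the output and the log
}

console rabbit-site2 {
    type device;
    device /dev/cua01;
    baud 9600;
    parity none;
    rw jay,matt;
}

# Accept clients from the gateway itself only, so reaching any console means
# first authenticating to sshd on the OpenBSD box; everything else is refused.
access * {
    trusted 127.0.0.1;
}
```

With this in place a user runs `ssh` to the gateway and then `console rabbit-site1`, which replaces the double telnet login Jay wanted to avoid; anyone not named in an rw or ro list is denied that console.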