
Cyclades TS800

From Livedoc - The Documentation Repository
Revision as of 17:28, 15 June 2006 by William Yang (talk | contribs) (Initial edit.)

The Cyclades TS800 appliance runs embedded Linux and provides serial line console access to various machines in the CSL Machine Room. It was originally thought to be an Ethernet mini-switch because of its resemblance to one. It was given to the Syslab as part of the "Morasca gift package" during the 2005-2006 school year. Its FQDN in DNS is serial.sun.tjhsst.edu since its primary job is to provide serial lines to the Sun servers.

While we use it to provide serial line access ("Console Access Server"), the appliance can also be used as a "Terminal Server" (mainframe/greenscreen-type terminals) and "Remote Access Server" (dial-in; modems can be connected).

This model includes 8 RJ-45 RS232 serial ports, as well as 1 RJ-45 RS232 console port (management) and 1 10/100 Ethernet port.

Technical Specifications

  • Server Type:
  • CPU: MPC855T (PowerPC Dual-CPU)
  • RAM: 32 MiB
  • Hard Disks: 4 MiB Flash
  • OS: ? Embedded Linux: kernel 2.2 ?
  • Purchase Date:

Accessing the Console Server

The console server can be accessed via SSHv2 (recommended), SSHv1, telnet, HTTPS, and HTTP. It should be noted that the web interface authenticates separately from the rest of the system, and is only used for administration (although everything can be done on the command line, which is recommended).

To access the console server, SSH to the device as the user "menu". The password should match that of the KVM in the Machine Room. After successfully authenticating, you will be provided with a menu presenting a list of the servers connected to the console server. Pick one, and you will be asked to authenticate again. For security reasons, all console users should have their own ID and password. Also, the console server root user is not allowed to access any serial consoles. In the event that this is necessary, you can access a particular console port by using the generic name for that port (non-plural form; e.g. switch, sun, cluster) as the port username and the system root password (root password for the machine you are trying to access) for the port password.

The console server does support sending a serial break signal (it will translate telnet break).

Configuration

To access the Cyclades for configuration, the web interface is available, or you can SSH to the device as the user root.

The primary configuration file is /etc/portslave/pslave.conf. An improved version of 'vi' (but not quite vim) is available to use for editing. After updating configuration, run 'signal_ras hup' to reset the internal console server program. When you are ready to "preserve" your configuration across power cycles, run 'saveconf' (which will save all files listed in /etc/config_files) into flash memory.

Note that we have heavily modified the portslave configuration file, especially so that ports have real names (vs. ttyS5) and the server is generally more secure. While we do not currently utilize this feature, the Cyclades has the ability to log to an external syslog host (syslog-ng).

Authentication/Security

The Cyclades natively supports many forms of authentication, including LDAP and SecurID tokens (Kerberos not supported at time of writing).

In our configuration, we simply use "local" authentication. Although the appliance supports shadow passwords, we do not currently have them turned on (hashes are stored directly in /etc/passwd). Also, everyone who should have access to a machine connected to the console server should have their own user with shell set to /bin/false (-s /bin/false) and a uid of at least 1001 (-u [uid]). Root/general users should also be created as a fallback (they should have uids less than 1000, but should still have /bin/false as their shell). The guideline for root/general users is that the username should be the non-plural, full machine/machine group name (i.e. "sun", "afs", "fiordland", but not "suns" or "fiord"), and the password should be the machine root password.

A directive in pslave.conf, "all.users ! *", prohibits any user from accessing any port unless explicitly allowed. To keep things clean, we define certain groups for each port, such as "sun_adm" or "cluster_adm". There is also a group, "all_adm", that should always have access to all ports. The "all_adm" group is also privileged in that it is the only group that can use 'sniff' sessions, or, in other words, connect to already connected serial ports, as well as disconnect users that are connected to ports. The console server root user should only be used to modify the configuration, and should also be the only user that can get shell access to the console server. The root user should not be granted access to serial ports.
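The account rules and the default-deny directive described in the two paragraphs above can be checked mechanically. The script below is an added example, not part of the original page or of the Cyclades firmware; the function names, the exemption list for the "menu" user, and all sample accounts (including the shell path /bin/example-menu) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit passwd-format lines and pslave.conf against the policy above.

# audit_passwd FILE [EXEMPT_USERS]: one finding per line, exit status 1 if any.
# EXEMPT_USERS (default "root") may have a shell other than /bin/false.
audit_passwd() {
    awk -F: -v allow=" ${2:-root} " '
    # With shadow passwords off, field 2 of a usable account is the hash itself.
    function has_hash(p) { return (p != "" && p != "x" && p != "*" && p !~ /^!/) }
    /^#/ || NF < 7 { next }
    index(allow, " " $1 " ") || !has_hash($2) { next }   # exempt, or cannot log in
    $7 != "/bin/false" { printf "SHELL %s: shell is %s\n", $1, $7; bad = 1 }
    $3 == 0            { printf "UID0 %s: extra uid-0 account\n", $1; bad = 1 }
    # Personal users need uid >= 1001, fallback users uid < 1000.
    $3 == 1000         { printf "UID %s: uid 1000 fits neither range\n", $1; bad = 1 }
    END { exit bad + 0 }' "$1"
}

# default_deny_set FILE: succeeds only if an uncommented "all.users ! *" exists.
default_deny_set() {
    grep -Eq '^[[:space:]]*all\.users[[:space:]]+![[:space:]]*\*[[:space:]]*(#.*)?$' "$1"
}

# Constructed sample: placeholder hashes, made-up users and menu shell path.
sample_passwd() {
    cat <<'EOF'
root:$1$sample$placeholderhash0:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/:/bin/sh
menu:$1$sample$placeholderhash1:500:500:port menu:/tmp:/bin/example-menu
sun:$1$sample$placeholderhash2:501:501:fallback, Sun consoles:/tmp:/bin/false
alice:$1$sample$placeholderhash3:1001:1001:personal account:/tmp:/bin/false
bob:$1$sample$placeholderhash4:1002:1002:personal account:/tmp:/bin/sh
carol:$1$sample$placeholderhash5:1000:1000::/tmp:/bin/false
EOF
}

# Stand-alone demo on the constructed sample: reports bob (shell) and carol (uid).
demo_file=$(mktemp)
sample_passwd > "$demo_file"
audit_passwd "$demo_file" "root menu" || echo "account policy violations found"
rm -f "$demo_file"
```

On the appliance itself the same functions would be pointed at /etc/passwd and /etc/portslave/pslave.conf before running 'saveconf'.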

Current

Firmware version (upgraded from shipped version): 1.4.0-3

Occupied ports (planned): 7

Associated Equipment

Included in the OEM box:

  • Cyclades TS800 Console Server
  • Modem cable (RJ45 to DB25M)
  • 9-pin serial adapter (cross-over type, DB9F)
  • 25-pin serial adapter (cross-over type, DB25F)
  • 25-pin serial adapter (cross-over type, DB25M)
  • Cisco/Sun Netra pin reconfiguration adapter (RJ45 pass-through)
  • Power cable
  • Operating manual

Other equipment in the CSL that can be used with the Cyclades, but that did not come in the box:

  • 9-pin serial adapter (type unknown, DB9F, previously used for the Cisco Catalyst 4006)
  • 25-pin serial adapter (probably straight-through type, DB25M)

External Links