The Cyclades TS800 (2005/2006 - Present) appliance runs embedded Linux and provides serial line console access to various machines in the CSL Machine Room. It was originally thought to be an Ethernet mini-switch because of its resemblance to one. It was given to the Syslab as part of the "Morasca gift package" during the 2005-2006 school year. Its FQDN in DNS is serial.sun.tjhsst.edu since its primary job is to provide serial lines to the Sun servers.
While we use it to provide serial line access ("Console Access Server"), the appliance can also be used as a "Terminal Server" (mainframe/greenscreen-type terminals) and "Remote Access Server" (dial-in; modems can be connected).
This model includes 8 RJ-45 RS232 serial ports, as well as 1 RJ-45 RS232 console port (management) and 1 10/100 Ethernet port. It is a Cyclades TS800 and had 2 MPC855T CPUs (PowerPC Dual-CPU), 32MB RAM, a 10/100BT NIC, 4MiB flash, and ran Embedded Linux kernel 2.2.14.
Accessing the Console Server
The console server can be accessed via SSHv2 (recommended), SSHv1, telnet, HTTPS, and HTTP. It should be noted that the web interface authenticates separately from the rest of the system, and is only used for administration (although everything can be done on the command line, which is recommended).
To access the console server, SSH to the device as the user "menu". The password should match that of the KVM in the Machine Room. After successfully authenticating, you will be provided with a menu presenting a list of the servers connected to the console server. Pick one, and you will be asked to authenticate again. For security reasons, all console users should have their own ID and password. Also, the console server root user is not allowed to access any serial consoles.
The console server does support sending a serial break signal (it will translate telnet break).
To access the Cyclades for configuration, the web interface is available, or you can SSH to the device as the user root.
The primary configuration file is /etc/portslave/pslave.conf. An improved version of 'vi' (but not quite vim) is available to use for editing. After updating configuration, run 'signal_ras hup' to reset the internal console server program. When you are ready to "preserve" your configuration across power cycles, run 'saveconf' (which will save all files listed in /etc/config_files) into flash memory. In addition to the default list of files, we have added /etc/motd, /root/.profile, and /bin/menush.cfg.
Menush, the default shell we assign to users (see Authentication/Security), is probably the predecessor to ts_menu. We don't use menush for serial line access because it is painfully slow when there are many menu entries to list. It is configured by running menush_cfg, and configuration is stored in /bin/menush.cfg. Menush is only used to allow users to change their passwords (we have defined one menu entry that runs "passwd").
We have heavily modified the portslave configuration file, especially so that ports have real names (vs. ttyS5) and the server is generally more secure. The Cyclades also has the ability to log to an external syslog host (syslog-ng). In addition to the default logging of messages to active root ssh sessions, we are currently forwarding logging to the syslog IP, currently assigned to moon. Note that some log entries will be sent to /var/adm/messages, yet not appear in /var/log/syslog. Other places the device will log to are /var/log/authlog and /var/log/local7. The device can also buffer/save serial port output, locally or to an NFS server, but we don't currently use this feature.
The Cyclades natively supports many forms of authentication, including LDAP and SecurID tokens (Kerberos not supported at time of writing).
As was mentioned above, the account that should be used for accessing serial lines is "menu". This account should be assigned /bin/ts_menu as the shell, and its password should be the same as the KVM password.
In our configuration, we simply use "local" authentication. While capable of using shadow passwords, we do not currently have them turned on (hashes are stored directly in /etc/passwd). Also, everyone that should have access to a machine connected to the console server should have their own user with shell set to /bin/menush.
A directive in pslave.conf, "all.users ! *", prohibits any user from accessing any port unless explicitly allowed. To keep things clean, we define certain groups for each port, such as "sun_adm" or "cluster_adm". There is also a group, "all_adm", that should always have access to all ports. The "all_adm" group is also privileged in that it is the only group that can "tag on" to an already connected session, use 'sniff' sessions (see manual), and disconnect users that are connected to ports. The console server root user should only be used to modify the configuration, and should also be the only user that can get shell access to the console server. The root user should not be granted access to serial ports.
Changing User Passwords
When users are first created by the TS administrator, they will probably be assigned a default password of some sort. In order to allow users to change their own passwords without an administrator being required to login as root first, we have setup all user accounts to use /bin/menush as the login shell. To change your user password, ssh to the serial console as the username you were assigned. After logging in, you will be presented with a menu that will allow you to change your password or exit the SSH session.
Note that after changing a password, the administrator should be notified so that the changes can be saved to flash.
(a.k.a. powering off, shutdown, init 0)
Although this is an appliance and does not contain a hard disk, there is still a recommended process for shutting it down. First, SSH in to the appliance as root and make sure no one else is currently using the device ("w"). Then, run "saveconf" to make sure any configuration and password changes since last saveconf are preserved in flash memory. Run init 0 and wait for the device to power off. Turn the hardware power switch off.
Firmware version (upgraded from shipped version): 1.4.0-3
Included in the OEM box:
- Cyclades TS800 Console Server
- Modem cable (RJ45 to DB25M)
- 9-pin serial adapter(cross-over type, DB9F)
- 25-pin serial adapter(cross-over type, DB25F)
- 25-pin serial adapter(cross-over type, DB25M)
- Cisco/Sun Netra pin reconfiguration adapter(RJ45 pass-through)
- Power cable
- Operating manual
Ordered from Cyclades:
- (7/10/2006) 4x 25-pin serial adapter(cross-over type, DB25M)
- (7/10/2006) 2x 9-pin serial adapter(cross-over type, DB9F)
Other equipment in the CSL that can be used with the Cyclades, but was not part of the OEM package:
- 9-pin serial adapter(type unknown, DB9F, previously used for the Cisco Catalyst 4006)
- 25-pin serial adapter(probably straight-through type, DB25M)
- General information on the TS series on the Cyclades website
- Cyclades Online Store (it seems that this website does not exist any more, it used to be linked to from the above website)