I'm running a number of domU's on a server, each with a console bound to a specific local port. I'd like to provide the users of my domU's with access to the console, but I was wondering how people have been able to do this while limiting access to the console ports. That is, I could provide the users with a shell on the local machine, but then they could telnet into any console port they wanted -- I want them to be only able to telnet into the console port of their domU. Any ideas or suggestions? Thanks.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
> I'm running a number of domU's on a server, each with a
> console bound to a specific local port. I'd like to provide
> the users of my domU's with access to the console, but I was
> wondering how people have been able to do this while limiting
> access to the console ports. That is, I could provide the
> users with a shell on the local machine, but then they could
> telnet into any console port they wanted -- I want them to be
> only able to telnet into the console port of their domU.

You can use ssh's forced command facility to allow suitably authenticated users to connect to the console on a particular vm.

Ian
Stephen Le wrote:
> I'm running a number of domU's on a server, each with a console bound
> to a specific local port. I'd like to provide the users of my domU's
> with access to the console, but I was wondering how people have been
> able to do this while limiting access to the console ports. That is, I
> could provide the users with a shell on the local machine, but then
> they could telnet into any console port they wanted -- I want them to
> be only able to telnet into the console port of their domU.

I vaguely recall iptables in very modern Linux kernels having (experimental?) support for rules that take into account the user attempting the connection.
On 10/16/05, Ian Pratt <m+Ian.Pratt@cl.cam.ac.uk> wrote:
> You can use ssh's forced command facility to allow suitably
> authenticated users to connect to the console on a particular vm.

From what I've read, it appears that SSH's forced command facility only works with public key authentication. Given the difficulties of getting every user to generate an SSH auth key and of managing them, I don't think such a solution would be very practical.

It appears that my best hope is using, as a login shell, a script that calls telnet. The script will determine the UID, look up the appropriate console port, and launch a telnet session (with the escape character disabled). Anybody see anything wrong with that?
On 10/16/05, Stephen Le <zeroion@gmail.com> wrote:
> It appears that my best hope is using, as a login shell, a script that
> calls telnet. The script will determine the UID, look up the
> appropriate console port, and launch a telnet session (with the escape
> character disabled).

I eventually realized that using a simple Perl script to launch "xm console <domU_name>" worked better than using telnet. I disabled SFTP and port forwarding on my SSH daemon, and I instructed my script to die if it was passed any command line arguments in case somebody tried to instruct SSH to execute a command (ex. ssh user@server some_bad_command).
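Below is an added example of the restricted login shell Stephen describes, written as a POSIX sh script rather than his Perl one (it is not code from the thread). It also works unchanged as the `command="..."` forced command in `~/.ssh/authorized_keys` that Ian suggested, because in that mode sshd passes the client's requested command in `SSH_ORIGINAL_COMMAND` instead of as arguments, and the script refuses both. The map file `/etc/xen/console-users`, its `user domU` line format, the install path `/usr/local/sbin/domu-console-shell` and the `DOMU_MAPFILE` override are assumptions made for the example. The identity comes from the real uid (`id -un`), never from `$USER` or argv, and the domU name is whitelisted to `[A-Za-z0-9_.-]` so a bad map entry cannot turn into extra options for `xm`.

```shell
#!/bin/sh
# domu-console-shell: restricted login shell that attaches a user to the
# console of the single domU assigned to them. Added example, not from
# the Xen-users thread; map file path/format and install path are assumed.
#
# Install as the user's login shell:
#   chsh -s /usr/local/sbin/domu-console-shell alice
# or as a forced command in ~alice/.ssh/authorized_keys:
#   command="/usr/local/sbin/domu-console-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...
# In sshd_config, also set "AllowTcpForwarding no" and drop the
# "Subsystem sftp" line so the account offers nothing but the console.

# Map file, one "username domU-name" pair per line (assumed location).
MAPFILE="${DOMU_MAPFILE:-/etc/xen/console-users}"

# Succeed only when no command was smuggled in. sshd runs "$SHELL -c cmd"
# for "ssh host cmd" (so we see "-c cmd" as arguments); when we are the
# forced command it sets SSH_ORIGINAL_COMMAND instead. Refuse both.
reject_command() {
    if [ $# -ne 0 ] || [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        return 1
    fi
    return 0
}

# Print the domU name mapped to user $1 in map file $2 (default $MAPFILE).
# Fails when the user has no entry or the entry contains characters we
# are not willing to pass to xm.
lookup_domu() {
    map_user=$1
    map_file=${2:-$MAPFILE}
    awk -v u="$map_user" '
        $1 == u && $2 ~ /^[A-Za-z0-9_.-]+$/ { print $2; found = 1; exit }
        END { exit !found }
    ' "$map_file"
}

main() {
    if ! reject_command "$@"; then
        echo "This account provides console access only; commands are not accepted." >&2
        exit 1
    fi
    # Identity from the real uid of the session, not from anything the client controls.
    login_user=$(id -un)
    domu=$(lookup_domu "$login_user" "$MAPFILE") || {
        echo "No console assigned to $login_user" >&2
        exit 1
    }
    # exec so that detaching from the console (Ctrl-]) ends the session
    # instead of dropping back into this script.
    exec xm console "$domu"
}

# Only attach when actually installed under the expected name; lets the
# functions be sourced for testing without touching xm.
case "$0" in
    */domu-console-shell|domu-console-shell) main "$@" ;;
esac
```

The `case "$0"` guard is what lets the lookup and argument checks be exercised without a Xen host: sourced under any other name, the file defines the functions and does nothing else.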