CONSERVER(8) | conserver | CONSERVER(8) |
conserver - console server daemon
conserver [-7dDEFhinoRSuvV] [-a type] [-m max] [-M master] [-p port] [-b port] [-c cred] [-C config] [-P passwd] [-L logfile] [-O min] [-U logfile]
Conserver is the daemon that manages remote access to system consoles by multiple users via the console(1) client program and (optionally) log the console output. It can connect to consoles via local serial ports, Unix domain sockets, TCP sockets (for terminal servers and the like), or any external program.
When started, conserver reads the conserver.cf(5) file for details of each console. The console type, logging options, serial or network parameters, and user access levels are just a few of the things that can be specified. Command-line options are then applied, possibly overriding conserver.cf(5) settings. Conserver categorizes consoles into two types: those it should actively manage, and those it should just know about, so it can refer clients to other conserver instances. If the master value of a console matches the hostname or ip address of the local machine, conserver will actively manage the console. Otherwise, it's considered a ``remote'' console and managed by a different server. Conserver forks a child for each group of consoles it must manage and assigns each process a port number to listen on. The maximum number of consoles managed by each child process is set using the -m option. The console(1) client program communicates with the master console server process to find the port (and host, in a multi-server configuration) on which the appropriate child is listening. Conserver restricts connections from clients based on the host access section of its conserver.cf(5) file, restricts users based on the console access lists of the conserver.cf(5) file, and authenticates users against its conserver.passwd(5) file. Conserver can also restrict clients using the tcp-wrappers package (enabled using --with-libwrap). This authentication is done before consulting the conserver.cf(5) access list.
When Unix domain sockets are used between the client and server (enabled using --with-uds), authentication checks are done on the hardcoded address ``127.0.0.1''. Automatic client redirection is also disabled (as if the -R option was used) since the client cannot communicate with remote servers. The directory used to hold the sockets is checked to make sure it's empty when the server starts. The server will not remove any files in the directory itself, just in case the directory is accidentally specified as ``/etc'' or some other critical location. The server will do its best to remove all the sockets when it shuts down, but it could stop ungracefully (crash, ``kill -9'', etc) and leave files behind. It would then be up to the admin (or a creative startup script) to clean up the directory before the server will start again.
Conserver completely controls any connection to a console. All escape sequences given by the user to console are passed to the server without interpretation. The server recognizes and processes all escape sequences.
The conserver parent process will automatically respawn any child process that dies. The following signals are propagated by the parent process to its children.
Consoles which have no current client connection might produce important error messages. With the -u option, these ``unloved'' errors are labeled with a machine name and output on stdout (or, in daemon mode, to the logfile). This allows a live operator or an automated log scanner to find otherwise unseen errors by watching in a single location.
Conserver must be run as root if it is to bind to a port under 1024 or if it must read protected password files (like shadow passwords) for authentication (see conserver.passwd(5)). Otherwise, it may be run by any user, with -p used to specify a port above 1024.
If encryption has been built into the code (--with-openssl), encrypted client connections (without certificate exchanges) happen by default. To add certificate exchanges, use the -c option with the client and server. For authentication of the certificates to work, the signing certificate must be properly trusted, which usually means the public portion is in OPENSSL_ROOT/ssl/certs (on both the client and server sides). See the sample self-signing certificate making script contrib/maketestcerts for further clues. To allow non-encrypted client connections (in addition to encrypted client connections), use the -E option.
Options may be given as separate arguments (e.g., -n -d) or clustered (e.g., -nd). Options and their arguments may be separated by optional white space. Option arguments containing spaces or other characters special to the shell must be quoted.
The protocol used to interact with the conserver daemon has two basic styles. The first style is the initial line-based mode, which occurs before connecting to a console. The second style is the character-based, escape-sequence mode, while connected to a console.
The initial line-based mode begins the same for both the master process and its children. Upon a successful (non-rejected) client connection, an ``ok'' is sent. The client then issues a command and the server responds to it with a result string (``ok'' being the sign of success for most commands). The commands available are ``help'', ``ssl'' (if SSL was built into the code), ``login'', and ``exit''. Using the ``login'' command, the client authenticates and gains access to the extended command set. This is where the master process and its children differ. The master process gives the client access to global commands, and the child provides commands for interacting with the consoles it manages. The ``help'' command, in both cases, will provide a complete list of commands and a short description of what they do.
The second, character-based, style of interaction occurs when the client issues the ``call'' command with a child process. This command connects the client to a console and, at that point, relays all traffic between the client and the console. There is no more command-based interaction between the client and the server, any interaction with the server is done with the default escape sequence.
This is, by no means, a complete description of the entire client/server interaction. It is, however, a brief explanation in order to give a idea of what the program does. See the PROTOCOL file in the distribution for further details.
The following default file locations may be overridden at compile time or by the command-line options described above. Run conserver -V to see the defaults set at compile time.
Additionally, output from individual consoles may be logged to separate files specified in conserver.cf(5).
I'm sure there are bugs, I just don't know where they are. Please let me know if you find any.
Thomas A. Fine, Ohio State Computer Science
Kevin S Braunsdorf, Purdue University Computing Center
Bryan Stansell, conserver.com
2020/10/19 | conserver-8.2.6 |