At some point logging into a bastion host to run Minicom becomes tiring. You really want a console server so you can access the serial console from your workstation. The prime candidate in Linux is conserver. Unfortunately the instructions to set it up are quite obscure, so this posting demonstrates conserver on Fedora 20.
Installing conserver
Conserver ships as two packages: conserver-client, to be installed on every machine which wants to use the console server; and conserver, the console server itself, to be installed on the serving machine.
client$ sudo yum install conserver-client
server$ sudo yum install conserver conserver-client
Server configuration: system aspects
Edit /etc/hosts.allow to permit and restrict access to conserver. This example allows global access:
conserver: ALL
Add a group to control access to the serial consoles. This example uses "conserverin":
server$ sudo groupadd -r conserverin
Add each user you want to be able to use the serial consoles to that group:
server$ sudo usermod -a -G conserverin vk5tu
Add a PAM module to allow conserver to check passwords. Add a file /etc/pam.d/conserver containing:
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_shells.so
auth required pam_securetty.so
auth required pam_listfile.so item=user sense=deny file=/etc/security/conserver/blacklist.conf onerr=succeed
auth include password-auth
account required pam_nologin.so
account include password-auth
session required pam_loginuid.so
session include password-auth
Server configuration: Conserver aspects
Now for the main event, the configuration of the conserver daemon itself.
Tell conserver to use PAM for password authentication by having /etc/conserver.passwd consist solely of:
*any*:*passwd*
The remaining configuration is in /etc/conserver.cf. The configuration phrases are documented in the manual page conserver.cf(5).
We will configure two serial consoles: for /dev/ttyrouter and /dev/ttyswitch. A previous posting [1] discusses setting up symlinks for serial devices so we don't hardcode possibly-changing port numbers. These devices are RS-232 serial consoles with all control and handshake lines present and correct, as discussed in previous postings [2], [3] about RS-232 cabling. These days serial consoles typically run at 9 600bps, 8 data bits, no parity, 1 stop bit-time, although there is a trend towards running at the fastest speed supported by the UART, typically 115 200bps.
Firstly, let's set the scene:
config * {
autocomplete no;
# Prompt for userid and password.
defaultaccess allowed;
sslrequired yes;
}
group congroup {
users @conserverin;
}
Secondly, let's define an RS-232 device with typical serial terminal settings:
break 1 {
# \z is RS-232 break signal.
string "\z";
}
default condefault {
baud 9600;
# Only one allowable type of break, the RS-232 break.
break 1;
breaklist 1;
# A serial TTY in /dev
type device;
master localhost;
motd "Press Ctrl+E c . to exit";
# No XON/XOFF handshaking, CTS/RTS handshaking, send SIGHUP on loss of DCD,
# drop all control lines until someone wants to use the terminal.
options !ixon, !ixoff, crtscts, hupcl, ondemand;
parity none;
# Copy bytes from console exactly.
protocol raw;
rw congroup;
# Log connections, disconnections and use of break.
timestamp a b;
}
Finally, let's configure each serial console:
console router {
include condefault;
device /dev/ttyrouter;
}
console switch {
include condefault;
device /dev/ttyswitch;
}
Conserver has one very nice feature. It can record console traffic which appears when no one is logged in. So if you have a test farm for testing embedded devices then conserver can catch any console output, such as a kernel crash. This "options" line will do the job:
default condefault {
…
options !ixon, !ixoff, crtscts, hupcl, unloved, reinitoncc;
…
}
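The conserver.cf structure above (blocks of the form type name { keyword value; }, with a console pulling in a default via include and overriding whatever it restates) is simple enough to check mechanically. The following is an added example, not code from this post or from conserver: it parses a constructed sample written in the same style, resolves include precedence, and flags the settings a reviewer would look at first (sslrequired, defaultaccess trusted, consoles with no rw/ro list, and consoles that do not capture unattended output with unloved).

```python
import re
# Constructed sample in the style of the conserver.cf above; not the post's full file.
SAMPLE_CF = '''
config * {
    defaultaccess allowed;   # prompt for userid and password
    sslrequired yes;
}
default condefault {
    motd "Press Ctrl+E c . to exit";
    options !ixon, !ixoff, crtscts, hupcl, ondemand;
    rw congroup;
}
console router {
    include condefault;
    device /dev/ttyrouter;
}
console switch {
    include condefault;
    device /dev/ttyswitch;
    options !ixon, !ixoff, crtscts, hupcl, unloved, reinitoncc;
}
'''
BLOCK_RE = re.compile(r"(\w+)\s+(\S+)\s*\{(.*?)\}", re.S)  # type name { body }
def parse_cf(text):
    """Parse conserver.cf blocks into {block_type: {name: {keyword: value}}}."""
    blocks = {}
    for btype, name, body in BLOCK_RE.findall(re.sub(r"#[^\n]*", "", text)):
        stmts = [s.split(None, 1) for s in body.split(";") if s.strip()]
        blocks.setdefault(btype, {})[name] = {
            p[0]: (p[1].strip().strip('"') if len(p) > 1 else "") for p in stmts}
    return blocks
def effective(blocks, btype, name):
    """Resolve 'include <default>' recursively; the block's own keywords win."""
    own = blocks[btype][name]
    base = effective(blocks, "default", own["include"]) if "include" in own else {}
    return {**base, **{k: v for k, v in own.items() if k != "include"}}
def audit(blocks):
    """Flag settings a reviewer of this file would want to look at."""
    findings, cfg = [], blocks.get("config", {}).get("*", {})
    if cfg.get("sslrequired") != "yes":
        findings.append("config: sslrequired is not 'yes'")
    if cfg.get("defaultaccess") == "trusted":
        findings.append("config: defaultaccess trusted skips the password prompt")
    for name in blocks.get("console", {}):
        s = effective(blocks, "console", name)
        if not (s.get("rw") or s.get("ro")):
            findings.append(f"console {name}: no rw/ro user list")
        if "unloved" not in [o.strip() for o in s.get("options", "").split(",")]:
            findings.append(f"console {name}: unattended output not captured (no 'unloved')")
    return findings
```

Run audit(parse_cf(open("/etc/conserver.cf").read())) against a real file; on the sample only the router console is reported, because the switch console overrides the inherited options line with one containing unloved.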
Client configuration
On each client, including on the server, add a configuration file /etc/console.cf containing:
config * {
master server.example.edu.au;
sslrequired yes;
}
If you want to be fancy you can set the XTerm title to show which serial console you are connected to:
terminal xterm-256color {
attach "^[]0;U@C^G";
attachsubst U=us,C=cs;
}
terminal xterm {
attach "^[]0;U@C^G";
attachsubst U=us,C=cs;
}
Client use
From a machine with the client installed, run console followed by the console name, such as:
client$ console router
Enter vk5tu@server.example.edu.au's password: uJLOG7Z79zk0ivAehipZhuZ6
[Enter `^Ec?' for help]
[-- MOTD -- Press Ctrl+E c . to exit]
Router>
Server configuration: further features
This conserver configuration uses SSL with temporary certificates. It is a much better idea to set up your own certificate authority and issue server and client keys. Then you can allow global network access to conserver whilst still controlling which clients can connect. Clients also have the reassurance that the correct server has been connected to, prior to prompting users for their name and password.
Date: 2014-06-21 05:04 (UTC)