Enabling all available ttys if available console


Glen Barber-6
Hi,

For several months now, I have been contemplating enabling all active
ttys on the system by 1) changing the defaults from std.9600 to 3wire,
and 2) setting ttyu{0,1,2,3} from 'off' to 'onifconsole'.

The only drawback to doing this that I can think of is it could open
a potential attack vector, however this would require physical access to
the system.

The benefit to doing this is the system would be accessible via ttys
other than ttyu0 by default, which unless there is someone with local
access to the system, is painful for administrators to gain console
access remotely by default.

Are there objections to changing the default, or have I missed something
larger in this proposed change?

Thanks in advance.

Glen


Re: Enabling all available ttys if available console

Glen Barber-6
On Mon, Oct 19, 2015 at 05:12:15PM +0000, Glen Barber wrote:

> Hi,
>
> For several months now, I have been contemplating enabling all active
> ttys on the system by 1) changing the defaults from std.9600 to 3wire,
> and 2) setting ttyu{0,1,2,3} from 'off' to 'onifconsole'.
>
> The only drawback to doing this that I can think of is it could open
> a potential attack vector, however this would require physical access to
> the system.
>
> The benefit to doing this is the system would be accessible via ttys
> other than ttyu0 by default, which unless there is someone with local
> access to the system, is painful for administrators to gain console
> access remotely by default.
>
> Are there objections to changing the default, or have I missed something
> larger in this proposed change?
>
I should have also added that the change I propose is the default for
all architectures except amd64, i386, pc98, and mips.  This would
effectively enable the same behavior across all architectures.

Glen


Re: Enabling all available ttys if available console

Baptiste Daroussin-2
In reply to this post by Glen Barber-6
On Mon, Oct 19, 2015 at 05:12:15PM +0000, Glen Barber wrote:

> Hi,
>
> For several months now, I have been contemplating enabling all active
> ttys on the system by 1) changing the defaults from std.9600 to 3wire,
> and 2) setting ttyu{0,1,2,3} from 'off' to 'onifconsole'.
>
> The only drawback to doing this that I can think of is it could open
> a potential attack vector, however this would require physical access to
> the system.
>
> The benefit to doing this is the system would be accessible via ttys
> other than ttyu0 by default, which unless there is someone with local
> access to the system, is painful for administrators to gain console
> access remotely by default.
>
> Are there objections to changing the default, or have I missed something
> larger in this proposed change?
>
> Thanks in advance.
>
> Glen
>
That would save a lot of pain in production servers, where different
manufacturers means different ports available etc.

Big +1 for me.

best regards,
Bapt

Re: Enabling all available ttys if available console

John-Mark Gurney-2
In reply to this post by Glen Barber-6
Glen Barber wrote this message on Mon, Oct 19, 2015 at 17:12 +0000:

> For several months now, I have been contemplating enabling all active
> ttys on the system by 1) changing the defaults from std.9600 to 3wire,
> and 2) setting ttyu{0,1,2,3} from 'off' to 'onifconsole'.
>
> The only drawback to doing this that I can think of is it could open
> a potential attack vector, however this would require physical access to
> the system.
>
> The benefit to doing this is the system would be accessible via ttys
> other than ttyu0 by default, which unless there is someone with local
> access to the system, is painful for administrators to gain console
> access remotely by default.
>
> Are there objections to changing the default, or have I missed something
> larger in this proposed change?
>
> Thanks in advance.

Please do this.

--
  John-Mark Gurney Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "[hidden email]"
Re: Enabling all available ttys if available console

Mark Felder
In reply to this post by Glen Barber-6


On Mon, Oct 19, 2015, at 12:12, Glen Barber wrote:

> Hi,
>
> For several months now, I have been contemplating enabling all active
> ttys on the system by 1) changing the defaults from std.9600 to 3wire,
> and 2) setting ttyu{0,1,2,3} from 'off' to 'onifconsole'.
>
> The only drawback to doing this that I can think of is it could open
> a potential attack vector, however this would require physical access to
> the system.
>
> The benefit to doing this is the system would be accessible via ttys
> other than ttyu0 by default, which unless there is someone with local
> access to the system, is painful for administrators to gain console
> access remotely by default.
>
> Are there objections to changing the default, or have I missed something
> larger in this proposed change?
>
> Thanks in advance.
>
> Glen
>

I hate later finding that serial console isn't working... I also would
appreciate it.


--
  Mark Felder
  ports-secteam member
  [hidden email]

Re: Enabling all available ttys if available console

Devin-2
In reply to this post by John-Mark Gurney-2

> On Oct 19, 2015, at 11:51 AM, John-Mark Gurney <[hidden email]> wrote:
>
> Glen Barber wrote this message on Mon, Oct 19, 2015 at 17:12 +0000:
>> For several months now, I have been contemplating enabling all active
>> ttys on the system
>
> Please do this.
>

+1


Re: Enabling all available ttys if available console

Glen Barber-6
In reply to this post by Glen Barber-6
On Mon, Oct 19, 2015 at 05:12:15PM +0000, Glen Barber wrote:

> For several months now, I have been contemplating enabling all active
> ttys on the system by 1) changing the defaults from std.9600 to 3wire,
> and 2) setting ttyu{0,1,2,3} from 'off' to 'onifconsole'.
>
> The only drawback to doing this that I can think of is it could open
> a potential attack vector, however this would require physical access to
> the system.
>
> The benefit to doing this is the system would be accessible via ttys
> other than ttyu0 by default, which unless there is someone with local
> access to the system, is painful for administrators to gain console
> access remotely by default.
>
> Are there objections to changing the default, or have I missed something
> larger in this proposed change?
>
Based on the replies so far, unless there are no objections by tomorrow,
I'll commit the change.

Thanks to everyone who replied.

Glen



Re: Enabling all available ttys if available console

Warner Losh
On Mon, Oct 19, 2015 at 3:00 PM, Glen Barber <[hidden email]> wrote:

> On Mon, Oct 19, 2015 at 05:12:15PM +0000, Glen Barber wrote:
> > For several months now, I have been contemplating enabling all active
> > ttys on the system by 1) changing the defaults from std.9600 to 3wire,
> > and 2) setting ttyu{0,1,2,3} from 'off' to 'onifconsole'.
> >
> > The only drawback to doing this that I can think of is it could open
> > a potential attack vector, however this would require physical access to
> > the system.
> >
> > The benefit to doing this is the system would be accessible via ttys
> > other than ttyu0 by default, which unless there is someone with local
> > access to the system, is painful for administrators to gain console
> > access remotely by default.
> >
> > Are there objections to changing the default, or have I missed something
> > larger in this proposed change?
> >
>
> Based on the replies so far, unless there are no objections by tomorrow,
> I'll commit the change.
>
> Thanks to everyone who replied.


Any chance we can move the tip entries from 9600 to 115200 too for the
other direction?

Warner

Re: Enabling all available ttys if available console

Glen Barber-6
On Mon, Oct 19, 2015 at 05:09:45PM -0600, Warner Losh wrote:

> On Mon, Oct 19, 2015 at 3:00 PM, Glen Barber <[hidden email]> wrote:
>
> > On Mon, Oct 19, 2015 at 05:12:15PM +0000, Glen Barber wrote:
> > > For several months now, I have been contemplating enabling all active
> > > ttys on the system by 1) changing the defaults from std.9600 to 3wire,
> > > and 2) setting ttyu{0,1,2,3} from 'off' to 'onifconsole'.
> > >
> > > The only drawback to doing this that I can think of is it could open
> > > a potential attack vector, however this would require physical access to
> > > the system.
> > >
> > > The benefit to doing this is the system would be accessible via ttys
> > > other than ttyu0 by default, which unless there is someone with local
> > > access to the system, is painful for administrators to gain console
> > > access remotely by default.
> > >
> > > Are there objections to changing the default, or have I missed something
> > > larger in this proposed change?
> > >
> >
> > Based on the replies so far, unless there are no objections by tomorrow,
> > I'll commit the change.
> >
> > Thanks to everyone who replied.
>
>
> Any chance we can move the tip entries from 9600 to 115200 too for the
> other direction?
>
I don't see why not.

Glen



Re: Enabling all available ttys if available console

Ed Schouten-6
In reply to this post by Glen Barber-6
Hi Glen,

Sorry for the late reply.

2015-10-19 19:12 GMT+02:00 Glen Barber <[hidden email]>:
> Are there objections to changing the default, or have I missed something
> larger in this proposed change?

Quick question: how are you going to deal with TTYs that are hooked up
to null modem cables? As in, if you would hook up two systems to each
other that have such a configuration, you'll likely see that the
gettys start spamming each other.

--
Ed Schouten <[hidden email]>
Nuxi, 's-Hertogenbosch, the Netherlands
KvK-nr.: 62051717

Re: Enabling all available ttys if available console

Ed Schouten-6
2015-10-28 7:42 GMT+01:00 Ed Schouten <[hidden email]>:
> Quick question: how are you going to deal with TTYs that are hooked up
> to null modem cables? As in, if you would hook up two systems to each
> other that have such a configuration, you'll likely see that the
> gettys start spamming each other.

Oh, wait. You're using 'onifconsole', so the getty will only actually
work if you add it to the console list. Sounds good. :-)

--
Ed Schouten <[hidden email]>
Nuxi, 's-Hertogenbosch, the Netherlands
KvK-nr.: 62051717
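
An added example, not part of the thread or of FreeBSD's own code: a small sh/awk audit of a ttys(5) file that reports, for each ttyuN line, the gettytab entry, the status keyword, whether a login getty would actually run given the active console list (the 'onifconsole' behaviour discussed above), and whether root login is permitted (`secure`). The sample file contents and the console list passed in are constructed for illustration.

```sh
#!/bin/sh
# Added example: list serial lines in a ttys(5) file and whether init
# would start a login getty on them.
#
# audit_ttys FILE CONSOLES
#   FILE      a ttys(5) file, normally /etc/ttys ("-" reads stdin)
#   CONSOLES  comma-separated active kernel console devices, passed in
#             so the example runs offline (assumption: e.g. "ttyv0,ttyu0")
audit_ttys() {
    awk -v consoles="$2" '
    BEGIN { n = split(consoles, c, ","); for (i = 1; i <= n; i++) active[c[i]] = 1 }
    $1 ~ /^ttyu[0-9]+$/ {
        name = $1; line = $0; getty = "-"; status = "off"; root = "no"
        sub(/#.*$/, "", line)                      # drop trailing comment
        if (match(line, /"[^"]*"/)) {              # quoted getty command
            nf = split(substr(line, RSTART + 1, RLENGTH - 2), part, " ")
            getty = part[nf]                       # gettytab entry, e.g. 3wire
            line = substr(line, RSTART + RLENGTH)  # keep type and flags only
        }
        nf = split(line, flag, /[ \t]+/)
        for (i = 1; i <= nf; i++) {
            if (flag[i] ~ /^(on|off|onifconsole)$/) status = flag[i]
            if (flag[i] == "secure") root = "yes"  # root may log in on this line
        }
        # onifconsole behaves like "on" only for an active console device
        login = (status == "on" || (status == "onifconsole" && (name in active))) ? "yes" : "no"
        printf "%s getty=%s status=%s login=%s root=%s\n", name, getty, status, login, root
    }' "$1"
}

# Constructed sample: ttyu0/ttyu1 use the proposed defaults, ttyu2 the old ones.
sample_ttys() {
    cat <<'EOF'
# name  getty                           type    status
ttyv0   "/usr/libexec/getty Pc"         xterm   on  secure
ttyu0   "/usr/libexec/getty 3wire"      vt100   onifconsole secure
ttyu1   "/usr/libexec/getty 3wire"      vt100   onifconsole secure
ttyu2   "/usr/libexec/getty std.9600"   dialup  off secure
EOF
}

# Demo: only ttyu0 is an active console, so only it gets a login prompt.
sample_ttys | audit_ttys - "ttyv0,ttyu0"
```

Lines reported with `login=yes root=yes` are the ones where physical access to the port reaches a root-capable login prompt; removing `secure` from such a line in /etc/ttys stops direct root logins there.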