Koozali.org: home of the SME Server

remote e-smith-manager access failure

Sergei Slobodov

remote e-smith-manager access failure
« on: February 16, 2001, 03:48:05 AM »
I am trying to set up a way to manage an e-smith gateway/server remotely from my home machine somewhere on the internet. I added the IP of my home machine to the "local network" list under remote administration. This allowed me to authenticate myself from that machine on port 980, but I can't get much further, because there is no menu on the left-hand side. http source shows that the menu frame has ip addresses of the internal network (e.g. 192.168.0.1), not names like e-smith.mydomain.com, and those obviously are not accessible from outside.

It's quite clear that I'm doing something wrong, but what is it? How do I allow e-smith management from a specific outside IP address? Can it be done with SSL to avoid snoopers? Should I use ssh? Please help me out!

For now, I work around by enabling local telnet access and running text-mode browser after logging in as admin, but I'm sure this is not the way it was intended...


Regards,
Sergei Slobodov

Boris

Re: remote e-smith-manager access failure
« Reply #1 on: February 16, 2001, 10:06:54 AM »
Don't "authenticate yourself", log in as "admin"

Jason Miller

Re: remote e-smith-manager access failure
« Reply #2 on: February 16, 2001, 05:12:11 PM »
> I added the IP of my home machine to the "local network" list
> under remote administration. This allowed me to authenticate
> myself from that machine on port 980, but I can't get much
> further, because there is no menu on the left-hand side. http
> source shows that the menu frame has ip addresses of the
> internal network (e.g. 192.168.0.1), not names like
> e-smith.mydomain.com, and those obviously are not accessible
> from outside.

Please don't do this.  The local networks is meant to be for *local* networks.  You're opening up a whole can of security worms by making an external ip *local*.

> It's quite clear that I'm doing something wrong, but what is it?
> How do I allow e-smith management from a specific outside IP
> address? Can it be done with SSL to avoid snoopers? Should I
> use ssh? Please help me out!

Yes.  Use ssh.  Actually, better yet, use e-smith 4.1 which was released on Monday: it already has ssh built in.  Plus the manager is built into the console menu (in lynx format).  Once you learn ssh, you can also learn about port forwarding and therefore allow yourself to see the e-smith manager as if you were right there on site.  Additional remote administration could also be achieved with the PPTP VPN settings also available in 4.1.

> For now, I work around by enabling local telnet access and
> running text-mode browser after logging in as admin, but I'm
> sure this is not the way it was intended...

It somewhat is, except the telnet part.  We don't like telnet, so we added ssh ability to the remote connections settings in the manager.  During testing of 4.1 we found the text-mode browser to be highly useful (since it is right there on the menu).

Jason

Sergei Slobodov

Re: remote e-smith-manager access failure
« Reply #3 on: February 17, 2001, 05:13:58 AM »
Jason Miller wrote:

> Please don't do this.  The local networks is meant to be for
> *local* networks.  You're opening up a whole can of security
> worms by making an external ip *local*.

I use the GnatBox firewall a fair bit, and it has the ability to restrict services based on source IP address, which prevents most attempts to break in through telnet and ftp ports, as well as unauthorized privileged web access. I hoped to achieve the same goal by making a specific external IP local.

Yeah, I know, e-smith is not a 100% firewall, but it's darn close, as far as I can tell...

> settings in the manager.  During testing of 4.1 we found the
> text-mode browser to be highly useful (since it is right
> there on the menu).

Except for the "backup to desktop" part, which doesn't work with lynx, and it would not be useful on a local console (or over ssh), anyway.

I'd much rather have an SSL (maybe even with two-way authentication) access from a select internet address to the configuration tool.

Sergei
>
> Jason

Jason Miller

Re: remote e-smith-manager access failure
« Reply #4 on: February 17, 2001, 11:05:16 PM »
> I'd much rather have an SSL (maybe even with two-way
> authentication) access from a select internet address to the
> configuration tool.

We're already thinking along those same lines actually.  We came close to putting the e-smith manager available on SSL into the 4.1 release but it never made it in due to time and resource limitations.

So it's definitely a priority and should make it into the product in a future version.  And we'll all benefit from that :>

Jay

Sergei Slobodov

Re: remote e-smith-manager access failure
« Reply #5 on: February 21, 2001, 06:53:54 PM »
I'm still wondering: how do I perform "backup to desktop" with text-mode-only admin access?

Jason Miller

Re: remote e-smith-manager access failure
« Reply #6 on: February 21, 2001, 07:12:36 PM »
You can't.  The text mode browser administrative menu is running directly on the server, therefore *not* on any client machine which means it has no idea where you are connecting from to send the backup file to.

So if you could make lynx (the tool actually showing the e-smith webmanager in text mode) grab the file, the best you could do is to back it up directly onto the server, which is not overly useful.

You can only do the 'backup to desktop' from a desktop on the network that has web browser capabilities.  That's the point of the 'to desktop' part of the function.

Regards,

Jay

Scott Smith

Re: remote e-smith-manager access failure
« Reply #7 on: February 21, 2001, 07:34:57 PM »
Sorry, but that is not true. All of my systems manage the backup from the console using the lynx browser, and the backups are made to a floppy.

You can add a DOWNLOADER option to the lynx.cfg file, which basically defines a new program that can be executed from the lynx download screen, and do whatever you want with the download (i.e., the e-smith backup file). I've used this feature of lynx on my systems to implement, among other things:

1. The normal e-smith backup that is "downloaded" is stored to a floppy.

2. Some additional stuff I put on the server is also tarred, compressed, and backed up to the floppy.

3. A custom restore program is put on the floppy that knows how to restore both of the above files.

There is no reason the above approach could not be expanded to handle multiple floppies, ftp upload of a backup to another system, backup to tape, etc.

Now for the downside. While the lynx browser does support an UPLOADER option via the config file, IT DOES NOT WORK UNDER LINUX. Bummer.
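
The DOWNLOADER mechanism described in the post above, as an added example that is not part of the original post and is not Scott Smith's script: a handler that lynx could call to store the downloaded backup on an already-mounted floppy. The script path, the `/mnt/floppy` mount point, the menu label and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Hypothetical lynx.cfg entry that would call this script:
#   DOWNLOADER:Save backup to floppy:/usr/local/sbin/store-backup %s %s /mnt/floppy:TRUE
# lynx replaces the first %s with its temporary download file and the second
# with the file name typed at the download prompt.

# store_backup SRC NAME DEST_DIR
# Returns 0 ok, 2 bad arguments, 3 unsafe name, 4 not enough space, 5 copy failed.
store_backup() {
    src=$1 name=$2 dest=$3
    [ -f "$src" ] && [ -d "$dest" ] || return 2

    # NAME is typed at a prompt: accept a plain file name only, so it cannot
    # leave DEST_DIR (slashes, "..") or be parsed as an option (leading "-").
    case $name in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 3 ;;
    esac

    # Refuse a copy that cannot fit on the target before writing anything.
    need_kb=$(( ($(wc -c < "$src") + 1023) / 1024 ))
    free_kb=$(df -Pk "$dest" | awk 'NR==2 {print $4}')
    [ "$free_kb" -ge "$need_kb" ] || return 4

    # The backup holds account and configuration data, so it is created
    # owner-only, compared with the source, then renamed into place.
    (
        umask 077
        cp -- "$src" "$dest/$name.part" || exit 5
        cmp -s "$src" "$dest/$name.part" || exit 5
        mv -- "$dest/$name.part" "$dest/$name" || exit 5
    ) || { rm -f -- "$dest/$name.part"; return 5; }
}

# Entry point when lynx runs the script with its three arguments.
if [ "$#" -eq 3 ]; then
    store_backup "$@"
    exit $?
fi
```
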

Sergei Slobodov

Re: remote e-smith-manager access failure
« Reply #8 on: February 21, 2001, 08:32:17 PM »
How do you restore the configuration then?

Scott Smith wrote:
>
> Now for the downside. While the lynx browser does support an
> UPLOADER option via the config file, IT DOES NOT WORK UNDER
> LINUX. Bummer.

Scott Smith

Re: remote e-smith-manager access failure
« Reply #9 on: February 21, 2001, 11:01:54 PM »
Since I back up to a floppy (in the server), part of what I have the downloader program do is copy a restore script to the floppy. No, it doesn't allow me to kick off the restore from the web manager, but since the restore would be from the console anyway, it is easy enough to log in as root, mount the floppy, and run the restore script.

If you wanted to restore via the web manager, you could define a new panel that would know how to run your restore, be it from floppy or tape or ftp or whatever.

Charlie Brady

Re: remote e-smith-manager access failure
« Reply #10 on: February 21, 2001, 11:34:16 PM »
Scott Smith wrote:

> Sorry, but that is not true. All of my systems manage the
> backup from the console using the lynx browser, and the
> backups are made to a floppy.

It may not be always true, but it is true in general. It will be a rare case when it is possible to fit a complete system backup onto a floppy disk.

Charlie

Scott Smith

Re: remote e-smith-manager access failure
« Reply #11 on: February 21, 2001, 11:37:37 PM »
Sorry, but you've taken my comment somewhat out of context. I was referring to this comment by Jason Miller:

> You can't.  The text mode browser administrative menu is
> running directly on the server, therefore *not* on any client
> machine which means it has no idea where you are connecting
> from to send the backup file to.

This is in reference to being able to direct the destination of the backup, not to whether or not the backup will fit on a floppy.

Charlie Brady

Re: remote e-smith-manager access failure
« Reply #12 on: February 21, 2001, 11:44:26 PM »
Scott Smith wrote:
 
> Sorry, but you've taken my comment somewhat out of context. I
> was referring to this comment by Jason Miller:
>
> > You can't.  The text mode browser administrative menu is
> > running directly on the server, therefore *not* on any client
> > machine which means it has no idea where you are connecting
> > from to send the backup file to.
>
> This is in reference to being able to direct the destination
> of the backup, not to whether or not the backup will fit on a
> floppy.

Sorry if I misrepresented your statement.

It *is* possible to backup from the text mode browser administrative menu. However it is rarely useful to do so.

How's that sound?

Charlie

Scott Smith

Re: remote e-smith-manager access failure
« Reply #13 on: February 22, 2001, 12:15:21 AM »
Charlie Brady wrote (among other things):
>
> Sorry if I misrepresented your statement.
>
> It *is* possible to backup from the text mode browser
> administrative menu. However it is rarely useful to do so.
>
> How's that sound?

No offense taken ;-)

Nice to know I'm one of the rare cases, though!