From: "Daniel O'Connor"
To: Paul Schenkeveld
Cc: hackers@freebsd.org
Subject: Re: Chicken and egg, encrypted root FS on remote server
Date: Wed, 20 Feb 2013 22:55:47 +1030

On 20/02/2013, at 21:43, Paul Schenkeveld wrote:
>> What about getting a remote console like HP's ILO or Dell's DRAC ?
>>
>> You get to login remotely, you can use some degree of access control... you can even remote boot.
>
> For new hardware I could indeed use this, the current hardware does not
> support remote console.
>
> I don't have experience with ILO nor DRAC but I do have experience with
> SuperMicro's KVM over LAN which does need a java client to run. If I can
> enter the passphrase over ssh that would be better as I can use any device
> including a smartphone to dial in and enter the passphrase.

If you set up a serial console you don't need Java if you use ipmitool, eg

    ipmitool -H remoteip -U ADMIN -I lanplus sol activate

The way IPMI graphical console stuff _stinks_ - I spent several hours trying to help a customer and I was stymied at every level trying to work out how to use SSH port forwarding to have the console Java client connect to the remote server (for example, it ignores system wide SOCKS proxy settings).

In the end I used tun forwarding which was just stupid - it really is written assuming everyone uses a VPN. There is no logic behind the use of the VNC protocol but bastardised enough that normal clients can connect.

That inspired me to send a longer rant to Supermicro about it, maybe nothing will come of it but I feel better ;)

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C