From: "J.A. Terranson"
To: "'freebsd-questions@freebsd.org'"
Subject: Notes on serial consoles.
Date: Fri, 22 May 1998 19:14:22 -0500

Just for those of us who have recently been involved in this issue, a couple of quick notes:

(1) After actually running with a serial console, you can disable root from logging in on the console (we have done this to add a layer to the physical security. Not only do they have to get to the machine with a valid login, but *then* they have to su on top of it!). Simply create a sym link from /dev/console to the serial line in use for your console, probably /dev/ttyd0. Then edit /etc/ttys: uncomment the "console" line (be sure to set the correct speed) and make sure it is "on". Now comment out the "ttyd0" line, and Voila! No direct root access! This is really nice for logging too: you KNOW who was on the box before the "su"!

(2) We took out the "options UCONSOLE" with no ill effects, but then, this machine is not/will not have *anything* to do with X.

(3) We took out "pseudo-devices pty (n)" with no ill effects, but then, this machine has no business talking to anyone not on the console...

(4) We enabled AUTO_EOI_1 (with no ill effects) since we are (obviously) generating a lot more IRQ overhead with our serial console. AUTO_EOI_2 made this machine choke (*ancient* motherboard!).

(5) We were unable to get the GPL_MATH_EMULATE to function on this setup, even though it works on other similar (but *not* identical) setups here. For the moment I am considering them to be incompatible.

(6) It is interesting to note that we *thought* we had disabled the boot prompt "opportunity" by commenting out "USERCONFIG" and "USERCONFIG_BOOT", and "VISUAL_USERCONFIG". What makes this interesting is that there is NO change in the boot behaviour that I can see!

(7) Just an aside, since it may not be obvious at first glance, the "sc0" driver is *NOT* included in the make. It *CAN* be however: we did it both ways with success. Pros: you can toggle back to the hardware console via /boot.config if you have to, cons: probably a security risk if you are expecting a tty to be syscons, and, of course, the kernel space it occupies (which is minimal actually).

Thanks to all from whom information was gleaned, and good luck to all who hope to use this information!

J.A. Terranson
sysadmin@mfn.org
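An added example, not part of the original post: a small audit of an /etc/ttys-style file that lists the enabled terminals from note (1) and whether each permits direct root login. It relies on the `secure`/`insecure` flags documented in ttys(5), which the post does not mention, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the post): list enabled terminals in an
# /etc/ttys-style file and whether each one permits direct root login.
# Assumption: ttys(5) semantics, where "secure" allows uid 0 to log in.

# Constructed sample; device names console/ttyd0 follow the post,
# ttyv0 and ttyd1 are there only for contrast.
sample_ttys() {
cat <<'EOF'
# name  getty                           type    status
console "/usr/libexec/getty std.9600"   vt100   on insecure
#ttyd0  "/usr/libexec/getty std.9600"   vt100   on secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on secure
ttyd1   "/usr/libexec/getty std.9600"   dialup  off secure  # spare line
EOF
}

# audit_ttys [FILE...]: reads stdin when no file is given.
# Prints "<tty> root-login-allowed" or "<tty> root-must-su" per enabled line.
audit_ttys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
        name = $1
        rest = $0
        sub(/#.*/, "", rest)                    # trailing comment
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)   # drop the tty name
        if (rest ~ /^"/)
            sub(/^"[^"]*"[ \t]*/, "", rest)     # drop a quoted getty command
        else
            sub(/^[^ \t]+[ \t]*/, "", rest)     # drop a bare command (none)
        n = split(rest, f)                      # f[1] = type, f[2..n] = flags
        on = 0; secure = 0
        for (i = 2; i <= n; i++) {
            if (f[i] == "on")       on = 1
            if (f[i] == "off")      on = 0
            if (f[i] == "secure")   secure = 1
            if (f[i] == "insecure") secure = 0
        }
        if (on) print name, (secure ? "root-login-allowed" : "root-must-su")
    }' "$@"
}

sample_ttys | audit_ttys
```

On a live system the same function can be pointed at the real file with `audit_ttys /etc/ttys`.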