Suggestions for remote admin of linux machines

Discussion in 'Linux Networking' started by George Patton, May 18, 2004.

  1. I need to move some servers to an unattended location and haven't been
    pleased with the methods for remote administration that have come to
    mind so far:

    Solution #1: XDMCP, pcanywhere, vnc, etc. Problem: An X-Server imposes
    too much overhead given the limited capabilities of the machines
    involved. (No, I don't want to replace the machines with the latest and
    greatest hardware :)).

    Solution #2: Serial console via cable and modem. Problem: We have a
    network interface but no spare phone line at the remote location.

    Solution #3: KVM over IP. Problem: I've priced out KVM switches with a
    network interface and they appear to be too expensive ($1500+).
    Unaffordable in the case at hand. For less money I could install a
    multiport serial card on a machine running x-windows and use this to
    control the machines via serial consoles. Still a bit pricey however
    because of limited sources for multiport serial cards.

    All of these solutions are less than appealing. Can someone recommend a
    better method? Or perhaps point me to an affordable source for KVM
    switches with network interfaces?
     
    George Patton, May 18, 2004
    #1

  2. ["Followup-To:" header set to comp.os.linux.misc.]
    Keep in mind that VNC or X is not a complete "remote administration
    solution". You won't be able to get into the BIOS Setup, f'rexample.
    If you don't *need* that capability, X or VNC would work fine, but you
    need to be specific about your real needs.
    Same deal as VNC/X.
    That might allow you to get into the BIOS Setup, but if it costs too
    much, it costs too much.
    How about using ssh? This will work very similarly to option 2, but you
    won't need a phone line. You won't be able to get into the BIOS Setup,
    of course, and dealing with power failures/disk crashes at the remote
    site may require a road trip (make sure you're using ext3 or ReiserFS,
    so you'll have less chance of losing data) but it's something that's
    easy to implement and secure.
     
    Dances With Crows, May 18, 2004
    #2

  3. nobody Guest

    : I need to move some servers to an unattended location and haven't been
    : pleased with the methods for remote administration that have come to
    : mind so far:

    : Solution #1: XDMCP, pcanywhere, vnc, etc. Problem: An X-Server imposes
    : Solution #2: Serial console via cable and modem. Problem: We have a
    : Solution #3: KVM over IP. Problem: I've priced out KVM switches with a

    Am I missing something? - what's wrong with basic terminal login
    using SSH or the like?

    Stan
     
    nobody, May 18, 2004
    #3
  4. Dave Uhring Guest

    I admin 8 servers located at a local ISP from my home and I don't need no
    steeenking X to do it. Why do you? BTW, opening the X ports just
    provides another avenue of attack from the script kiddiez.
    Then you do the job over the Internet. Use ssh.

    Set up the machines to reboot after a power outage, use journalling
    filesystems on them and firewall them.
     
    Dave Uhring, May 18, 2004
    #4
  5. Andy Fraser Guest

    In comp.os.linux.misc, George Patton uttered these immortal words:
    Like most of the others said, use SSH. You might like to try Webmin over
    HTTPS too or a combination of the two.
     
    Andy Fraser, May 18, 2004
    #5
  6. Bob Hauck Guest

    Does PC Anywhere even have a Linux version? If not, then that won't
    work. I wouldn't trust XDMCP over the Internet either.

    It kind of sounds like you might think X works like the Windows GUI
    where you somehow need to copy the display to the remote station. It is
    actually very different. X is a client-server system that inherently
    supports what you're trying to do. The X server needs to be running on
    the machine you sit in front of but not necessarily on the machine
    running the app. All that the remote machine needs is the X libraries
    which are a lot "lighter" than the X server itself.

    So my first suggestion would be SSH. It gives you an encrypted command
    line and you can also run X apps on the remote machine and forward the
    display back to your workstation. This is actually a lot easier than it
    sounds, just a one-time setup. You will need to run an X server on the
    machine you're sitting in front of but there is no need at all for an X
    server on the remote machine.

    Your Linux distro probably already has SSH included. If you will be
    administering from Windows, I'd google for "Cygwin". It provides a
    Unix environment on top of Windows that includes an X server and SSH.
    If you're using Linux or another Unix then all you need to do is install
    SSH since you probably have an X server.

    FWIW, another possibility would be something like Webmin. That lets you
    do many admin tasks using a web browser. Don't forget to use https!

    Finally, you really don't need all the "stuff". Just a command line
    running over SSH is quite sufficient once you learn the ropes.

    Indeed. That might be the only answer if you want to be able to change
    BIOS settings and such. Short of that it is probably overkill.
     
    Bob Hauck, May 18, 2004
    #6
  7. Bill Unruh Guest

    ]I need to move some servers to an unattended location and haven't been
    ]pleased with the methods for remote administration that have come to
    ]mind so far:

    I am confused. These machines have network connections you seem to say
    below. So just do it, by command line and scripts, via the network. No
    need for X, or pcanywhere or .... What kind of admin tasks?
    The only problem is that the machines may need on site if they crash
    (power failure, etc). You still cannot push the big red switch from a
    remote location.

    ]Solution #1: XDMCP, pcanywhere, vnc, etc. Problem: An X-Server imposes
    ]too much overhead given the limited capabilities of the machines
    ]involved. (No, I don't want to replace the machines with the latest and
    ]greatest hardware :)).

    ]Solution #2: Serial console via cable and modem. Problem: We have a
    ]network interface but no spare phone line at the remote location.

    So, use the network!

    ]Solution #3: KVM over IP. Problem: I've priced out KVM switches with a

    No idea what KVM is.
    It depends on how much remote admin you want to do. IF you really want
    to control the systems remotely as they boot up, then the network idea
    above will not work. But neither would the modem idea since there has to
    be something running on the machine to get at the modem. Xserver means
    that the machine is already up and running.

    ]network interface and they appear to be too expensive ($1500+).
    ]Unaffordable in the case at hand. For less money I could install a
    ]multiport serial card on a machine running x-windows and use this to
    ]control the machines via serial consoles. Still a bit pricey however
    ]because of limited sources for multiport serial cards.

    ]All of these solutions are less than appealing. Can someone recommend a
    ]better method? Or perhaps point me to an affordable source for KVM
    ]switches with network interfaces?

    Tell us what you want to be able to do via this "remote administration".
     
    Bill Unruh, May 18, 2004
    #7
  8. Not without special hardware. APC make smart power switches that you
    can telnet to and power cycle individual outlets remotely. Some remote
    administration tools (notably Sun's ALOM for their SPARC-based servers
    and ERA from Dell, presumably Compaq and IBM have similar offerings for
    their Intel-based servers) do actually allow remotely power cycling the
    machine.

    [snip]
    KVM = Keyboard, Video, Mouse switch---a common method for using one
    monitor/mouse/keyboard combination on several (local) systems.
     
    John-Paul Stewart, May 18, 2004
    #8
  9. Alan Connor Guest

    I like good old telnet. There's a script on the servers that accesses a VERY long
    list of names (runs as root). The list is not sent over the internet, and
    each name is used only once.

    Each time I login I have to create a file with the current name within a few seconds
    or it logs me out. Until that file is created, the shell is VERY restricted.

    Ssh takes a lot of space and other system resources that I have better uses for.

    AC
     
    Alan Connor, May 18, 2004
    #9
  10. As others already answered, you just need ssh, it can do
    everything for you and more, while needing just one port. You can
    forward X through the ssh tunnel if you want/need to run X apps
    on the remote host.

    Here's a good starting point:

    http://www.openssh.org/faq.html

    You probably don't even need to install sshd at all, it should be
    installed per default on most Linux distro. Perhaps it is already
    running? Just make sure there's a recent version/vendor update
    installed.

    There are windoze clients, if you are limited to some M$ desktop,
    putty/winscp; try a google search.

    Good luck

    --
    Michael Heiming (GPG-Key ID: 0xEDD27B94)
    mail: echo | perl -pe 'y/a-z/n-za-m/'
     
    Michael Heiming, May 18, 2004
    #10
  11. Yep, ssh is all he needs.
    Sure you can, it just depends on your hardware, there are various
    vendors offering servers including such things. Allowing you to
    completely power down/up a system remotely; *nix(tm) servers have had
    this ability for decades. In absence of a graphic card, those
    can be controlled via serial connection. You can use a
    terminal-server or build your own, to concentrate those serial
    connections and make them available on the network.

    There are some add-on cards that make nearly the same possible:
    http://www.realweasel.com/

    --
    Michael Heiming (GPG-Key ID: 0xEDD27B94)
    mail: echo | perl -pe 'y/a-z/n-za-m/'
     
    Michael Heiming, May 18, 2004
    #11
  12. Alan Connor Guest

    Which almost NO ONE has.

    And you KNOW that almost no one has it.

    So what the HELL is the point?

    The only person who ever forged your headers was someone
    that you were abusing and harassing the hell out of.

    As with me, you tried to bully them and they wouldn't back down.

    <snip>

    AC
     
    Alan Connor, May 18, 2004
    #12
  13. All I know of is horrible old telnet. Where do you get the good, encrypted
    version?
    Look for a Linux version of "opiekey" which generates one-time passwords.
    Same idea, but more standardized and in widespread use on other systems.
    I'm running a giant make job on a remote machine, which is dumping tens of
    thousands of lines over SSH to my local console, and `top' shows that ssh is
    using less than 0.1% of my CPU. Which resources does it use that you don't
    have in abundance?
    --
    Kirk Strauser
    The Strauser Group
    Open. Solutions. Simple.
    http://www.strausergroup.com/
     
    Kirk Strauser, May 18, 2004
    #13
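The opiekey scheme Kirk points to, and the one-name-per-login list Alan describes, are both hash-chain one-time passwords. The following is an added illustration of that mechanism, not OPIE's code or its exact format (it uses SHA-256 instead of OPIE's folded MD5 and six-word encoding); the secret, seed and chain length are constructed values.

```python
"""Hash-chain one-time passwords in the style of S/KEY / OPIE (RFC 2289).
Added illustration for the thread, not OPIE's implementation: SHA-256
digests replace OPIE's 64-bit folded MD5 and six-word encoding, but the
protocol logic (server stores only the last accepted value) is the same."""
import hashlib
import secrets

N = 100  # chain length: number of logins before the chain must be re-initialised


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(secret: bytes, seed: bytes, n: int = N):
    """Client side: p_0 = H(secret||seed), p_i = H(p_{i-1}).
    Returns [p_0, ..., p_n]; p_n is registered with the server and never
    typed, p_{n-1} is the first password, p_0 the last."""
    chain = [h(secret + seed)]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class OtpServer:
    """Server keeps only (counter, last accepted value); no secret on disk.
    A sniffed password cannot be replayed (the counter has moved on) and
    the next one cannot be derived from it (that needs a hash preimage)."""

    def __init__(self, initial_value: bytes, n: int = N):
        self.counter = n           # next expected password is p_{counter-1}
        self.last = initial_value  # p_n

    def challenge(self) -> int:
        """Sequence number the client must answer for (sent in the clear)."""
        return self.counter - 1

    def verify(self, presented: bytes) -> bool:
        if self.counter <= 0:
            return False           # chain exhausted: re-initialise out of band
        if h(presented) != self.last:
            return False           # wrong password or a replayed one
        self.counter -= 1
        self.last = presented
        return True


if __name__ == "__main__":
    seed = secrets.token_hex(4).encode()   # public per-user seed (constructed)
    chain = make_chain(b"correct horse battery", seed)
    srv = OtpServer(chain[-1])
    print("challenge", srv.challenge(), "accepted:", srv.verify(chain[srv.challenge()]))
```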
  14. That you don't have it doesn't make your statement any more true,
    gpg comes with almost any distro and many popular newsreaders can
    make use of it, with just three clicks.

    Just a few seconds using google and it looks like YOUR newsreader
    slrn can use it perfectly:

    [http://digilander.libero.it/ebassi/slrn/index.html#macros]

    SLRN + GnuPG

    SLRN + GnuPG is a macro that allows you to sign and verify Usenet
    articles using GnuPG. It could also be used with PGP, although I
    recommend using GnuPG, since it's open and free (as in Free
    Software).
    I'm sure you can get it working.

    > And you KNOW that almost no one has it.

    > So what the HELL is the point?

    > The only person who ever forged your headers was someone
    > that you were abusing and harassing the hell out of.
    
    Alan, it doesn't matter how often you repeat that, it doesn't get
    any more right. I can't remember "abusing and harassing the hell
    out of" anyone.
    
    My posts are perhaps not as polished, but that might be my
    "style" and you can be lucky, it's not my native language.
    
    I'm just helping others, as others help me, that's how
    GNU/Linux/GPL works, it's that simple. ;)
    > As with me, you tried to bully them and they wouldn't back down.
    
    ?
    
    Don't understand what you mean Alan, but then, I keep on reading
    rants from you, as soon as I take you out of my kill-file and I'm
    not really interested anymore in reading them.
    
    --
    Michael Heiming (GPG-Key ID: 0xEDD27B94)
    mail: echo  | perl -pe 'y/a-z/n-za-m/'
     
    Michael Heiming, May 18, 2004
    #14
  15. Solution #4:

    98% of what you need to do you can do with an SSH connection, using
    whatever kind of "network plumbing" you already have in the
    environment. It requires that there be an sshd server on each box
    that accepts connections.

    The other 2% is for those cases where you need to do hardware
    reconfiguring that requires having access to BIOS. To do that, you'd
    need KVM over IP, and yes, that's likely to be pricey.

    If you type "ssh -X", then that will try to export your local X
    display connection across the wire so that you'll have something as
    equivalent to VNC as you can get. There is NO need to have an X
    server running in the server environment.

    Solution #5, which is relevant to "console" stuff on Real UNIX(tm)
    system:

    Modify #2 to have some sort of serial console server that connects to
    IP. That way, you telnet to the "console server" which then allows
    you to hook up to the serial consoles. No need for ANY phone line.
     
    Christopher Browne, May 18, 2004
    #15
  16. Keyboard-Video-Mouse. A KVM device accepts cables going to your
    keyboard, video, and mouse at one port. And it has 1-n additional sets
    of three ports for cables going to the respective input/output ports on
    each of 1-n computers. Buttons or key combinations allow you to
    reconnect the physical input/output devices to the various physical
    machines in your harem of faithful servers. Going into the bios is no
    problem via a KVM switch... unlike other "remote" solutions, and
    although this is a relatively rare requirement it does arise from time
    to time. KVM switches with IP capability provide similar functionality
    via the internet. The only problem is they're too expensive IMO. The
    prices that I've come across (so far) are roughly $400 per set of ports,
    i.e. $1600 for a KVM switch that will control 4 machines.
     
    George Patton, May 19, 2004
    #16
  17. The theory could be that if you're using IPSEC, it could be
    "automagically" wrapped with ooey-gooey cryptographic goodness.

    Alternatively, there's ssh.
    Alan Connor's some sort of curmudgeon that would probably prefer to
    write all his applications in assembly language, even though that
    would make them ludicrously non-portable...
     
    Christopher Browne, May 19, 2004
    #17
  18. Apart from networked UPS's and pricey specialized hardware that can be
    commanded to power up/down a bank of computers it wouldn't be too hard
    to build an array of smart switches or receptacles to shut off power
    (after executing shutdown, of course). For instance, with a networked
    home automation board you could individually control the power feeds to
    computers in an entire building. The only caveat would be to install
    the switching hardware in front of any surge protectors if your control
    switches use X10 protocol. And if you were to use a home automation
    board to control power you should go ahead and spend a $100 bucks or so
    to install video over IP in the remote computer room so you could make
    sure the rats aren't gnawing at the cables. :) But all this is
    overkill. Does anyone know where I can buy CHEAP kvm-ip gear?
     
    George Patton, May 19, 2004
    #18
  19. Never heard about "networked home automation board"?
    You mean X11? There's no need at all, why do you want to limit
    yourself to X11?
    Those might be fine for windows, but even there you get "remote
    lights off" cards or alike enabling you to connect through a
    browser and turn off/on the box. Those can be used with Linux
    too, but then it's overkill and the bad thing is you can't
    cut&paste text through the (java) browser GUI.

    --
    Michael Heiming (GPG-Key ID: 0xEDD27B94)
    mail: echo | perl -pe 'y/a-z/n-za-m/'
     
    Michael Heiming, May 19, 2004
    #19
  20. No, I mean X10. Home automation boards are the consumer, mass produced,
    AFFORDABLE counterparts to lighting and electrical controller panels
    that have been used in highrise office buildings, factories, and
    hospitals for years to control lighting circuits, thermostats, and
    electrical relays. Their primary purpose is to allow lighting, HVAC,
    etc to be controlled automatically -- either on site or remotely. For
    example, using a web interface or data modem or telephone you might be
    able to use a home automation board to turn on/off all the lights in
    your home, let the dog out, open the garage for the UPS driver, etc,
    etc. This is accomplished via hard-wired control circuits (typically
    cat5) from the automation controller panel to light switches and
    receptacles or via a wireless protocol called X10 that travels over the
    NM ("Romex") circuits in modern buildings. X10 has been improved over
    the years since it was first invented, and now provides a cheap means of
    retrofitting older buildings with modern controls.

    For admins who manage older generation computers that can't be turned
    on/off remotely, a home automation board would provide a relatively
    inexpensive means of accomplishing this task. And there's an added
    bonus. Many home automation boards have pins for wiring up security
    devices, speaker intercoms, electric door latches, and video over IP...
    so you could remotely (via the web if necessary) open and close the door
    to the room housing your remote server farm and then watch and converse
    with the person who enters. Overkill for you? :) No problem, but
    this kind of thing is useful for some admins.
     
    George Patton, May 19, 2004
    #20