X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: by onstor-exch02.onstor.net 
	id <01C76FF9.6DA9DC98@onstor-exch02.onstor.net>; Mon, 26 Mar 2007 15:52:28 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C76FF9.6DA9DC98"
Content-class: urn:content-classes:message
Subject: RE: root/admin login via fp-ports
Date: Mon, 26 Mar 2007 15:52:27 -0700
Message-ID: <BB375AF679D4A34E9CA8DFA650E2B04E02FAE793@onstor-exch02.onstor.net>
In-Reply-To: <BB375AF679D4A34E9CA8DFA650E2B04E02F12BFB@onstor-exch02.onstor.net>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: root/admin login via fp-ports
Thread-Index: AcdsxgQRMwTHQGNgQpK+6kdcdQp0zwAAbVrQAMxNSMA=
From: "Eric Barrett" <eric.barrett@onstor.com>
To: "Charissa Willard" <charissa.willard@onstor.com>,
	"Steffen Thuemmel" <steffen.thuemmel@onstor.com>
Cc: "dl-se" <dl-se@onstor.com>,
	"dl-cstech" <dl-cstech@onstor.com>

This is a multi-part message in MIME format.

------_=_NextPart_001_01C76FF9.6DA9DC98
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

It is currently possible to hack SSH so that customers can't access the system via the FP ports by running:

mount -uw /
vim /etc/ssh/sshd_config        # note: NOT ssh_config!

Then, anywhere in the file, add the lines:

ListenAddress 10.0.0.1     # replace 10.0.0.1 with IP of sc1
ListenAddress 10.0.0.2     # replace 10.0.0.2 with IP of sc2

The two problems here are (1) it's not supported, and (2) it goes away after an upgrade (and thus may surprise the customer with a security vulnerability re-introduced at an undetermined future time).

________________________________

From: Charissa Willard
Sent: Thursday, March 22, 2007 2:49 PM
To: Steffen Thuemmel
Cc: dl-se; dl-cstech
Subject: RE: root/admin login via fp-ports

Steffen,

We have some customers that have set up a direct connect cluster where two nodes are directly connected via their SSC ports. In this configuration there is no SSC port available to serve as the management port, so we created the capability to use an FP port to manage the cluster.

We have a request in to add the capability for a customer to disable management via the FP ports for the web-ui (TED00018016). There is currently no request in to limit access using ssh. We may want to recommend that a customer only connect to a mgmt vsvr. For one reason, the mgmt vsvr is not protected so it won't move.

-Charissa

________________________________

From: Steffen Thuemmel
Sent: Thursday, March 22, 2007 2:07 PM
To: dl-se; dl-cstech
Subject: root/admin login via fp-ports

I found out today that it is possible to log in as admin or root via a vsvr IP address (configured on an FP port). The management ports and the FP port are on totally different IP segments.

Why don't we suppress this? Isn't that a security risk? I was telling all my prospects that the SC and FP ports are totally separated.

Thanks,

St.

Steffen Thuemmel
Manager Systems Engineering CE

tel.     +49 6102 884 84-0
mobile   +49 173 673 3434
mail     steffen.thuemmel@onstor.com

ONStor GmbH
Schleussner Str. 42
D-63263 Neu-Isenburg
Germany

Commercial register: HR-B 42402 AG Offenbach am Main;
VAT ID: DE 249 472 495
Managing Director: Roland Voelskow
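
The ListenAddress pin Eric describes at the top of this thread, as an added example that is not part of the thread and not ONStor code: a POSIX sh script that applies the pin idempotently and, for his point (2), gives the check to run after an upgrade to see whether it is still in place. It assumes the SC-port placeholders 10.0.0.1 and 10.0.0.2 from his mail, a stock OpenSSH sshd_config with no Match block, and awk, sort and mktemp on the appliance; the sshd_config it edits is constructed here for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: pin sshd to the SC-port addresses and
# check that the pin is still present (it is lost on upgrade, per Eric's point 2).
# Assumes POSIX sh, awk, sort and mktemp. "sed -i" is avoided on purpose: its
# syntax differs between GNU and BSD, so the rewrite goes through a temp file
# and mv, which also leaves the file untouched if the script dies halfway.
set -eu

# restrict_sshd_listen CONFIG IP...
# Rewrites CONFIG so the only ListenAddress directives are the given IPs.
# Every existing ListenAddress line, active or commented out, is dropped
# first, so running it twice yields the same file (safe to re-run after an
# upgrade). ListenAddress must precede any Match block in sshd_config; this
# appends at the end, so it assumes the appliance config has no Match block.
restrict_sshd_listen() {
    [ $# -ge 2 ] || { echo "usage: restrict_sshd_listen CONFIG IP..." >&2; return 2; }
    cfg=$1; shift
    [ -f "$cfg" ] || { echo "no such config: $cfg" >&2; return 2; }
    tmp="$cfg.tmp.$$"
    # keep every line except ListenAddress lines (with or without a leading #)
    awk '!/^[ \t]*#?[ \t]*ListenAddress[ \t]/' "$cfg" > "$tmp"
    {
        echo "# ListenAddress pin: SC-port addresses only, so FP-port vsvr IPs never reach sshd"
        for ip in "$@"; do echo "ListenAddress $ip"; done
    } >> "$tmp"
    mv "$tmp" "$cfg"
}

# sshd_listen_addresses CONFIG
# Prints the active ListenAddress values from CONFIG, sorted, one per line.
# A commented-out line has "#ListenAddress" as its first field and is skipped.
sshd_listen_addresses() {
    awk '$1 == "ListenAddress" { print $2 }' "$1" | sort -u
}

# check_sshd_listen CONFIG IP...
# Succeeds only when the active ListenAddress set in CONFIG is exactly the
# given IPs. No ListenAddress at all means sshd binds every address, the
# FP-port vsvr IPs included; that is the state an upgrade leaves behind, so
# run this from the post-upgrade checklist and restrict again when it fails.
check_sshd_listen() {
    [ $# -ge 2 ] || return 2
    cfg=$1; shift
    want=$(for ip in "$@"; do echo "$ip"; done | sort -u)
    have=$(sshd_listen_addresses "$cfg")
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Demo on a constructed sshd_config (not an appliance file). OpenSSH ships
# its defaults commented out, which is why commented lines are removed too.
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/sshd_config"
cat > "$demo_cfg" <<'EOF'
# constructed sample
Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
Subsystem sftp /usr/libexec/sftp-server
EOF

if check_sshd_listen "$demo_cfg" 10.0.0.1 10.0.0.2; then
    echo "before: already pinned"
else
    echo "before: no pin, sshd would bind every address including FP-port vsvr IPs"
fi
restrict_sshd_listen "$demo_cfg" 10.0.0.1 10.0.0.2
restrict_sshd_listen "$demo_cfg" 10.0.0.1 10.0.0.2   # re-run: same result
if check_sshd_listen "$demo_cfg" 10.0.0.1 10.0.0.2; then
    echo "after: pinned to $(sshd_listen_addresses "$demo_cfg" | tr '\n' ' ')"
fi
rm -rf "$demo_dir"
```

On the appliance this runs after the `mount -uw /` Eric mentions; syntax-check the result with `sshd -t -f /etc/ssh/sshd_config` before restarting sshd, since a bad directive leaves you without any SSH listener. The pin only covers sshd: the web UI over the FP ports is the separate request Charissa cites (TED00018016), and the edit remains unsupported either way, so `check_sshd_listen` after every upgrade is what keeps the gap from quietly reopening.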


------_=_NextPart_001_01C76FF9.6DA9DC98--
