|
Patch 4038 : IRISconsole 2.0 docs and security fix :
[IRIX 6.5.9m 6.5.9f 6.5.8m 6.5.8f 6.5.7m 6.5.7f 6.5.6m 6.5.6f 6.5.5m
6.5.5f 6.5.4m 6.5.4f 6.5.3m 6.5.3f 6.5.2m 6.5.2f 6.5.1 6.5 6.3 6.2]
INDEX
RELATIONS
RELEASE NOTES
1. Patch SG0004038 Release Note
This release note describes patch SG0004038 to IRIX 6.5.x,
6.3 and 6.2.
1.1 Supported Hardware Platforms
This patch contains bug fixes for IP22, IP30, and IP32. The
software should not be installed on other configurations.
1.2 Supported Software Platforms
This patch contains bug fixes for IRISconsole (2.0) on a
system running all versions of 6.5.x, 6.3 and 6.2. The
software should not be installed on other configurations.
1.3 Bugs Fixed by Patch SG0004038
This patch contains fixes for the following bugs in IRIX
6.5.x, 6.3 and 6.2. Bug numbers from Silicon Graphics bug
tracking system are included for reference.
Bug #801250-IRIXConsole 2.0 does not recognize EL-8P
terminal server
Patch 3943:
Fixes:
Bug #784455-devices not being made during inst
Bug #786838-icallow and icdeny do not work per man
page
Bug #787405-does not support ST-1616B with new
vendorid
Bug #788664-incorrect permissions on iclogin command
Bug #789183-iclogin does not handle "NA" as syscon
port
Bug #792335-icadmins logging in with wrong passwords
Replaces and rolls up:
Patch 3716, which fixes:
Bug #753214-ic fails on ST-1600 and Indy
Bug #758765-'icpass' core dumps
Bug #763990-icallow has wrong directory path
Bug #765150-connection 'idle' time is incorrect
Bug #765901-iclogin does not have new
icallow/icdeny feature
1.4 Subsystems Included in Patch SG0004038
This patch release includes these subsystems:
o patchSG0004038.IRISconsole_sw
1.5 Installation Instructions
Because you want to install only the patches for problems
you have encountered, patch software is not installed by
default. After reading the descriptions of the bugs fixed
in this patch (see Section 1.3), determine the patches that
meet your specific needs.
If, after reading Sections 1.1 and 1.2 of these release
notes, you are unsure whether your hardware and software
meet the requirements for installing a particular patch, run
inst. The inst program does not allow you to install
patches that are incompatible with your hardware or
software.
Patch software is installed like any other Silicon Graphics
software product. Follow the instructions in your Software
Installation Administrator's Guide to bring up the miniroot
form of the software installation tools.
Follow these steps to select a patch for installation:
1. At the Inst> prompt, type
install patchSGxxxxxxx
where xxxxxxx is the patch number.
2. Initiate the installation sequence. Type
Inst> go
3. You may find that two patches have been marked as
incompatible. (The installation tools reject an
installation request if an incompatibility is
detected.) If this occurs, you must deselect one of
the patches.
Inst> keep patchSGxxxxxxx
where xxxxxxx is the patch number.
4. After completing the installation process, exit the
inst program by typing
Inst> quit
1.6 Patch Removal Instructions
To remove a patch, use the versions remove command as you
would for any other software subsystem. The removal process
reinstates the original version of software unless you have
specifically removed the patch history from your system.
versions remove patchSGxxxxxxx
where xxxxxxx is the patch number.
To keep a patch but increase your disk space, use the
versions removehist command to remove the patch history.
versions removehist patchSGxxxxxxx
where xxxxxxx is the patch number.
1.7 Known Problems
2. Installation_Information
The IRISconsole 2.0 product contains software for managing
groups of Challenge/Onyx, Origin 200/2000 installations.
Please refer to the IRISconsole Administrator's Guide book
for help in customizing the software for individual sites.
The IRISconsole software should be installed on IRIX
operating system release 6.5 (or later).
2.1 IRISconsole_2.0_Subsystems
IRISconsole contains the following subsystems:
IRISconsole.sw.base IRISconsole Base Software,
including the tcl/motif
Graphical User Interface.
IRISconsole.sw.remoteaccess Remote Access Capabilities
based on telnet
IRISconsole.sw.tcllink IRISconsole Tcl software
IRISconsole.man.man Manual pages for IRISconsole
IRISconsole.man.relnotes Release Notes for IRISconsole
2.0
IRISconsole.books.IRISconsole_AG Online IRISconsole
Administrator's Guide
IRISconsole.books.MUX_IG The IRISconsole Multiplexer
Installation Guide
It is necessary to install at least sgitcl_eoe.sw.base and
sgitcl_eoe.sw.tm for IRIX 6.5 from the sgitcl software
included on the CD. IRISconsole also requires sts.sw and/or
el_serial.sw. If installing both multiplexers you must
install the el_serial.sw before installing the sts.sw.
2.2 Customization_and_Files
2.2.1 Access_Control IRISconsole is equipped with a simple
but effective access control mechanism. It recognizes two
types of users, icadmins (administrators) and icusers
(regular non-admin users). Before starting /usr/sbin/ic it
is necessary to configure these into the IRISconsole
password database. At the very least, you must add at least
one administrator by using /usr/sbin/icpass -add icadmin.
This is because security is switched on by default, and you
will not be able to add sites and systems to configure the
IRISconsole without an icadmin login and password. Only
root can add icadmins, and only icadmins can add/delete
icusers. Only icadmins can delete another icadmin entry.
The base IRISconsole requires no configuration files such as
/etc/uucp/* entries to connect to the attached systems. For
serial communication through SCSI or Ethernet Multiplexer,
IRISconsole uses a direct connect protocol that requires no
preconfiguration.
IRISconsole uses files to either allow or deny access to
particular systems within a site. These files are icallow
and icdeny. They are located in the /usr/IRISconsole/adm
directory. Each entry in these file has the following
format:
<user_id> : <site_name> : <system_name> [, <system_name> ]
The icallow and icdeny files work like the allow and deny functionality of the cron command.
If the entry is in the icallow file, user user_id is allowed
access to the system site_name : system_name. If the entry is in the icdeny file,
that user is denied access to that system.
If both the icallow and icdeny files contain entries, then only the
entry in the icallow file is used.
2.2.2 Remote_Access_Installation IRISconsole remote access
is a telnet(1C) based facility that lets users perform a
subset of the functionalities available through the
IRISconsole main GUI remotely over a network. It includes
ictelnet(1), that helps users connect to a known port on the
IRISconsole host. It depends on an ictelnetd service running
on the host workstation (OCTANE, O2, or Indy) listening on
the specific port. The port number should be the port
number value for ictelnet services in the /etc/services
file. For the port number, use any number between 5000 and
5063; the number 5000 is recommended for the status port.
Once successfully connected, ictelnetd invokes IRISconsole's
iclogin subsystem to verify user's 'IRISconsole Login:' and
password.
To configure a port on the IRISconsole system so that
ictelnet communicates directly to the IRISconsole
application, edit the file /etc/services on that system to
include the following line, which specifies the port on
which the service is available:
ictelnet 5000/tcp # IRISconsole Remote Access
Edit the file /etc/inetd.conf on the IRISconsole system to include this line:
ictelnet stream tcp nowait root /usr/IRISconsole/bin/ictelnetd ictelnetd
Then, tell inetd to reread the file with the command:
/etc/killall -HUP inetd
Note To connect to port 5000 of the IRISconsole machine
you may use standard telnet or /usr/sbin/ictelnet
which is an alias for /usr/bsd/telnet -l $USER.
2.2.3 IRISconsole_Conversion_Script
The IRISconsole 2.0 release uses a database introduced in
the IRISconsole 1.3 release to store site and system
information. The icdbcnvrt command is run by installation
software to convert site and system information from the
IRISconsole 1.2 or 1.3 release to the IRISconsole 2.0
release.
2.2.4 IRISconsole_Partitioned_System_Support
If you plan to use the Partitoned System functions within
IRISconsole please contact your nearest SGI representative.
2.2.5 IRISconsole_and_SGI_Electronic_Services
For customers who have purchased escall through the Support
Advantage Electronic Services package in North America,
IRISconsole can be used to forward requests to SGI and to
update their requests from SGI.
escall uses the environment variable CALLSVR to forward
messages to SGI. If it is not set, escall uses "localhost"
as the callsvr.
All requests require the serial number of the machine. The
machine must have been registered with Electronics Services.
For additional information, please contact your nearest SGI
representative.
3. Known_Problems_and_Workarounds
This chapter discusses known problems in IRISconsole 2.0,
and ways to work around them.
o If your site has purchased a new ST-1616 multiplexer,
you must check the version number of the firmware to
determine whether the multiplexer requires new SCSI
drivers from Digi International, Inc.
Enter the following command:
cdscanbus
Look at the right most field of the output entry that shows
the ST-1616 multiplexer.
If the version is anything greater than 'V7.0', you will need the new
SCSI drivers from Digi International, Inc., at the following Web page:
http://support.digi.com/support/drivers/irix/index.html#SCSI
Once at this page, click on the *.sis (currently 4002072A.sis)
and follow the directions to install the new SCSI driver images.
o Devices are not made when loading IRISconsole software.
If you install IRISconsole software and then attempt to configure your
system and use IRISconsole and do not run the cdmknods command,
you may receive an error message similar to the following:
/dev/ttyd055 no such device
If you encounter this problem, run the following commands:
rm -f /dev/tty[mfd]???
then
cdmknods
The rm command removes any existing device nodes.
The cdmknods command is run to make the device nodes
associated with your system.
The cdmknods simplifies and automates
the process of making device nodes for Digi International scsiTerminalServer
and EtherLite(R) Terminal Server products.
It may be used to make single nodes with specific features,
to generate all the necessary nodes for a particular product,
or to make nodes for all scsiTerminal Server products
found on a particular system. See the cdmknods(1) man page for more information.
o The cdscanbus binary located in /sbin directory and installed on IRIX 6.5.x systems
does not have its permissions set correctly for IRISconsole to operate normally.
When IRISconsole is installed with the inst command along with other
images, you must manually change
the permissions on the cdscanbus binary to 4555 using the following command:
chmod 4555 /sbin/cdscanbus
If you do not change the permissions to 4555, non-root users of the
ic command will not be able to bring up IRISconsole with multiplexers attached.
o Console activity gets logged only as long as the device is left connected
or the syslogd remote logging is enabled on the server. See "Storing
System Log Information" in the IRISconsole
Administrator's Guide, 007-2872-004, for more information on syslogd
remote logging.
o IRISconsole 2.0 does not contain a mechanism to automatically detect system
failures outside of what is detected and triggered by Hardware Status Monitor
and its alarm thresholds.
o Similar to standard login(1), IRISconsole logs unsuccessful login attempts to
a 'badlogins' file. This file resides in /var/IRISconsole/adm/badlogin/
badlogins, and is configured to log after three failed attempts.
It is important that all files and directories in
the path /var/IRISconsole/adm/* be owned by root and kept under 0600 permissions.
However, these badlogins are done only in the case of remote access via telnet.
When using icpass(1C), badlogins file is not updated.
Similar to login(1), no badlogin will be done unless the file /var/IRISconsole/
adm/badlogin/badlogins exists.
o IRISconsole does not distinguish when a connected system is at its system prom.
Since hardware flow control is disabled at the system prom, to avoid confusion,
IRISconsole 2.0 does not use hardware flow control at all.
o When adding logins and passwords to the IRISconsole password database,
users are not prompted to enter their new password twice. This can create
problems if the password was mistyped. If you realize that the password was
mistyped, an icadmin password holder can delete your entry from the password
database
o All options under Monitor in the site window require networking between
IRISconsole host and the managed system. Since IRISconsole executes rsh commands
it is also possible to flood the SYSLOG of the managed system with messages
if it logs all rsh requests.
o Show Syslog lets users view syslog using /usr/sbin/sysmon,
but the Update button of sysmon does not work. that is, it
doesn't get the latest version of syslog from the managed system.
It is necessary to quit sysmon and reselect Show Syslog each time,
unless the syslogd remote logging is enabled on the server.
o All the customization of styles done in Hardware Status Monitor are
non-persistent; they'll last only as long as the particular graph does.
o In the Hardware Status Monitor, when the alarms log is present,
deleting and adding graphs may alter the sizes of existing graphs.
It may be necessary to readjust their sizes manually.
o Some sub-applications that are spawned (for example, Console windows) do not exit
when the user quits the application. They have to be exitted manually; in the
case of a telnet session, use the ESC sequence Ctrl-] Ctrl-\.
o While it is possible to use utilities like cu(1C) to communicate over the serial
line, it is discouraged. IRISconsole can interoperate with cu as far as
locking is concerned, but it is not possible to find other information like
the idle time on a device if cu is used. However, the simple direct connect
protocol used by IRISconsole does not have commands to send or receive files
over a serial line.
o The Spy Console xwsh window does not exit itself when the line that it is
spying on gets disconnected. Users have to kill it manually using Ctrl-C.
o The log files in /var/IRISconsole/logs can eventually occupy a significant
amount of space. They should periodically be compressed and archived.
o The IRISconsole Administrator's Guide makes several references to the ST-1600
Multiplexer. The ST-1616, ST-1620, and ST-1032 Multiplexers
are interchangeable with the ST-1600 throughout the book.
o IRISconsole recognizes ST-1600/1616/1620/1032 multiplexers on all SCSI busses.
You may pick any bus when installing multiplexer(s).
INST SUBSYSTEM REQUIREMENTS No Requirements Information Available. INST SUBSYSTEM CHECKSUMS These checksums help to provide a 'signature' for the patch inst image which can be used to authenticate other inst images. You can obtain this kind of output by running sum -r on the image (from the command line): 27613 34 patch/README.patch.4038 44486 4 patchSG0004038.idb 24783 2 patchSG0004038 INST SUBSYSTEM FILE LISTINGS The following lists the files which get installed from each subsystem in the patch:
DOWNLOAD PATCH
|
||||||||||||||||||||||||||||||||||||
Document Id: 20021117075908-IRIXPatch-1414
|
||||||||||||||||||||||||||||||||||||