Emergency Access to Server Console
Novell Cool Solutions: Trench
By Adam Pacchiana
Posted: 4 Sep 2001
Version: NetWare 5.x
I've come up with a Cool Solution which will allow others access to the Server Console in emergency situations without divulging the Admin password. This stems from our corporate environment of having small remote offices supported by a central IT staff. In several instances, when I have lost the ability to connect to the server from RCONSOLE or RCONJ and needed a local office manager to enter some commands on the server, I have had to either reboot the server or relay ADMIN equivalent passwords that subsequently needed to be changed. Here's a workaround:
In order for a user to be able to break the screensaver on a NetWare 5 server, they need supervisory rights to that server. You can create a normal user with no groupings or specific access other than the specific write right to "Object Trustees (ACL)" for the server object. (This in turn gives supervisory rights to all the server directories, normally undesirable.) Then limit the user's concurrent logins to one, and network address restrictions to that of the server (IP or IPX). This user will not be able to log in anywhere except the Server console, and the username and password can be relayed to a local representative and subsequently changed with little effort.
If you have any questions you may contact Adam at firstname.lastname@example.org
While Adam's idea is a good one, it could leave a backdoor for the authenticated user to use Toolbox.nlm to cause some mischief. This fix will also fail if NDS is hosed on the server or not able to authenticate to a replica where the userid exists.
We have recently begun using SSLock from http://www.dreamlan.com. It solves all the limitations that Scrsaver.nlm has. You no longer have to have the Supervisor right to the server NCP object nor even the ACL right. SSLock will unlock the console based on a simple group membership. In addition, it will log all access to the console via the system log. One of its greatest features is the ability to bypass NDS for console access if either NDS is hosed on the server or if the server is unable to contact a replica for authentication. In either case, SSLock can generate a one-time key for emergency access, assuming you know a PIN number which you designate during the install. With nearly 100 servers on our campus, we have had to power down servers before when network links went down and we needed console access. This solves that problem and many others. So if you want a better alternative to Scrsaver.nlm, take a look at SSLock.