[SDBUG] Remote power management recommendation
Joseph A. Kitzman
joseph at kitzman.org
Fri Dec 22 00:17:26 PST 2006
If you don't want to pay for a signed SSL certificate, then you need to
generate a self-signed certificate. Using OpenSSL (to name one of a few),
you can easily generate a self-signed certificate for pretty much any
service that will utilize it.
-OR-
You could go get a certificate signed for free from a company like
http://www.cacert.org/ -- I'm not sure how mainstream they are, but I like
where they're going with their project.
-OR-
If you're a really crazy super mega deluxe systems admin, you can build your
own Certificate Authority for your local machines to utilize. Don't even
try this unless you know the ropes.
For the record, I buy my cheap certificates from Network Solutions
(www.netsolssl.com) for $129 a year. When I need to roll out certificates
on a higher visibility site, I'll go to the expense of using a VeriSign
(www.verisign.com) certificate. Why you ask? The logo. I pay $1000 more a
year for a stupid little logo that everybody and their mother has come to
recognize as the standard for internet SSL encryption. Who knows if they
even click on it or know what it means, but it sure brings about the warm
fuzzies and that keeps me employed.
I don't really have the time nor the desire to demystify PKI for you, but
you can easily learn from the various docs and HOWTOs out there. Here's a
few sites from my bookmarks that you may enjoy:
http://sial.org/howto/openssl/
https://www.netsolssl.com/support/index.html
https://www.netsolssl.com/support/install/index.php
And the obligatory:
http://www.justfuckinggoogleit.com/
--
NOW, to the RS232/telnet/ssh debate... my short comment is "security might
not be so important here". Somewhere a security elitist just cried out in
pain, but my view on remote power switches may differ from that of other
admins.
In my professional opinion, remote power switches are out of band devices.
This type of device doesn't always need an IP address to be useful,
certainly not a routable address. Plain and simple, they exist to cover
your own ass. You dial your modem directly into them or into an oob router
and bounce your server. Scenarios where they've come in handy for me:
1. Pushing live a fubar border router config at 3AM. Bounce the router to
load the previous config.
2. Kernel panic. Waking the remote datacenter technician in the middle of
the night is going to rack up a $100 charge.
3. A friend decides to test a new forkbomb on your server in Virginia while
you're on a 3 day bender in Las Vegas.
The list goes on.
The devices with the IKE-IPSEC HTTPS 3DES TWOFISH AES DES Java applet are
fun, but they generally come with a hell of a price tag. Great for watching
your load and compiling any statistic you could possibly want, but that's
not always going to be of key importance. It all really depends on your
use. Small project/Big project. Patchwork servers/Clusters. Penny
pinchers/Big Budget.
Tell me more about your needs, your power draw, and your setup and I'll make
a better recommendation for a power switch.
---
Oh, and Peter, "man 4 random". Lots of good info in there.
> -----Original Message-----
> From: sdbug-bounces at sdbug.org [mailto:sdbug-bounces at sdbug.org] On Behalf
> Of Peter Leftwich
> Sent: Thursday, December 21, 2006 10:25 PM
> To: SDBUG
> Subject: Re: [SDBUG] Remote power management recommendation
>
> On Thu, 21 Dec 2006, Bill Studenmund wrote:
> > Unfortunately all of the devices I'm aware of don't do ssh. If they do
> > more than telnet (which they should!), they go for http or https. I'd love
> > to hear of a power controller that does ssh.
> >
> > One problem with ssh is that you run into key management issues. They're
> > no big deal for desktops (where you can log in and manage the keys easily)
> > but can be an issue for embedded devices.
> >
> > Usually what folks do is telnet from a local device; one in the same
> > switch. That way the clear-text issues with telnet are minimized. Take care,
> > Bill
>
> Re https, if you host a box and don't want to pay for an SSL CERT, is
> there a free source way to issue your own keys and then be able to do
> https that way? I guess what I'm asking is, even though your browser will
> pop up and say the authenticity of the CERT is not verified, let's say
> for example you run https webmail on your box... is this setup common?
>
> PS. Re ssh I wonder what /dev/random info it gets to randomize and
> generate keys, mouse movements? PC Fan variations?
>
> --
> Peter Leftwich, Owner
> Video2Video Services
> Box 13692, La Jolla, CA, 92039, USA
> http://Www.Video2Video.Com
> _______________________________________________
> SDBUG mailing list
> SDBUG at sdbug.org
> http://lists.sdbug.org/mailman/listinfo/sdbug
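The self-signed route described above, as an added example that is not part of anyone's post in this thread: it mints a certificate with OpenSSL and then checks why such a certificate verifies against itself but not against the browser's trust store. The hostname, output directory and lifetime are constructed values.

```shell
#!/bin/sh
# Added example (not from the list post): mint a self-signed X.509
# certificate for an HTTPS service with OpenSSL and check the result.
# Hostname, output directory and lifetime below are constructed values.
set -eu

# gen_self_signed HOST OUTDIR [DAYS]
gen_self_signed() {
  host="$1"; outdir="$2"; days="${3:-365}"
  mkdir -p "$outdir"
  # -x509 emits a certificate instead of a CSR; -nodes leaves the key
  # unencrypted so the service can start unattended; -addext adds the
  # subjectAltName that current browsers require (CN alone is ignored).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null
  chmod 600 "$outdir/$host.key"   # the private key is the whole secret
}

# A self-signed certificate is its own issuer: it verifies when it is
# itself the trust anchor, and fails against the system store, which is
# exactly the "authenticity not verified" warning the browser shows.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# cert_has_san CRT HOST: confirm the DNS name made it into the SAN.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

demo() {
  dir=$(mktemp -d)
  gen_self_signed mail.example.com "$dir" 365
  if is_self_signed "$dir/mail.example.com.crt" &&
     cert_has_san "$dir/mail.example.com.crt" mail.example.com; then
    echo "self-signed certificate and key written to $dir"
  else
    echo "certificate checks failed" >&2
    return 1
  fi
}

demo
```

Point a web server at the generated `.crt`/`.key` pair and the browser will show the warning Peter describes, since nothing in its trust store vouches for the certificate; only installing the certificate (or a CA you run) as a trust anchor removes it.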