table of contents
SC_REMOTED(1) | General Commands Manual | SC_REMOTED(1) |
NAME¶
sc_remoted
—
SYNOPSIS¶
sc_remoted |
[-?46D ]
[-O options]
[-P port]
[-U directory]
[-c tls-certificate]
[-p tls-privatekey] |
DESCRIPTION¶
Thesc_remoted
utility provides the ability to connect
to a scamper(1) instance running remotely and interact with
it by issuing commands and receiving results in warts format. The options are
as follows:
-
?- prints a list of command line options and a synopsis of each.
-D
- causes
sc_remoted
to operate as a daemon. -4
- causes
sc_remoted
to only listen for IPv4-based connections. -6
- causes
sc_remoted
to only listen for IPv6-based connections. -O
options- allows the behavior of
sc_remoted
to be further tailored. The current choices for this option are:- allowgroup: allow members of the unix domain
socket's group to access to the unix domain sockets created by
sc_remoted
- allowother: allow anyone on the system access to the
unix domain sockets created by
sc_remoted
- select: use select(2) with all sockets, rather than epoll(2) or kqueue(2)
- tka: use TCP keepalives with all remote scamper processes, sent every 2 minutes.
- allowgroup: allow members of the unix domain
socket's group to access to the unix domain sockets created by
-P
port- specifies the port on the local host where
sc_remoted
should listen for incoming connections. -U
directory- specifies the directory on the local host where unix domain sockets corresponding to remote hosts should be placed.
-c
tls-certificate- specifies the server certificate file in PEM format to advertise to remote scamper instances.
-p
tls-privatekey- specifies the private key file in PEM format that corresponds to the
certificate file. This key should have a passphrase.
sc_remoted
will prompt for the passphrase when starting up.
EXAMPLES¶
The intended use of scamper's remote control socket is as follows. A central server with IP addresses 192.0.2.1 and 2001:db8::1 runs asc_remoted
process listening on a port for remote
scamper process, placing control sockets in a specified directory:
sc_remoted -P 31337 -U
scamper-remote-sockets
Then, a remote host with IP address 198.51.100.55 runs scamper and connects to the remote controller:
scamper -R
192.0.2.1:31337
The sc_remoted
process places a unix
domain socket in the directory corresponding to the remote process. The name
corresponds to the source IP address and port the remote scamper process
connected to controller with. If the scamper process used source port 1025,
then the unix domain socket's name will be
scamper-remote-sockets/198.51.100.55:1025
If a second remote host with IP address 2001:db8:1234::1 runs scamper and connects to the remote controller:
scamper -R
[2001:db8::1]:31337
The same sc_remoted
process will place
another unix domain socket in the directory corresponding to the remote
process. If the scamper process used source port 1026, then the unix domain
socket's name will be
scamper-remote-sockets/2001:db8:1234::1.1026
USING TRANSPORT LAYER SECURITY¶
sc_remoted
and scamper support the use of transport
layer security (TLS) using OpenSSL to authenticate and encrypt communications
between sc_remoted
and scamper. To use this support
requires a public certificate signed by a certificate authority or signed by
the certificate authority built into scamper. Scamper will verify the
certificate presented by sc_remoted
and disconnect if
the certificate presented by sc_remoted
cannot be
validated.
Generating a certificate that will be accepted by scamper requires you to create a certificate request and pass it for signing either to a certificate authority or to scamper's author, whose details are found in the authors section of this page. To generate a private key in file remotepriv.pem, and a request to sign the key in remotereq.pem:
openssl req -new -keyout
remotepriv.pem -out remotereq.pem
and then send the remotereq.pem file to the certificate authority
for signing. Do not send remotepriv.pem; that key must remain private to
you. When openssl prompts for a passphrase, choose a passphrase that is
unique and keep the passphrase secret. When your chosen certificate
authority signs your private key, it will return a file which we will call
remotecert.pem. Both remotecert.pem and remotepriv.pem are required
parameters to sc_remoted
to enable TLS support:
sc_remoted -P 31337 -U
scamper-remote-sockets -c remotecert.pem -p remotepriv.pem
and then passing the -O tls option to scamper:
scamper -R example.com:31337 -O
tls
SEE ALSO¶
scamper(1), sc_attach(1), sc_wartsdump(1), warts(5), openssl(1)AUTHORS¶
sc_remoted
was written by Matthew Luckie
<mjl@luckie.org.nz>.
September 21, 2014 | Linux 4.9.0-9-amd64 |