1ser2net.yaml(5)               File Formats Manual              ser2net.yaml(5)
2
3
4

NAME

6       /etc/ser2net/ser2net.yaml - Serial to network proxy configuration file
7
8

DESCRIPTION

10       ser2net  used to be a program for connection network connections to se‐
11       rial ports.  It's now a program for connecting accepter gensio to  con‐
12       necting gensios.  See gensio(5) for details on gensios.
13
14       ser2net  is  configured  with  YAML, which is flexible and easy to use.
15       Look at yaml documentation on the internet for how that works.
16
17       However, there are two types of YAML files that ser2net can  use:  ver‐
18       sion  1  and version 2.  Version 1 YAML files have more capability than
19       version 2 files, but they are non-standard YAML, a standard YAML parser
20       cannot  read them.  ser2net will autodetect the version based upon what
21       it finds.
22
23       In version 2, you can have multiple documents in  a  file  and  ser2net
24       will  read all of them.  YAML separates documents in a file with a sin‐
25       gle "---" by itself at the beginning of a line.  Though  you  can  only
26       have one set of defaults, defines, connections, etc. in a document, you
27       can have multiple documents in a file to  allow  more  than  one.   You
28       might,  for  instance,  group all the connections with a certain set of
29       defaults into its own document.
30
31

DEFINE SPECIFICATION

33       YAML has the ability to create aliases that can be  used  elsewhere  in
34       the  configuration  file.   These can be used for tying things together
35       between parts of the file, or (as an extension to YAML) for string sub‐
36       stitution.
37
38       You define an alias in version 1 with the following:
39
40              define: &aliasname alias text
41
42       This  will  create  an  alias with the given name.  Then you can use it
43       elsewhere like:
44
45              banner: *aliasname
46
47       and the banner will be "alias text".  Unlike  standard  YAML,  you  can
48       also use this inside strings using
49
50              *(aliasname)
51
52       so if you have
53
54              banner: My banner *(aliasname) is here
55
56       The  banner will be "My banner alias text is here".  See the YAML docu‐
57       mentation for how spaces are handled, but as a note, use quotes if  you
58       are not sure, like:
59
60              define: &aliasname "alias text"
61              banner: "My banner *(aliasname) is here"
62
63       If you for some reason need "*(" in your text, use "*(*" for that.
64
65       For version 2 YAML files, the definition is:
66
67              defines:
68                aliasname: alias text
69                aliasname2: alias text 2
70
71       where  you can list as many aliases as you like.  In version 2, you al‐
72       ways refer to an alias with "=" instead of "*", like:
73
74              banner: "My banner =(aliasname) is here"
75
76       and if you for some reason need "=(" in your text, use "=(=" for that.
77
78       In version 2, per standard YAML, you can only have one defines section,
79       so they must all be together.
80
81

INCLUDING OTHER FILES

83       A YAML file may include another file at the main level, with:
84
85              include: <filename>
86
87       This filename can include globs, and all referenced files are included.
88       These must be full yaml files, but are  included  in  context  at  this
89       point,  with  all the defines, connection names, etc.  This can let you
90       have individual connections in individual files to ease management.
91
92       In version 2, You can only have one include in each document for  legal
93       YAML,  so  if you need multiple includes you will have to have multiple
94       documents.
95
96

USING EXTERNAL FILES

98       You may want to store passwords and such in external files  for  better
99       security.   For  version 1, putting "*{filename}" in a YAML scalar will
100       put the file's contents into the scalar at that point.  If you  need  a
101       "*{" in the string for some reason, use "*{*".
102
103       For  version 2, use "={filename}" instead.  And "={=" to include a "={"
104       in a file.
105
106

CONNECTION SPECIFICATION

108       A connection is a structure that describes how to connect an  accepting
109       gensio to a connecting gensio.
110
111       An connection specification in version 1 starts with:
112
113              connection: &<alias>
114                     <definition>
115
116       In version 2, it's specified as:
117              connections:
118                     <alias>:
119                            <definition>
120
121       In version 2, all the connections must occur together in one place.
122
123       The  <definition> of a connection is the same for version 1 and version
124       2:
125              accepter: <accepter>
126              timeout: <number>
127              enable: on|off
128              connector: <connector>
129              options:
130                     <option name>: <option value>
131                     <option name>: <option value>...
132
133       An <accepter> is an accepting gensio specification.  When  ser2net  re‐
134       ceives  a  connection on the accepter, it attempts to make a connection
135       to the <connector> gensio.  The alias is required,  it  sets  the  name
136       that  is  used for the connection in the admin interface and for refer‐
137       encing from rotators.
138
139       If the connection receive no activity  in  <timeout>  seconds,  ser2net
140       will  close  the  connection.   Setting  <timeout> to zero disables the
141       timeout.  The timeout field is optional and defaults to zero.
142
143       The connection may be enabled or disabled with the enable.  The  enable
144       field  is  optional and defaults to on.  This is useful for temporarily
145       disabling port by setting enable to off and sending a SIGHUP.  If there
146       are users connected and you disable a port and send a SIGHUP, the users
147       will be kicked off.
148
149       An option is a configuration setting that doesn't have anything  to  do
150       with  specific  gensios, they are controls for ser2net in general.  The
151       option section is optional.
152
153       See gensio(5) for a lot  of  information  about  the  specific  gensios
154       available.
155
156       To  allow  a  TCP connection to a serial port and ignore modem control,
157       you can do:
158              connection: &toS0tcp
159                     accepter: tcp,1234
160                     connector: serialdev,/dev/ttyS0,local
161
162       Both accepting and connecting gensios stack, so if you want to add tel‐
163       net with RFC2217 support, you can do:
164              connection: &toS0telnet
165                     accepter: telnet(rfc2217),tcp,1234
166                     connector: serialdev,/dev/ttyS0,local
167
168       If you want to accept a telnet over SCTP connection only on IPv6 local‐
169       host and connect to a telnet connection with SSL over tcp, you can do:
170              connection: &tomyhost
171                     accepter: telnet,sctp,::1,1234
172                     connector: telnet,ssl,tcp,myhost.domain.org,1234
173
174       RFC2217 support only make sense with a  serial-capable  device  as  the
175       connector.   Also  note  that  IPv6 is fully supported.  Accepters will
176       generally default to being both IPv4 and IPv6 unless  otherwise  speci‐
177       fied.  See gensio(5) for details.
178
179       And yes, SCTP is supported and is highly recommended if you can use it.
180       Multi-homing alone is worth it.
181
182       You could create a secure login with telnet RFC2217 support  that  then
183       connects to an IPMI sol connection.  Notice how splitting the connector
184       line is done with YAML.
185              connection: &authsol
186                     accepter: telnet(rfc2217),mux,certauth,ssl,sctp,1234
187                     connector: ipmisol,lan -U ipmiusr -P test -p 9001
188                                   ipmiserver.domain.org,9600
189                     options:
190                            banner: My banner
191
192       These are some examples.  For SSL and certauth, I have ignored the  au‐
193       thentication  configuration,  more on that later.  Using authentication
194       is strongly recommended, it's easy now with gtlssh and if you  need  to
195       use  it  from  a  program, it's easy with gensio.  There is even python
196       support.  Adding support for other scripting languages shouldn't be too
197       hard.
198
199
200   SPECIAL STRING HANDLING
201       Some string values, like banners, have special formatting for inserting
202       various values.  These are all prepended  with  '\'.   This  takes  the
203       standard "C" \x characters.
204
205         \a - bell
206         \b - backspace
207         \f - form feed
208         \n - newline
209         \r - carriage return
210         \t - tab
211         \v - vertical tab
212         \\ - \
213         \? - ?
214         \' - '
215         \" - "
216         \nnn - octal value for nnn
217         \xXX - hex value for XX
218         \d - The connector string (/dev/ttyS0, etc.)
219         \o - The name of the connection.
220         \p - Network port number
221         \B - The serial port parameters (eg 9600N81) if applicable
222         \Y -> year
223         \y -> day of the year (days since Jan 1)
224         \M -> month (Jan, Feb, Mar, etc.)
225         \m -> month (as a number)
226         \A -> day of the week (Mon, Tue, etc.)
227         \D -> day of the month
228         \e -> epoc (seconds since Jan 1, 1970)
229         \U -> microseconds in the current second
230         \p -> local port number
231         \I -> remote IP address (in dot format)
232         \H -> hour (24-hour time)
233         \h -> hour (12-hour time)
234         \i -> minute
235         \S -> second
236         \q -> am/pm
237         \P -> AM/PM
238
239       These  sequences  may  be used to make the filename unique per open and
240       identify which port/device the filename was for.  Note  that  in  file‐
241       names when using \d or \o, everything up to and including last / in the
242       device name is removed, because you can't have a / in a  filename.   So
243       in a filename /dev/ttyS0 would become just ttyS0.
244
245       Note  that  in  banners and other strings going out (not filenames) you
246       must use \r\n to send a new line; this is raw handling and \n will only
247       go down one line, it will not return to the beginning of the line.
248
249
250   CONNECTION SPECIFICATION OPTIONS
251       kickolduser: true|false sets the port so that the previous user will be
252       kicked off if a new user comes in.  Useful if you  forget  to  log  off
253       from someplace else a lot.
254
255       banner:  <banner  string>  displays the given banner when a client con‐
256       nects.  It uses string handling as described in  "SPECIAL  STRING  HAN‐
257       DLING" above.
258
259       signature:  <signature  string>  sends RFC2217 signature on clients re‐
260       quest.  This may be an empty string.
261
262       openstr: <openstr name string> Send the given string to the  device  on
263       first  open.   This may be an empty string.  It uses string handling as
264       described in "SPECIAL STRING HANDLING" above.
265
266       closestr: <closestr name> Send the given string to the device on  final
267       close.   This  may  be an empty string.  It uses string handling as de‐
268       scribed in "SPECIAL STRING HANDLING" above.
269
270       closeon: <closeon string> If the given string is seen coming  from  the
271       connector side of the connection, close the connection.  The comparison
272       here is, for simplicity, simplistic.  Complex expressions with  repeti‐
273       tive  things  may not compare correctly.  For instance, if your closeon
274       strings is "ababc" and your input strings is "abababc", the  comparison
275       will  fail  because  the comparison algorithm will see "ababa" and will
276       fail on the final "a" and start over at "abc", which won't match.  This
277       shouldn't  cause  a problem most cases, but if it does, contact the au‐
278       thors and it can be improved.
279
280       accepter-retry-time: <time in seconds> If the accepter does not come up
281       at startup, wait this many seconds and retry it.
282
283       connector-retry-time:  <time in seconds> On a connect-back port, if the
284       connector does not come up or goes down.  wait this  many  seconds  and
285       retry it.
286
287       trace-read: <filename> When the acceptor is opened, open the given file
288       and store all data read from the physical device (and thus  written  to
289       the  client's  network/acceptor port) in the file.  If the file already
290       exists, it is appended.  The file is closed when the  port  is  closed.
291       The  filename uses string handling as described in "SPECIAL STRING HAN‐
292       DLING" above.
293
294       trace-write: <filename> Like tr, but traces data written  to  the  con‐
295       necting gensio.
296
297       trace-both:  <filename>  trace  both  read and written data to the same
298       file.  Note that this is independent of tr and tw, so you may be  trac‐
299       ing read, write, and both to different files.
300
301       trace-hexdump:  true|false  turns  on/off  hexdump  output to all trace
302       files.  Each line in the trace file will be 8 (or less) bytes in canon‐
303       ical hex+ASCII format.  This is useful for debugging a binary protocol.
304
305       trace-timestamp:  true|false  adds/removes  a  timestamp  to all of the
306       trace files. A timestamp is prepended to each line if hexdump is active
307       for  the  trace file.  A timestamped line is also recorded in the trace
308       file when a remote client connects or disconnects from the port.
309
310       [trace-read-|trace-write-|trace-both-]hexdump: true|false turns  on/off
311       hexdump  output for only one trace file.  May be combined with hexdump.
312       Order is important.
313
314       [trace-read-|trace-write-|trace-both-]timestamp:  true|false   adds/re‐
315       moves  a  timestamp  to  only  one the trace files May be combined with
316       [-]timestamp.  Order is important.
317
318       telnet-brk-on-sync: true|false causes a telnet sync operation to send a
319       break.  By default data is flushed until the data mark, but no break is
320       sent.
321
322       chardelay: true|false enables the small wait after each  character  re‐
323       ceived  on  the  connecting  gensio before sending data on the accepted
324       gensio.  Normally ser2net will wait the time it takes to receive 2  se‐
325       rial  port characters, or at least 1000us, before sending.  This allows
326       more efficient use of network resources when receiving large amounts of
327       data, but gives reasonable interactivity.  Default is true.
328
329       Note  that  this  feature is designed to balance network efficiency and
330       interactivity.  It is not designed to give guarantees of minimum  chunk
331       of  data  size,  as task scheduling and network stacks can modify these
332       things, too.
333
334       chardelay-scale: <number> sets the time, measured in tenths  of  serial
335       port  characters, to wait after receiving from nothing from the connec‐
336       tion before sending to the accepted gensio.  So setting this to 25 will
337       cause ser2net to wait the amount of time it takes to receive 2.5 serial
338       port characters after receiving the last character before  sending  the
339       data  on  to the TCP port.  The default value is 20, max is 1000.  This
340       is ignored for non-serial gensios.
341
342       chardelay-min: <number> is the same  as  chardelay-scale,  but  in  mi‐
343       croseconds.   The  larger of chardelay-scale and chardelay-min is used.
344       The default value is 1000, max is 100000.
345
346       chardelay-max: <number> sets the maximum delay that ser2net will  wait,
347       in  microseconds, after receiving a character, before sending the data.
348       The default value is 20000, max is 1000000.  This keeps the  connection
349       working smoothly at slow speeds.
350
351       sendon:  <sendon  string>  If  the given string is seen coming from the
352       connector side of the connection, sends buffered data up to and includ‐
353       ing  the string. Disabled by default. As an example, this can be set to
354       \r\n with appropriate chardelay settings to send one line  at  a  time.
355       It  uses  string  handling  as  described  in "SPECIAL STRING HANDLING"
356       above.  See the notes on the closeon string for  important  information
357       on how the comparison is done.
358
359       dev-to-net-bufsize:  <number>  sets the size of the buffer reading from
360       the connecting gensio and writing to the accepted gensio.
361
362       net-to-dev-bufsize: <number> sets the size of the buffer  reading  from
363       the accepted gensio and writing to the connecting gensio.
364
365       led-tx:  <led-alias>  use the previously defined led to indicate serial
366       tx traffic on this port.  For version 2 this should be  a  YAML  alias,
367       like *led2.  For version 2 just use the name, like led2.
368
369       led-rx:  <led-alias>  use the previously defined led to indicate serial
370       rx traffic on this port.  For version 2 this should be  a  YAML  alias,
371       like *led2.  For version 2 just use the name, like led2.
372
373       max-connections:  <number>  set  the maximum number of connections that
374       can be made on this particular TCP port.  If you  make  more  than  one
375       connection  to the same port, each ports output goes to the device, and
376       the device output goes to all ports simultaneously.  See "MULTIPLE CON‐
377       NECTIONS" below for details.  The default is 1.
378
379       remaddr:  <addr>[;<addr>[;...]]   specifies  the allowed remote connec‐
380       tions, where the addr is a standard address, generally in the form  <ip
381       address>,<port>.   Multiple  addresses  can be separated by semicolons,
382       and you can specify remaddr more than once.
383
384       If you set the port for an address to zero, ser2net will accept a  con‐
385       nection from any port from the given network host.
386
387       no-con-to-acc:  true|false  If  true, do not transfer any data from the
388       connector to the accepter.  Throw any data received from the  connecter
389       away.
390
391       no-acc-to-con:  true|false  If  true, do not transfer any data from the
392       accepter to the connecter.  Throw any data received from  the  accepter
393       away.
394
395       connback:  <connector>[;<connector>[;...]]   specifies  reverse connec‐
396       tions that will be made when data comes in on the  device.   When  data
397       comes  in  on the device side (the connection's main connector) ser2net
398       will connect to each connback specified.  No connection is  made  until
399       data comes in, and normal connection timeouts apply.
400
401       Note  that  this  will  use one of the connection's connections all the
402       time.  You may need to increase max-connections if you need  more  than
403       one or want to accept incoming connections, too.
404
405       Connect  back  addresses must match the format of the accepter address.
406       So, for instance, if your accepter is  "telnet,tcp,1234"  your  connect
407       back address must be something like "telnet,tcp,hostname,1123".
408
409       The  port  will send no data to any connect back unless all the connect
410       backs are connected.
411
412       A connect back port can also have connections made to it if you set the
413       number  of  connections  larger than the number of connect backs speci‐
414       fied.  However, those connections will receive no data  from  the  port
415       uness all connect backs have been established.
416
417       connback-timeout:  <time  in  seconds> specifies a separate timeout for
418       connect back ports.  Normally it uses the main timeout, this  lets  you
419       have  a different one.  Setting it to zero, like the main timeout, dis‐
420       ables the timeout.
421
422       authdir: <directory string> specified the authentication  directory  to
423       use for this connection.
424
425       pamauth:  <service  name>  Enables  PAM authentication and sets the PAM
426       service name.
427
428       allowed-users: <space separated list of names> The users that  are  al‐
429       lowed  to  use this connections.  This has no meaning if authentication
430       is not enabled on the connections.  If this is not  set  or  defaulted,
431       all  users  are allowed.  If this is set to an empty set of users, then
432       no users are allowed.  This may be specified more than once,  each  one
433       adds more users.
434
435       mdns:  true|false Enables/disables mdns support for the connection.  If
436       you set this and mdns is available, ser2net will create  a  service  on
437       mdns for the port.
438
439       mdns-interface:  <num> Sets the specific network interface to advertise
440       the device.  Defaults to -1, which means all network interfaces.
441
442       mdns-nettype: unspec|ipv4|ipv6 Sets which network type to  provide  for
443       the  device advertisement.  Defaults to unspec, which means do ipv4 and
444       ipv6.
445
446       mdns-name: <string> Sets the name in the mDNS advertisement.   Defaults
447       to the connection name.
448
449       mdns-type:  <string> Sets the type in the mDNS advertisement.  Defaults
450       to "_iostream._xxx" where xxx is either tcp, udp # # or  sctp  base  on
451       the gensio type.
452
453       mdns-domain:  <string>  Sets  the  name in the mDNS advertisement.  De‐
454       faults to the system setting.  Don't set this unless  you  really  know
455       what you are doing.
456
457       mdns-host:  <string> Sets the host in the mDNS advertisement.  Defaults
458       to the system setting.  Don't set this unless you really know what  you
459       are doing.
460
461       mdns-txt:  <string>  Adds a text string to the mDNS advertisement.  The
462       string should be in the form "name=value".  You can  put  anything  you
463       want  in  the  strings.   Two  default  strings  are  added by ser2net:
464       "provider=ser2net" and "gensiostack=..." where the stack of gensios  is
465       added, like "telnet(rfc2217),tcp)".  The idea of gensiostack is you can
466       just tack on the  address  to  the  end  an  make  a  connection  using
467       str_to_gensio().
468
469       mdns-sysattrs:  true|false  On  Linux adds system attributes from sysfs
470       for USB serial ports to the mDNS txt fields.  If  the  serial  port  is
471       USB,  it  adds "devicetype=serialusb" and the following attributes from
472       sysfs: bInterfaceNumber, interface, idProduct, idVendor, serial,  manu‐
473       facturer,  product.   If  they  are  not present in sysfs, they are not
474       added.  If the serial port is  not  USB,  then  "devicetype=serial"  is
475       added.
476
477       Note:  Be *very* careful when using a gensiostack with str_to_gensio().
478       Just blindly calling str_to_gensio() with it could result  in  signifi‐
479       cant security issues, as it can pass pty, stdio, trace, etc. gensios in
480       it.  You must either validate that the stack is a safe set or just  use
481       it for information.  You have been warned.  Be careful.
482

ROTATOR

484       A  rotator  allows  a  single network connection to connect to one of a
485       number of connections.
486
487       A version 1 rotator specification starts with:
488              rotator: &<alias>
489                     <definition>
490
491       A version 2 rotator specification starts with:
492
493              rotators:
494                     <alias>:
495                            <definition>
496
497       Just like connections, in version 2 you have to put  all  the  rotators
498       together.
499
500       The  definition  of  a rotator is almost the same between version 1 and
501       version 2:
502
503              accepter: <accepter>
504              connections: [
505                     <connection alias>,
506                     <connection alias>....
507              ]
508              options:
509                     <option name>: <option val>
510                     <option name>: <option val>...
511
512       A rotator has four possible options,  "authdir",  "pamauth",  "allowed-
513       users", and "accepter-retry-time", both same as connections.
514
515       For  version  1,  you should use YAML aliases for the connections.  For
516       version 2, just use the alias names.
517
518       Connections to the accepter will go through the set of connections  and
519       find the first unused one and use that.  The next connection will start
520       after the last connection used.  Note  that  disabled  connections  are
521       still accessible through rotators.
522
523       Note that the security of the connection is NOT used, only the security
524       of the rotator.
525
526

SER2NET DEFAULTS

528       To set a default in version 1, do:
529              default:
530                     name: <default name>
531                     value: <default value>
532                     class: <default class>
533
534       In version 2, like other things, the defaults are all in one place in a
535       document, like:
536              defaults:
537                     <name>:
538                            value: <default value>
539                            class: <default class>
540                     <name2>:
541                            value: <default value>
542                            class: <default class>
543
544       The  class is optional, if it is not there it sets the base default for
545       all classes that is used unelss overridden for a  specific  class.   If
546       the  class  is  there, it sets the default for a specific gensio class.
547       There is also a ser2net class that is for ser2net specific options.
548
549       The class is useful if you want different values for  different  gensio
550       types.   For  instance,  if  you wanted all serial ports to run at 9600
551       baud and all IPMI SOL connections to run at 115200 baud, you could do:
552              default:
553                     name: speed
554                     value: 9600
555                     class: serialdev
556              default:
557                     name: speed
558                     value: 115200
559                     class: ipmisol
560
561       The value is also optional, if it is not present a string value is  set
562       to NULL and an integer value is set to 0.
563
564       The order in the file is important, you must set a default before it is
565       used, and you can change the value of the default.  It will affect  all
566       uses following the setting.
567
568       To  delete a default value for class (so it will use the base default),
569       for version 1 do:
570              delete_default:
571                     name: <default name>,
572                     class: <default class>
573
574       For version 2, do:
575              delete_defaults:
576                     <default name>: [ <class1>, <class2>, ... ]
577                     <default name2>: [ <class1>, <class2>, ... ]
578       and it will delete the defaults for the classes in the list after it.
579
580       You must supply the class, you cannot delete base defaults.
581
582       The following default values are specific to ser2net, given with  their
583       default values:
584
585       telnet-brk-on-sync: false
586              If a telnet sync is received, send a break on the connected gen‐
587              sio (if applicable).  By default data is flushed until the  data
588              mark, but no break is sent.
589
590       kickolduser: false
591              If  a new user comes in on a connection that already has a user,
592              kick off the previous user.
593
594       chardelay: true
595              Enable asmall wait after each character received on  the  serial
596              port before sending data on the TCP port.  Normally ser2net will
597              wait the time it takes to receive 2 serial port  characters,  or
598              at  least  1000us,  before sending on the TCP port.  This allows
599              more efficient use of network  resources  when  receiving  large
600              amounts of data, but gives reasonable interactivity.
601
602       chardelay-scale: 20
603              sets  the number of serial port characters, in tenths of a char‐
604              acter, to wait after receiving from the serial port and  sending
605              to  the  TCP  port.  So setting this to 25 will cause ser2net to
606              wait the amount of time it takes  to  receive  2.5  serial  port
607              characters before sending the data on to the TCP port.  This can
608              range from 1-1000.
609
610       chardelay-min: 1000
611              sets the minimum delay that ser2net will wait, in  microseconds.
612              If  the  calculation  for  chardelay-scale  results  in  a value
613              smaller than this number, this number will be used instead.  The
614              default value is 1000.  This can range from 1-100000.
615
616       net-to-dev-bufsize: 64
617              sets  the  size  of the buffer reading from the network port and
618              writing to the serial device.
619
620       dev-to-net-bufsize: 64
621              sets the size of the buffer reading from the serial  device  and
622              writing to the network port.
623
624       max-connections: 1
625              set  the  maximum number of connections that can be made on this
626              particular TCP port.  If you make more than  one  connection  to
627              the same port, each ports output goes to the device, and the de‐
628              vice output goes to all  ports  simultaneously.   See  "MULTIPLE
629              CONNECTIONS" below.  for details.
630
631       remaddr: [!]<addr>[;[!]<addr>[;...]]
632              specifies  the  allowed  remote connections, where the addr is a
633              standard address in the form (see "network port" above).  Multi‐
634              ple  addresses can be separated by semicolons, and you can spec‐
635              ify remaddr more than once.  If you set the port for an  address
636              to zero, ser2net will accept a connection from any port from the
637              given network host.  If a "!" is given at the beginning  of  the
638              address,  the address is a "connect back" address.  If a connect
639              back address is specified, one of the network  connections  (see
640              max-connections) is reserved for that address.  If data comes in
641              on the device, ser2net will attempt to connect to  the  address.
642              This works on TCP and UDP.
643
644       authdir: /usr/share/ser2net/auth
645              The  authentication  directory  for ser2net.  The AUTHENTICATION
646              for more details.
647
648       authdir-admin: /etc/ser2net/auth
649              The authentication directory for ser2net for admin  connections.
650              The "ADMIN_CONNECTIONS" for more details.
651
652       pamauth: <NULL>
653              The  PAM service name for ser2net PAM authentication (<NULL> for
654              disabled).
655
656       pamauth-admin: <NULL>
657              The PAM service name for ser2net admin connection PAM  authenti‐
658              cation  (<NULL>  for disabled). See "ADMIN_CONNECTIONS" for more
659              details.
660
661       mdns-interface: -1
662              The default mDNS interface.
663
664       mdns-type: <NULL>
665              The default mDNS type.
666
667       mdns-domain: <NULL>
668              The default mDNS domain.
669
670       mdns-host: <NULL>
671              The default mDNS host.
672

ADMIN CONNECTIONS

674       There is an admin accepter that you can define for ser2net, it lets you
675       log  in, look at status, and change some things.  See "ADMIN INTERFACE"
676       in ser2net(8) for detail on how to use it.  The format is:
677              admin: [&<name>]
678                     accepter: <accepter>
679                     options:
680                            <option name>: <option value>
681                            <option name>: <option value>...
682
683       The following authentications options  available  are  "authdir-admin",
684       which  sets  the  authentication  directory for the admin port and "pa‐
685       mauth-admin" which sets the PAM service name and enables PAM  authenti‐
686       cation.  Both are different than "authdir" resp.  "pamauth" for connec‐
687       tions, though you can set it to the same value.
688
689       In addition, the same mdns option are available for admin ports as  are
690       available for connections.  And you can set an optional alias that will
691       also set the mdna name.
692
693       Like connections,  default  mdns  options  work  for  "mdns-interface",
694       "mdna-type",  "mdns-domain",  and "mdns-host".  Unlike connections, the
695       "mdns" boolean does not come from the default, you must specify  it  as
696       an  admin  option to turn on mdns for the admin port.  This is to allow
697       it to be specified separately and maintain backwards compatibility.
698
699

LEDS

701       ser2net can flash LEDs during serial activity.  To  create  an  LED  in
702       version 1, do:
703              led: &<alias>
704                     driver: sysfs
705                     options:
706                            <option name>: <option value>
707                            <option name>: <option value>
708
709       In version 2, use:
710              leds:
711                     <alias>:
712                            driver: sysfs
713                            options:
714                                   <option name>: <option value>
715                                   <option name>: <option value>
716                     <alias>:
717                            driver: sysfs
718                            options:
719                                   <option name>: <option value>
720                                   <option name>: <option value>
721
722       The only supported driver is sysfs.  Supported options are:
723
724       device:   <sysfs   device   name>   gives   the  name  of  the  LED  in
725       /sys/class/led.  These generally have ":" in them, so you will need  to
726       put the name in quotes.  This is required.
727
728       duration:  <time in ms> The time in milliseconds to flash the LED.  De‐
729       faults to 10.
730
731       state: <number> The value to set the LED to to enable it.  Defaults  to
732       1, but may need to be a different value.
733
734       You  reference  the LED by alias in the connection options section, see
735       that for details.  Make sure you have "modprobe ledtrig-transient" done
736       or the triggers will not work, they require the transient trigger.
737
738       You also probably need root access to access LED settings.
739
740

FILENAME, BANNER, AND STRING FORMATTING

742       NOTE: yaml has it's own quoting mechanism, see below for more details.
743
744       Filenames,  banners,  open/close  strings,  closeon strings, and sendon
745       strings may contain normal "C" escape sequences and a large  number  of
746       other escape sequences, too:
747
748         \a - bell
749         \b - backspace
750         \f - form feed
751         \n - newline
752         \r - carriage return
753         \t - tab
754         \v - vertical tab
755         \\ - \
756         \? - ?
757         \' - '
758         \" - "
759         \nnn - octal value for nnn
760         \xXX - hex value for XX
761         \d - The connecting gensio string (serialdev,/dev/ttyS0, etc.)
762         \o  -  The device as specified on the config line (before DEVICE sub‐
763         stitution)
764         \N - The port name
765         \p - The accepter string
766         \B - The serial port parameters (eg 9600N81)
767         \Y -> year
768         \y -> day of the year (days since Jan 1)
769         \M -> month (Jan, Feb, Mar, etc.)
770         \m -> month (as a number)
771         \A -> day of the week (Mon, Tue, etc.)
772         \D -> day of the month
773         \e -> epoc (seconds since Jan 1, 1970)
774         \U -> microseconds in the current second
775         \p -> local port number
776         \I -> remote address of the accepter gensio
777         \H -> hour (24-hour time)
778         \h -> hour (12-hour time)
779         \i -> minute
780         \S -> second
781         \q -> am/pm
782         \P -> AM/PM
783
784       In addition, for backwards compatibility because filenames and  banners
785       used  to have different formatting, \s is the serial port parameters if
786       in a banner and seconds if in a filename.  Use of this  is  discouraged
787       as it may change in the future.
788
789       These  sequences  may  be used to make the filename unique per open and
790       identify which port/device the filename was for.  Note  that  in  file‐
791       names when using \d or \o, everything up to and including last / in the
792       device name is removed, because you can't have a / in a  filename.   So
793       in a filename /dev/ttyS0 would become just ttyS0.
794
795
796   HANDLING QUOTING AND STRING FORMATTING
797       yaml will process "\" escape sequences in double quotes, so use of dou‐
798       ble quotes is note recommended for the above.  If you put the values in
799       single quotes, yaml will not process them and instead pass them through
800       where they can be processed by ser2net.
801
802

SPACES, QUOTING AND PUTTING SPACES IN STRINGS

804       YAML and the accepter/connector processing interact when  dealing  with
805       quoting.   By  default,  YAML ignores the number of spaces between ele‐
806       ments separated by spaces.  Lines that are indented  after  an  element
807       are considered a continuation of the element, so something like:
808              connector: serialdev,/dev/ttyUSB0,
809                     9600n81
810                     local nobreak
811                     rtscts
812       is the same as
813
814              connector: serialdev,/dev/ttyUSB0, 9600n81 local nobreak rtscts
815
816       YAML has it's own standard quoting mechanisms, so if you do:
817
818              connector: "serialdev,/dev/ttyUSB0,9600n81  local"
819
820       the two spaces before "local" will be preserved when passed to the con‐
821       nector processing (though in this case it won't matter because the con‐
822       nector processing will ignore the extra spaces).
823
824       If you need a significant space, say in a filename passed to a key, You
825       cannot do:
826
827              accepter: ssl(CA=/etc/ser2net/my CA/),tcp,3000
828
829       because the accepter processing will split the arguments at  the  space
830       and won't recognize what "CA/" is.  You also cannot do:
831
832              accepter: ssl(CA="/etc/ser2net/my CA/"),tcp,3000
833
834       because YAML will remove the quotes, this is functionally equivalent to
835       the previous example. And
836
837              accepter: ssl(CA="/etc/ser2net/my\ CA/"),tcp,3000
838
839       also will not work, inside of double quotes YAML will convert "\ " to a
840       space.  You have a couple of options.  You can do:
841
842              accepter: ssl(CA=/etc/ser2net/my\ CA/),tcp,3000
843
844       or
845
846              accepter: ssl(CA='/etc/ser2net/my\ CA/'),tcp,3000
847
848       because  outside  of  quotes YAML will not process the "\ " and it will
849       not process it in single quotes.  Or if you have a  lot  of  spaces  or
850       colons, too, you can do:
851
852              accepter: ssl(CA="\"/etc/ser2net/my CA/\""),tcp,3000
853
854       because inside the outside quotes YAML will convert the '\"' into a '"'
855       and pass it on to the accepter  processing  which  will  interpret  the
856       quotes as you would expect.
857
858

UDP

860       UDP  handling  is  a bit different than you might imagine, because it's
861       hard for ser2net to know where to send the data to.   To  handle  this,
862       UDP  ports  still have the concept of a "connection".  If a UDP port is
863       not connected, then if it receives a packet the remote address for that
864       packet  is  set  to the remote end of the "connection".  It will do all
865       the normal new connection operations.  ser2net will accept new  connec‐
866       tions  up to "max-connections" then ignore packets from other addresses
867       until a disconnect occurs.
868
869       Unfortunately, there is no easy way to know when  to  disconnect.   You
870       have two basic options:
871
872       •      Set  a  timeout,  if  the remote end isn't heard from before the
873              timeout, then the port is disconnected and  something  else  can
874              connect.   This means anything that is using the port must peri‐
875              odically send a packet (empty is fine) to ser2net  to  keep  the
876              connection alive.
877
878       •      Use  the kickolduser option on the port, any new connection that
879              comes in will replace the previous connection.
880
881       Note that UDP ports handle multiple connections just like TCP ports, so
882       you can have multiple UDP listeners.
883
884       You  also  have  a third option.  If you set a remote address (remaddr)
885       with a non-zero port and a connect back port (see discussion on  remote
886       addresses  above),  ser2net will take one of the connections and assign
887       it to that port permanently.  This is called a  fixed  remote  address.
888       All  the traffic from the device will go to that port.  Every fixed re‐
889       mote address on a UDP port has to have a corresponding  connection,  so
890       if  you have 3 fixed remote addresses, you must have at least 3 connec‐
891       tions.
892
893

MULTIPLE CONNECTIONS

895       As mentioned earlier, you can set max-connections=<n> on a port to  al‐
896       low  more than one connection at a time to the same serial port.  These
897       connections will share all the settings.  You cannot have two  separate
898       TCP ports connect to the same port at the same time.
899
900       This has some significant interactions with other features:
901
902       flow  control is not exactly a feature, but more an interaction between
903       the different connections.  If a TCP port  stops  receiving  data  from
904       ser2net, all TCP ports connected will be flow-controlled.  This means a
905       single TCP connection can stop all the others.
906
907       closeon will close all connections when the closeon sequence is seen.
908
909       openstr is only sent when the port is unconnected and the first connec‐
910       tions is made.
911
912       closestr  is  only sent when the last port disconnects and there are no
913       more connections to the port.
914
915       Any monitor ("monitor start" from a control connections) will catch in‐
916       put from all network connections.
917
918       kickolduser  will kick off an existing connection if a connection comes
919       in on a port that already has a maximum  number  of  connections.   The
920       connection  kicked  off is arbitrarily chosen and the algorithm is sub‐
921       ject to change.
922
923       tracing will trace data from all network connections.
924
925       rfc2217 (remote telnet serial control) will change the connection  set‐
926       tings on the device and will be accepted from any network connection.
927
928       reconfig on SIGHUP See ser2net(8) "SIGHUP" section for details.
929
930       ROTATOR  will  only choose a port if there are no connections at all on
931       the port.  Note that the use of a rotator with a port with  max-connec‐
932       tions > 1 will result in undefined behavior.
933
934       timeout  will be per TCP port and will only disconnect that TCP port on
935       a timeout.
936
937       telnet_brk_on_sync will send a break for any TCP port that does a sync.
938
939       showport in the admin interface will show all possible connections,  so
940       if you say max-connections=3 you will get three entries.
941
942       showshortport in the admin interface will only show the first live con‐
943       nection, or if no connection is present it will show whatever the first
944       one was the last time a connection was present.
945
946

AUTHENTICATION AND ENCRYPTION

948   TCP WRAPPERS
949       ser2net  uses  the tcp wrappers interface to implement host-based secu‐
950       rity.  See hosts_access(5) for a description of the  file  setup.   Two
951       daemons  are  used  by  ser2net,  "ser2net"  is  for the data ports and
952       "ser2net-control" is for the control ports.
953
954
955   ENCRYPTION
956       ser2net supports SSL encryption using the ssl gensio.   To  enable  en‐
957       cryption, use an accepter like:
958
959              telnet,ssl,tcp,1234
960
961       Then you can use gensiot to connect:
962
963              gensiot telnet,ssl,<server>,1234
964
965       or you can install telnet-ssl and do
966
967              telnet -z ssl,secure <server> 1234
968
969       The  SSL  connection  is made using the provided keys.  In this example
970       ser2net uses the default keys (as set in the default, see those below).
971       You  can  also set them using (key=<keyfile>,cert=<certfile>) after ssl
972       above, or modify the defaults.
973
974       If you do not have genuine certificates from a  certificate  authority,
975       the  connection will fail due to certificate failure.  Getting certifi‐
976       cates this way is very inconvenient, so there is another way.  You  can
977       do:
978
979              gtlssh-keygen   --keydir   /etc/ser2net   --commonname   "`host‐
980              name`-ser2net" serverkey ser2net
981
982       to generate the default keys in /etc/ser2net (or wherever).   The  cer‐
983       tificate/key will be named /etc/ser2net/ser2net.crt|key.
984
985       NOTE:  If  you  compile  ser2net yourself, by default autoconf sets the
986       system configuration directory (normally /etc) as /usr/etc.  This is  a
987       major  annoyance  with  autoconf.  So if you don't change it, you would
988       need /usr/etc above where it says /etc.  However, generally  the  right
989       way  to  do this is to add "--sysconfdir=/etc" to the configure command
990       line when you configure ser2net.  If a distro has compiled ser2net  for
991       you, that should have done that by default, so no worries in that case.
992
993       Then copy ser2net.crt over to the user system and provide it to connec‐
994       tion commands, like:
995
996              gensiot telnet,ssl(CA=ser2net.crt),<server>,1234
997
998       or
999
1000              telnet -z ssl,secure,cacert=ser2net.crt 1234
1001
1002       Then you will have an encrypted connection.  Just make sure  your  cer‐
1003       tificates are valid.
1004
1005       Note  that the "-ser2net" at the end of the key is important because it
1006       make the subject name of the certificate more unique.  You  can  really
1007       put  anything  you  want for what you provide to keygen, as long as you
1008       rename it properly.  That will be the subject name of the certificate.
1009
1010   AUTHENTICATION WITH SSL
1011       ser2net provides a way to authenticate with SSL.  It's not  the  great‐
1012       est, but it does work.  You must enable clientauth on ssl:
1013
1014              telnet,ssl(clientauth),tcp,1234
1015
1016       or  set it in the default.  Then you must create a certificate with the
1017       username as the common name.  You can do this with:
1018
1019              gtlssh-keygen --keydir outdir --commonname username keygen  key‐
1020              name
1021
1022       which  will  generate  keyname.crt and keyname.key in outdir.  Then put
1023       keyname.crt in ser2net's <authdir>/username/allowed_certs.  By  default
1024       <authdir>  is /usr/share/ser2net/auth, but you can change that with the
1025       authdir default in the ser2net config file or by setting authdir on in‐
1026       dividual  connections  (in  case  you want different ones for different
1027       ports).  You then must rehash the allowed_certs directory:
1028
1029              gtlssh-keygen rehash <authdir>/username/allowed_certs
1030
1031       Then restart/reload ser2net and use one of these  very  long  lines  to
1032       telnet into it:
1033
1034              gensiot    telnet,ssl(CA=ser2net.crt,cert=username.crt,key=user‐
1035              name.key),<server>,1234
1036
1037              telnet        -z        ssl,secure,cacert=ser2net.crt,cert=user‐
1038              name.crt,key=username.key server 1234
1039
1040   AUTHENTICATION WITH CERTAUTH (GTLSSH)
1041       All  of  the  above is a big pain.  Fortunately there is an easier way.
1042       gtlssh is a ssh-like program, but runs over TLS  and  it  implements  a
1043       ssh-like authentication protocol using the certauth gensio.
1044
1045       ser2net  supports  this authentication system running on top of the ssl
1046       and certauth gensios.  Those gensios provide the framework for handling
1047       authentication, ser2net itself controls it.
1048
1049       This  uses  the  same authdir and allowed keys directory as before, and
1050       still requires a server certificate, but the self-signed one  generated
1051       with gtlssh-keygen works fine without doing anything special.  Add cer‐
1052       tauth to the port line:
1053
1054              telnet,mux,certauth,ssl,tcp,1234
1055
1056       and *make sure* clientauth is disabled for ssl (or ssl will  still  at‐
1057       tempt to authenticate the client).  Disabled is the default but in case
1058       you changed, the default...
1059
1060       The mux entry is because gtlssh uses the mux gensio to  allow  multiple
1061       channels  on  the  same  session.  It wasn't there with older (pre 1.2)
1062       version of gtlssh, but is required for newer one.  gtlssh  also  has  a
1063       --nomux option, just in case.
1064
1065       The  gtlssh  program  does  its  own certificate handling.  Look at the
1066       gtlssh man page for detail on that.  Take the  certificate  for  gtlssh
1067       and  put it in the authdir/username/allowed_certs directory and reshash
1068       it as before.  gtlssh will *not* use the common name  provided  in  the
1069       certificate, instead it users a username provided by gtlssh.  Then con‐
1070       nect with gtlssh:
1071
1072              gtlssh --nosctp --telnet username@server 1234
1073
1074       The --nosctp thing keep gtlssh from trying sctp, which  will  fail  be‐
1075       cause  we  put  tcp in the port line.  You could use sctp there and get
1076       all its advantages for free!  Then --nosctp would no longer be required
1077       to avoid the nagging.
1078
1079       The username is optional if it's the same as your current user.  If you
1080       have not connected to that server/port before, gtlssh will ask  you  to
1081       verify  it,  much  like  ssh  does.   If certificates, IP address, etc.
1082       change, gtlssh will tell you about it.
1083
1084       If you do not want to use a  certificate  (certificates  are  certainly
1085       preferred,  but  may not always be workable) you can use a password lo‐
1086       gin, too. You must set enable-password in the certauth  gensio  options
1087       for  passwords  to  work.  When you connect with gtlssh, if certificate
1088       validate fails, you will be prompted for the password. Password authen‐
1089       tication can be performed in two different ways.  Both are mutually ex‐
1090       clusive,  depending on whether pamauth is set or not:
1091
1092       •      To authenticate using the PAM library set the PAM  service  name
1093              via pamauth option.
1094
1095       •      Put  a  password in authdir/username/password. If it matches the
1096              first line in the password file and pamauth is not set, then au‐
1097              thentication will succeed.
1098
1099   AUTHENTICATION AND ROTATORS
1100       Rotators  are  a  special case.  BE CAREFUL.  A rotator has its own au‐
1101       thentication.  If you set up authentication on a port that is part of a
1102       rotator,  that  port's  authentication is not used.  Only the rotator's
1103       authentication is used.
1104
1105   ENCRYPTION, AUTHENTICATION, AND DEFAULT CERTIFICATES
1106       ser2net expects default certificates and public keys  in  /etc/ser2net,
1107       and  these  are  set  as gensio defaults.  This means that any outgoing
1108       connection from ser2net, whether in a connector or in a connback,  will
1109       use  these keys.  If they aren't there or have expired or something you
1110       will get confusing errors about not being able  to  open  the  certifi‐
1111       cates.
1112
1113       To  solve  this,  you can disable the certificates by adding "cert=" to
1114       the gensio specification for ssl and certauth on outgoing  connections.
1115       This  will  disable  the  certificates  for the specific gensio, and is
1116       probably what you want.  If you are making connections and authenticat‐
1117       ing  to  the remote server, the default certificate and private key are
1118       probably not what you want, either.
1119

SIGNALS

1121       SIGHUP
1122            If ser2net receives a SIGHUP, it will reread it configuration file
1123            and  make the appropriate changes.  If an inuse port is changed or
1124            deleted, the actual change will not occur until the port  is  dis‐
1125            connected.
1126
1127

ERRORS

1129       Almost all error output goes to syslog, not standard output.
1130
1131

FILES

1133       /etc/ser2net/ser2net.yaml,                    /etc/ser2net/ser2net.key,
1134       /etc/ser2net/ser2net.crt, /usr/share/ser2net
1135
1136

SEE ALSO

1138       ser2net(8) telnet(1), hosts_access(5),  gensio(5),  gtlssh(1),  gtlssh-
1139       keygen(1)
1140
1141

KNOWN PROBLEMS

1143       If they were known, they would be fixed :).
1144
1145

AUTHOR

1147       Corey Minyard <minyard@acm.org>
1148
1149
1150
1151Serial to network proxy configuratio0n6/f0i2l/e01                    ser2net.yaml(5)