Computers have been taught to distrust each other and will reject attempted connections most of the time. Nowadays, most computers and firewalls are utterly rude about it: it would be like asking someone to dance and having them ignore you as though you were invisible and inaudible. (Tony Lawrence)
Your computer needn't be the first thing your see in the morning and the last thing you see at night. (Simon Mainwaring)
A few days ago I received an email from someone looking for help with an old SCO Unix system.
I have to tell you the truth: I turn down a lot of that work now. If the proposed work is at all messy - for example, virtualizing an older version or porting code or resuscitating a piece of ancient hardware - I usually say that I'm not interested. When I say not interested, I mean REALLY not interested: I've had people come back to me saying "Name your price!" and I still turn them down. I might need the money, but I don't need the stress.
Of course I'll still help any of my "old" customers - the folks who haven't been able to move off SCO. There are darn few of them left and honestly I'm getting closer to the time when I'll express my regrets to them also, but for now it's new work that I'm most apt to reject.
This particular piece of email tugged at my conscience, though.
The sender explained that the Filepro system was running on SCO Unix 5.0.7 and that her employers had decided to remove it entirely, which made her job particularly difficult as the replacement Windows system simply didn't do what the old wheezy Filepro system did. Somehow she convinced them to give her the hardware and she was going to install it in her home office, thereby allowing her to continue to do whatever she does without excessive teeth gnashing and frustration.
So far, so good. There were, however, a few interesting wrinkles.
Comcast Business Class
Her email explained that the company had also agreed to install a Comcast Business Class internet connection, with a public IP, in her home. This was because there are other employees who will still need to access the Filepro.
Yeah, I know: you are asking why they would scrap the system if people still have to use it. I don't know.
Anyway, she went on to explain that she (apparently with some help from another consultant or two) had tried to configure the SCO with the public IP she had been given, but it simply was not working at all. Someone had steered her in my direction. She ended by explaining that her company would NOT pay for my help; she'd have to do that herself.
Finally, she already had a high speed connection and would not be giving that up - the SCO would use the Comcast; her home office computers would not.
Alarm bells were going off in my head. Connect a SCO 5.0.7 system to the Internet with a public IP? No, no, no.. this version was replaced in 2005 - it's ancient and it wasn't all that secure even then. It's probably good that she was having trouble - the darn thing should be behind a firewall!
I also felt badly that other people had let her down. I don't know if she paid them, but even if not, she still had to be frustrated by not having this working. I sighed and wrote back that I'd be happy to help and would charge her a flat $60 (my minimum charge). We arranged a time to tackle this the next morning.
Correct but wrong, wrong but correct
When we talked on the phone that morning, I explained my concerns about security. We set up a "join.me" session and she showed me what she had done for configuration. It was actually correct: the only change I would have made is to use Google DNS in resolv.conf. "Correct" doesn't mean working, though, so I asked her to switch her Windows PC into one of the Comcast router ports to find out why.
As I expected, the Comcast SMC router was handing out DHCP and the PC obtained a 10.1.10.x address immediately and had Internet access. Nothing wrong there, so all we needed to do was try DHCP with SCO. We did, but it didn't work, and ended up with a 192.168.2 address - oops!
Hmmm.. after some fumbling, I decided to put a specific 10.1.10 address on the SCO with a gateway pointing at the 10.1.10.1 router and Google DNS in resolv.conf. That didn't work though, and the indication was that no cable was plugged in. And yet, she insisted it was and that she could see lights both at the computer and the router. What the heck?
A quick scan of "hw -r pci | more" told me the problem: the system had an Intel ethernet on the motherboard, but we were configuring a PCI 3-Com in netconfig! She had plugged into the wrong ethernet jack!
She crawled under her desk and rectified that. The SCO could now reach the Internet. There were a few more things to be done, of course.
I asked her to modify /etc/ssh/sshd_config to add an "AllowUsers" line for the handful of people who need to access this. She assured me that they all have strong passwords - of course I'd rather see them use key files, but that's probably too much to ask. There are other things she could and should do with ssh configuration, but I let it go. I'll send her an email about all that later and perhaps she will do more.
I then had her login into the SMC router (default "cusadmin/highspeed" - I advised her to change that later) and led her through forwarding port 22 to the 10.1.10 address I had her assign to the SCO box. I then had her disconnect from that network and reconnect to her own and try an SSH connection.
It didn't work.
Reconnecting to the router showed me why very quickly: Comcast had NOT configured her router with the public IP address they had sold her. I had her go try the public DHCP address and of course she was able to login with ssh. I told her to complain to them and make them fix it - I didn't want to mess things up if they had not completed provisioning that. I told her to insist that they stay on the phone with her while she power cycled all equipment: SCO, router and Comcast modem to be sure the public IP still worked after that.
Happiness is a working system
At this point, she had a working system and was a lot happier than she had been. I sent my $60.00 invoice and my conscience felt reasonably assuaged. I thought about advising her to switch to Linux, but she seems to be active in what is left of the Filepro community, so someone else has surely told her that. I've done what I could and I hope she stays safe.