North American Network Operators Group
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
Re: Proper authentication model
- From: Joe Abley
- Date: Tue Jan 11 16:26:05 2005
On 11 Jan 2005, at 15:28, Kevin wrote:
On Tue, 11 Jan 2005 11:17:55 +0200, Kim Onnel <[email protected]>
wrote:
Hello,
I'd like everyones 2 cents on the BCP for network management of an ISP
PoPs, with a non-security oriented NOC,
. . .
2) An OpenBSD bastion host(s), where the NOC would ssh in, get
authenticated from TACACS+ or ssh certs, and then just telnet from
there all day,
If the OpenBSD host is located in the same physical site as the Cisco
products, you have the additional option of providing serial console
access to the console port on the Cisco devices through the OpenBSD
bastion host. To take this a step further, you can log all serial
port I/O to disk.
Using the serial console as your management port has one major
drawback (some would call it a feature), you can only have one person
(two with the AUX port) logged into a given router or switch at a
time.
To do both serial console access and continuous logging of console
output (and to allow multiple users to simultaneously access the same
console port) try rtty. It's old, and it hasn't been updated in ages,
and it turns out that's ok because it Just Works.
At ISC, we've used rtty with PCI-based multi-port serial cards, and
also with USB-based multi-port serial cards. It'll work with anything
that can present a character device in /dev.
ftp://ftp.isc.org/isc/rtty/rtty-4.0.shar.gz
Joe
|