nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Proper authentication model

From: Joe Abley <jabley () isc org>
Date: Tue, 11 Jan 2005 16:24:22 -0500


On 11 Jan 2005, at 15:28, Kevin wrote:
On Tue, 11 Jan 2005 11:17:55 +0200, Kim Onnel <karim.adel () gmail com> wrote: 


Hello,
I'd like everyones 2 cents on the BCP for network management of an ISP
PoPs, with a non-security oriented NOC,

. . .

2) An OpenBSD bastion host(s), where the NOC would ssh in, get
authenticated from TACACS+ or ssh certs, and then just telnet from
there all day,


If the OpenBSD host is located in the same physical site as the Cisco
products, you have the additional option of providing serial console
access to the console port on the Cisco devices through the OpenBSD
bastion host.  To take this a step further, you can log all serial
port I/O to disk.

Using the serial console as your management port has one major
drawback (some would call it a feature), you can only have one person
(two with the AUX port) logged into a given router or switch at a
time.
To do both serial console access and continuous logging of console output (and to allow multiple users to simultaneously access the same console port) try rtty. It's old, and it hasn't been updated in ages, and it turns out that's ok because it Just Works.
At ISC, we've used rtty with PCI-based multi-port serial cards, and also with USB-based multi-port serial cards. It'll work with anything that can present a character device in /dev. 

  ftp://ftp.isc.org/isc/rtty/rtty-4.0.shar.gz


Joe
Previous By Date Next
Previous By Thread Next

Current thread: