nanog mailing list archives
Re: Proper authentication model
From: Stephen Stuart <stuart () tech org>
Date: Wed, 12 Jan 2005 07:57:45 -0800
[...]
2) An OpenBSD bastion host(s), where the NOC would ssh in, get authenticated from TACACS+ or ssh certs, and then just telnet from there all day,
[...] (and s/telnet/ssh as has been suggested already)
3) Or just an IOS based bastion router that also runs ssh,
[...]

When crafting the ACL that restricts what source IP{,v6} addresses may ssh to the router, you may want to include each router's neighbors by both their loopback and any interface addresses that might source a packet (if your security policy permits it). Having all your loopbacks and internal interfaces in a small number of prefixes dedicated to the task can help you craft a more-maintainable ACL.

The motivation for doing this is that if dynamic routing melts down, you may find that using PMR to ssh from router to router is helpful. If you find yourself in a situation where you're using PMR, you may also need to turn off "ip ssh source-interface Loopback0" if you have it turned on - if dynamic routing has melted to the point where routers don't know each others' loopbacks, sourcing an ssh packet from a loopback won't get you far.

If you use TACACS for AAA, plan in advance to have at least one login on the router with local credentials so that you can get in when TACACS is broken.

Stephen
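The following IOS configuration fragment is an added illustration of the advice in the message above; it is not Stephen's configuration or anything from the thread. The prefixes (10.255.0.0/24 for loopbacks, 10.255.1.0/24 for internal link addresses, 192.0.2.10 as the TACACS+ server) and the user and ACL names are constructed placeholders, and the secrets must be replaced before use.

```text
! Keep every loopback and internal link address inside a small number of
! dedicated prefixes so the vty source ACL stays short and maintainable.
! (Constructed example; prefixes and names are placeholders.)
ip access-list standard NOC-SSH-SOURCES
 remark NOC bastion host(s)
 permit 10.255.2.10
 remark router loopbacks (dedicated management prefix)
 permit 10.255.0.0 0.0.0.255
 remark internal interface addresses, so a neighbor can ssh in hop-by-hop
 remark (the PMR case) when it no longer has a route to our loopback
 permit 10.255.1.0 0.0.0.255
 deny   any log
!
! TACACS+ first, local credentials only when the TACACS+ servers do not answer.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key REPLACE-ME-TACACS-KEY
aaa authentication login default group tacacs+ local
!
! The break-glass local login the message recommends; store the secret offline.
username noc-emergency privilege 15 secret REPLACE-ME-STRONG-SECRET
enable secret REPLACE-ME-ENABLE-SECRET
!
line vty 0 4
 access-class NOC-SSH-SOURCES in
 transport input ssh
 login authentication default
!
! Normal operation: source outbound ssh from the loopback. If routing has
! melted and neighbors no longer know Loopback0, remove this line
! ("no ip ssh source-interface") so hop-by-hop ssh sources from the
! connected interface address instead.
ip ssh source-interface Loopback0
```

Two points worth checking against your own deployment: an IOS method list only falls through from `group tacacs+` to `local` when every TACACS+ server is unreachable, not when a server actively rejects the login, so the local account helps with a broken TACACS+ path but not with a TACACS+ policy problem; and the `deny any log` entry at the end of the standard ACL is what lets you see, in syslog, attempts to reach the vty lines from addresses outside the dedicated management prefixes.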