Proper authentication model
jabley at isc.org
Tue Jan 11 21:24:22 UTC 2005
On 11 Jan 2005, at 15:28, Kevin wrote:
> On Tue, 11 Jan 2005 11:17:55 +0200, Kim Onnel <karim.adel at gmail.com>
>> I'd like everyones 2 cents on the BCP for network management of an ISP
>> PoPs, with a non-security oriented NOC,
> . . .
>> 2) An OpenBSD bastion host(s), where the NOC would ssh in, get
>> authenticated from TACACS+ or ssh certs, and then just telnet from
>> there all day,
> If the OpenBSD host is located in the same physical site as the Cisco
> products, you have the additional option of providing serial console
> access to the console port on the Cisco devices through the OpenBSD
> bastion host. To take this a step further, you can log all serial
> port I/O to disk.
> Using the serial console as your management port has one major
> drawback (some would call it a feature), you can only have one person
> (two with the AUX port) logged into a given router or switch at a
To do both serial console access and continuous logging of console
output (and to allow multiple users to simultaneously access the same
console port) try rtty. It's old, and it hasn't been updated in ages,
and it turns out that's ok because it Just Works.
At ISC, we've used rtty with PCI-based multi-port serial cards, and
also with USB-based multi-port serial cards. It'll work with anything
that can present a character device in /dev.
More information about the NANOG