Proper authentication model

Joe Abley jabley at
Tue Jan 11 21:24:22 UTC 2005

On 11 Jan 2005, at 15:28, Kevin wrote:

> On Tue, 11 Jan 2005 11:17:55 +0200, Kim Onnel <karim.adel at> 
> wrote:
>> Hello,
>> I'd like everyones 2 cents on the BCP for network management of an ISP
>> PoPs, with a non-security oriented NOC,
> . . .
>> 2) An OpenBSD bastion host(s), where the NOC would ssh in, get
>> authenticated from TACACS+ or ssh certs, and then just telnet from
>> there all day,
> If the OpenBSD host is located in the same physical site as the Cisco
> products, you have the additional option of providing serial console
> access to the console port on the Cisco devices through the OpenBSD
> bastion host.  To take this a step further, you can log all serial
> port I/O to disk.
> Using the serial console as your management port has one major
> drawback (some would call it a feature), you can only have one person
> (two with the AUX port) logged into a given router or switch at a
> time.

To do both serial console access and continuous logging of console 
output (and to allow multiple users to simultaneously access the same 
console port) try rtty. It's old, and it hasn't been updated in ages, 
and it turns out that's ok because it Just Works.

At ISC, we've used rtty with PCI-based multi-port serial cards, and 
also with USB-based multi-port serial cards. It'll work with anything 
that can present a character device in /dev.


More information about the NANOG mailing list