[rancid] Re: Tunneling Telnet connections
Steve D. Ousley
Steve at host-it.co.uk
Mon Jan 5 09:59:39 UTC 2009
Hi Guys
An update to my predicament. This is all sorted. A colleague of mine suggested this method minutes before you Daniel. Once I had this idea, it was a simple case of re-setting the routers up to use the tunnel.
Fortunately, I have a wrapper script for rancid, so that made things even easier for me, but all I did was the following:
Add a new ssh line for each router to the top of my wrapper script such as:
ssh -L 2024:<router_ip>:23 <user>@<bounce_host> -Nf
where <bounce_host> is the host that we are using in the remote location so that at least the part over the internet is done via ssh (The remote location is secured with VLAN’s etc, so that is not a problem).
Then I edited my .cloginrc to set each router up as:
add method <router> {telnet:2024}
and also I added to /etc/hosts a line:
127.0.0.1 <router>
With both the .cloginrc, and /etc/hosts file, this meant that the router’s name can still be the name of the router, but will use the SSH tunnel. Finally, editing the telnet access list on the switch, allowed this to all work.
Many thanks for the suggestions, and fortunately, I didn’t need help setting the SSH tunnel method up :D
Steve
From: Daniel Epstein [mailto:dan at rootlike.com]
Sent: 02 January 2009 13:14
To: Steve D. Ousley
Cc: <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] Tunneling Telnet connections
An SSH tunnel would do it, but I'd imagine you have a firewall at each location. If both of these devices support IPSec VPNs, you could also setup a LAN to LAN VPN between sites.
Daniel G. Epstein (mobile)
On Jan 2, 2009, at 6:40, "Steve D. Ousley" <Steve at host-it.co.uk<mailto:Steve at host-it.co.uk>> wrote:
Hi All
We manage 2 data centres, and have some switches in the second (unmanned) data centre that are being backed up from our Rancid box in the primary (manned) data centre. What we would like though is some secure way to get the configs from the remote data centre. At the moment, rancid logs in with Telnet, which is obviously unsecure, and could be sniffed to gain our password.
Unfortunately due to these being Cisco 2960’s (without the K9 bundle) we cannot setup SSH to access these remotely, and for the 3 or 4 switches we have in the remote centre (at the moment) it is not worth setting up another rancid box for that.
I would like to know the best way to secure this, either maybe through an SSH tunnel to a machine in the remote data centre or any other ideas anyone has?
Regards
Steve Ousley - SO620-RIPE
Nuco Technologies Ltd
steve at host-it.co.uk<mailto:steve at host-it.co.uk>
www.nucotechnologies.com<http://www.nucotechnologies.com/>
Tel. 0870 165 1300
Nuco Technologies Ltd is a company registered in England and Wales
with company number 04470751
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net<mailto:Rancid-discuss at shrubbery.net>
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20090105/392397bd/attachment.html
More information about the Rancid-discuss
mailing list