[rancid] Rancid via proxy host

Adrian A. Dimitrov adrian.dimitrov at efellows.bg
Wed Oct 12 14:17:47 UTC 2016


Thanks a lot !

From the security standpoint we will make sure we are on the safe side.

Will keep in touch about what we have done.

Thanks again.

Best Regards,
Adrian Dimitrov


-----Original Message-----
From: Alan McKinnon [mailto:alan.mckinnon at gmail.com] 
Sent: Wednesday, October 12, 2016 5:04 PM
To: Adrian A. Dimitrov <adrian.dimitrov at efellows.bg>; rancid-discuss at shrubbery.net
Subject: Re: [rancid] Rancid via proxy host

That makes more sense thanks.

So each of those netxms can be configured to act as an ssh bastion/jumphost to tunnel your ssh traffic through to the network devices. The whole scheme can get a touch complex with several moving parts, but as long as you have a pretty diagram laying out the design, it should be easy enough for you and your colleagues to manage.

These things are usually very site-specific so I don't want to get into too much detail, and especially don't want to discuss what ${Joe Random Blogger} did, but essentially it's along these lines:

For each customer, set up ssh forwarding on the netxms machine (ssh -L), one unique port per device. Put those connection details into ~/.ssh/config for each fqdn so that rancid ends up getting to the right place with the normal clogin <fqdn>.

This is all pretty standard ssh goodness, the man pages cover it quite extensively.

Of course you also have to make sure the VPN is up if your traffic is going to cross that. And finally you'll be punching holes in customers' network firewalls to make this work so clearing it with the customer is a good idea :-)


On 12/10/2016 15:43, Adrian A. Dimitrov wrote:
> Hello Alan,
> 
> Thanks for the fast reply! Usually to connect to the devices via ssh we are using VPN (connecting via cisco anyconnect client).
> 
> To clear my thoughts out.
> We are using monitoring system netxms. The server is in our network (linux debian) and for each client we have linux machines (netxms agents) installed (in the clients environment). So the server is communicating with the agents on a specific port to collect the data.  My idea is somehow to use these machines and make the backups through them.
> 
> Is this possible somehow? We found this article http://ingenious-excerpts.blogspot.bg/2013/07/rancid-and-relays-using-usercmd-patch.html, and I tried to configure this, but with no success.
> 
> Best Regards,
> Adrian Dimitrov
> 
> 
> -----Original Message-----
> From: Rancid-discuss [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Wednesday, October 12, 2016 3:12 PM
> To: rancid-discuss at shrubbery.net
> Subject: Re: [rancid] Rancid via proxy host
> 
> Assuming that you have no direct ssh path from your environment to the
> customer's:
> 
> First idea that comes to mind is to use ssh for connecting to all 
> devices, then leverage the ssh proxy/forwarding features configurable 
> in ~/.ssh/config
> 
> Telnet can be more tricky, you might end up having to use a range of ports forwarded to <customer_env>:23 or similar.
> 
> This one statement of yours is nonsensical:
> "For this purpose I will use our monitoring system which has its own agents in each customer environment."
> That makes no sense wrt rancid, please elaborate on your thoughts how you reckon this could work? Such as, what connectivity exists between you and the customers?
> 
> 
> 
> 
> On 12/10/2016 13:51, Adrian A. Dimitrov wrote:
>> Hello All,
>>
>> I am new to rancid. I am still testing it, but so far is working 
>> perfectly fine for me.
>>
>> Now what I need is to back up the configuration of devices that are 
>> beyond my network. My idea is to install only one rancid server in 
>> our network and to make and collect the backups from remote hosts in 
>> the customers' environment. For this purpose I will use our monitoring 
>> system which has its own agents in each customer environment. How 
>> can I do this? I am using the latest version downloaded from the official site.
>>
>> Thanks.
>>
>> Best Regards,
>>
>> Adrian Dimitrov
>>
>> _______________________________________________
>> Rancid-discuss mailing list
>> Rancid-discuss at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo/rancid-discuss
>>
> 
> 
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
> 


--
Alan McKinnon
alan.mckinnon at gmail.com
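The forwarding scheme Alan sketches, written out as an added example (not code from the thread or from the rancid project): one ssh -L forward per device through the netxms jumphost, and one ~/.ssh/config stanza per fqdn so that the unchanged `clogin <fqdn>` lands on the right tunnel. The jumphost name netxms-cust1.example, the device inventory and the starting local port 2201 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the rancid project.
# Generates the two pieces of the scheme: the -L forwards for one ssh
# session to the netxms jumphost, and the ~/.ssh/config stanzas that map
# each device fqdn to its local forwarded port.
# Assumptions (not in the thread): jumphost, inventory and base port below.

# Constructed sample inventory: "<fqdn> <address reachable from the jumphost>".
DEVICES='sw1.cust1.example 10.1.0.11
rtr1.cust1.example 10.1.0.1'
BASE_PORT=2201
JUMPHOST='rancid@netxms-cust1.example'

# Emit the -L arguments for one ssh session to the jumphost: local port
# base+n on the rancid server is forwarded to device n's ssh port, so
# every device gets its own unique port as Alan suggests.
forward_args() {
    # $1 = device list, $2 = first local port
    printf '%s\n' "$1" | awk -v base="$2" '
        NF == 2 { printf "%s-L %d:%s:22", (n ? " " : ""), base + n, $2; n++ }
        END { print "" }'
}

# Emit ~/.ssh/config stanzas for the rancid user. HostKeyAlias keys the
# known_hosts entry by the device fqdn instead of [127.0.0.1]:<port>, so
# the pinned host key stays with the device even if ports are renumbered.
ssh_config_stanzas() {
    # $1 = device list, $2 = first local port
    printf '%s\n' "$1" | awk -v base="$2" '
        NF == 2 {
            printf "Host %s\n    HostName 127.0.0.1\n    Port %d\n    HostKeyAlias %s\n\n", $1, base + n, $1
            n++
        }'
}

# Print (rather than run) the tunnel command and the config to append.
echo "ssh -N $(forward_args "$DEVICES" "$BASE_PORT") $JUMPHOST"
ssh_config_stanzas "$DEVICES" "$BASE_PORT"
```

The printed ssh command is the one to keep running on the rancid server (the VPN must be up first if it crosses one); the stanzas are appended to the rancid user's ~/.ssh/config.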
