i am pondering a technical IT config management best-practices problem. I'll put it behind the cut because a lot of you really don't care.
so, i've got a bunch of network devices. some of them are reachable via ssh, and some by telnet. all of them are reachable on their console by telnetting to a console server.
the devices, and the console server, all authenticate via RSA's securid two factor authentication.
most of my network devices let me send a magic SNMP string that tells the devices "hey, tftp your config over here".
but some of them don't. those are the troublesome ones.
the easiest way is for me to set up a static password that's good for half an hour or so per day, and run my "login and grab the config" scripts with those. except for the fact that it would be allowing something with a static password to log into my network gear. even time-restricted, that's more of a big flapping hole than i'm comfortable with.
what are other people doing for config management on network devices that don't support (either by design or by "to be fixed in a later version of code" bugs) snmp-triggered tftp?
EDIT: the problem i am trying to solve is how to get automated periodic downloads of configs from these machines, when i can't authenticate with securid tokens (since that requires a human) and static passwords are pretty much too insecure.
this is the sort of thing that doesn't seem to make it into the "best practices" docs i've found so far, but i'll likely continue poring over docs today...
thoughts? suggestions?
no subject
Date: 2005-07-28 04:15 pm (UTC)