[personal profile] rmd
i am pondering a technical IT config management best-practices problem. I'll put it behind the cut because a lot of you really don't care.


so, i've got a bunch of network devices. some of them are reachable via ssh, and some by telnet. all of them are reachable on their console by telnetting to a console server.

the devices, and the console server, all authenticate via RSA's securid two factor authentication.

most of my network devices let me send a magic SNMP string that tell the devices "hey, tftp your config over here".

but some of them don't. those are the troublesome ones.

the easiest way is for me to set up a static password that's good for half an hour or so per day, and run my "login and grab the config" scripts with those. except for the fact that it would be allowing something with a static password to log into my network gear. even time-restricted, that's more of a big flapping hole than i'm comfortable with.

what are other people doing for config management on network devices that don't support (either by design or by "to be fixed in a later version of code" bugs) snmp-triggered tftp?

EDIT: the problem i am trying to solve is how to get automated periodic downloads of configs from these machines, when i can't authenticate with securid tokens (since that requires a human) and static passwords are pretty much too insecure.

this is the sort of thing that doesn't seem to make it into the "best practices" docs i've found so far, but i'll likely continue poring over docs today...

thoughts? suggestions?

Date: 2005-07-29 05:52 pm (UTC)
From: [personal profile] muffyjo
is the need to trigger it manually the problem? Or can it be something the system does on schedule? You know, like executing a .bat file. Ok, as we both know, I'm no admin and I'm probably asking the stupid/obvious questions.

I should probably ask you in person some time how SysID works. I am rather fascinated by it.

Date: 2005-07-29 06:00 pm (UTC)
From: [identity profile] rmd.livejournal.com
yeah. right now, if i want the config, i have to personally log in and trigger it. i want to automate this process. but to do so, the program trying to automatically trigger the download has to be able to authenticate. which goes back to the problem of static password accounts being a security hole.

"I should probably ask you in person some time how SysID works."

there's a secret number that exists on both your keyfob and on the securid server. every minute, it generates a new number based on that secret number and the current time. so the server knows what number you should have every minute and it can say with some confidence that you have the physical token with you ("something you have"). the PIN that you type in with that is the "something you know" that proves it's you holding the token fob.

"two factor authentication" generally means "something you have" plus "something you know".

another example is your ATM card and the PIN.

Date: 2005-07-29 06:53 pm (UTC)
From: [personal profile] muffyjo
Hmm, ah, got the SysID, it's exactly what I thought it was. But I missed the part about you not wanting to be there when it happened. I blame it on my mucosal membranes.

Ok, so back to the problem at hand...you need a secure method to copy the config file to be stored on another machine in the same network. The roadblock is authentication, which is what is needed for it to pass the file outward and check in on the other machine. The problem doesn't lie on the individual machines themselves, necessarily, it's on whichever machine you end up storing the data - assuming a push technology instead of a pull.
