[rancid] Tunneling Telnet connections
Steve D. Ousley
2009-01-02 12:40:34 UTC
Hi All

We manage 2 data centres, and have some switches in the second (unmanned)
data centre that are being backed up from our Rancid box in the primary
(manned) data centre. What we would like though is some secure way to get
the configs from the remote data centre. At the moment, rancid logs in with
Telnet, which is obviously insecure, and could be sniffed to gain our
password.

Unfortunately due to these being Cisco 2960s (without the K9 bundle) we
cannot set up SSH to access these remotely, and for the 3 or 4 switches we
have in the remote centre (at the moment) it is not worth setting up another
rancid box for that.

I would like to know the best way to secure this, either maybe through an
SSH tunnel to a machine in the remote data centre or any other ideas anyone
has?

Regards

Steve Ousley - SO620-RIPE
Nuco Technologies Ltd
***@host-it.co.uk
www.nucotechnologies.com
Tel. 0870 165 1300

Nuco Technologies Ltd is a company registered in England and Wales
with company number 04470751
alex dekker
2009-01-02 13:59:49 UTC
Post by Steve D. Ousley
I would like to know the best way to secure this, either maybe through an
SSH tunnel to a machine in the remote data centre or any other ideas anyone
has?
You could set up an OpenVPN tunnel, which I'm sure you'd find useful for other
things too.

http://www.theregister.co.uk/2008/09/01/openvpn_primer/

http://en.wikipedia.org/wiki/OpenVPN

alexd
Daniel Epstein
2009-01-02 13:13:47 UTC
An SSH tunnel would do it, but I'd imagine you have a firewall at each
location. If both of these devices support IPSec VPNs, you could also
set up a LAN-to-LAN VPN between sites.

Daniel G. Epstein (mobile)
Steve D. Ousley
2009-01-05 09:59:39 UTC
Hi Guys

An update to my predicament. This is all sorted. A colleague of mine suggested this method minutes before you, Daniel. Once I had this idea, it was a simple case of re-setting the routers up to use the tunnel.

Fortunately, I have a wrapper script for rancid, so that made things even easier for me, but all I did was the following:

Add a new ssh line for each router to the top of my wrapper script such as:

ssh -L 2024:<router_ip>:23 <user>@<bounce_host> -Nf

where <bounce_host> is the host that we are using in the remote location so that at least the part over the internet is done via ssh (the remote location is secured with VLANs etc., so that is not a problem).

Then I edited my .cloginrc to set each router up as:

add method <router> {telnet:2024}

and also I added to /etc/hosts a line:

127.0.0.1 <router>

With both the .cloginrc and /etc/hosts file, this meant that the router's name can still be the name of the router, but will use the SSH tunnel. Finally, editing the telnet access list on the switch allowed this to all work.

Many thanks for the suggestions, and fortunately, I didn’t need help setting the SSH tunnel method up :D

Steve


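The per-switch tunnel setup Steve describes above, as an added example that is not the wrapper script from the thread: a POSIX sh fragment that gives every switch its own loopback port (one local port can only forward to one switch, so three switches cannot all share 2024), binds the forward explicitly to 127.0.0.1 so nothing else on the rancid box's LAN can reach it, and emits the matching .cloginrc and /etc/hosts lines. The bounce host, user and switch addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the rancid-discuss thread.
# Assumed/constructed values: bounce host, tunnel user, switch list.
BOUNCE_HOST=bounce.example.net   # the SSH-capable host inside the remote site
TUNNEL_USER=rancid
BASE_PORT=2024                   # first loopback port, as in Steve's post

# Constructed switch list: "name address", one per line.
SWITCHES='sw1 10.0.2.11
sw2 10.0.2.12
sw3 10.0.2.13'

# local_port N -> a unique loopback port for the Nth switch (1-based)
local_port() { echo $((BASE_PORT + $1 - 1)); }

# ssh_cmd NAME ADDR PORT -> forward 127.0.0.1:PORT to ADDR:23 via the bounce
# host; -N runs no remote command, -f backgrounds ssh after authentication.
ssh_cmd() { echo "ssh -L 127.0.0.1:$3:$2:23 -N -f $TUNNEL_USER@$BOUNCE_HOST"; }

# cloginrc_line NAME PORT -> the .cloginrc method entry for this switch
cloginrc_line() { echo "add method $1 {telnet:$2}"; }

# hosts_line NAME -> /etc/hosts entry so rancid keeps the switch's real name
hosts_line() { echo "127.0.0.1 $1"; }

# render -> ssh command, .cloginrc line and hosts line for every switch
render() {
  i=0
  echo "$SWITCHES" | while read -r name addr; do
    i=$((i + 1)); port=$(local_port "$i")
    echo "# $name"
    ssh_cmd "$name" "$addr" "$port"
    cloginrc_line "$name" "$port"
    hosts_line "$name"
  done
}

# start_tunnels -> actually open the forwards (run before rancid-run)
start_tunnels() {
  i=0
  echo "$SWITCHES" | while read -r name addr; do
    i=$((i + 1)); port=$(local_port "$i")
    eval "$(ssh_cmd "$name" "$addr" "$port")"
  done
}

# Only open tunnels when invoked as: sh tunnels.sh up
if [ "${1:-}" = "up" ]; then start_tunnels; fi
```

Run `sh tunnels.sh` with no argument to print the generated lines for review; the telnet leg from the bounce host to each switch is still cleartext, which is why the switch access list should admit only the bounce host.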
Oliver Gorwits
2009-01-02 15:00:42 UTC
Post by Steve D. Ousley
We manage 2 data centres, and have some switches in the second
(unmanned) data centre that are being backed up from our Rancid box in
the primary (manned) data centre. What we would like though is some
secure way to get the configs from the remote data centre.
You might be able to SSH to a router in your remote data centre,
then Telnet from there. So at least the hop across the Internet is SSH.

Can't recall if this is a feature in RANCID or a patch previously
given on this list though, sorry, but it sounds familiar.

regards,
oliver.
--
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services