[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Sticky authentication/authorisation issues




On Thu, 7 Jul 2005, Brian May wrote:

> note: changed subject
>
>>>>>> "Brandon" == Brandon S Allbery KF8NH <allbery@ece.cmu.edu> writes:
>
>    Brandon> On Thu, 2005-07-07 at 09:20 +1000, Brian May wrote:
>    >> Is there anything you can do in telnet that you can't do in
>    >> ssh?
>
>    Brandon> Recover when sshd is hosed / not running.  Backup access
>    Brandon> mechanisms matter.
>
> Good point. Just been in a situation recently where somebody upgraded
> ssh on a remote server and accidently turned off password
> authentication. It become difficult to log in again and fix the
> problem.

Quite recently i was involved in setting up serial console access.
(To provide out-of-band management.)

Basically we configured terminal servers to reverse telnet and
crosslinked them to some Unix boxen running Conserver:
http://www.conserver.com/

The "console" client program SSL encripts its connection to the
conserver, which in turn uses pam_krb5 to autenticate against a KDC.
Ofcource this does ask for a password, which could be inconvenient for
day-to-day admin tasks, but _normally_ ssh is used directly.

In case Kerberos is down (aswell), one can ssh into the conserver
machine, and fireoff the console client to connect over loopback.

-Menno.