SSH server (terminal emulation)

[LynK]

are any of you guys running a centralized SSH server? Curious what products do you like/use... i know a lot of it is preference, and features. So what are you using and why?

[deanwebb]

Does Putty Commander count?

[LynK]

never used it. Im looking for software that manages all connections in one spot. The clients then pull the config down from the server, so everyone has up to date settings, and new locations.

[deanwebb]

Well, we kinda almost have that. We use Putty Commander and have a settings file that we share. If the settings update, we have to update manually.

[LynK]

im just surprised there isnt a software for this kind of thing.

[icecream-guy]

We have a "some flavor of" linux server running as a jump box, does that count?   Runs well

[Otanx]

Does DNS count? All our stuff is in DNS so we just "ssh hostname".

-Otanx

[icecream-guy]

Does DNS count? All our stuff is in DNS so we just "ssh hostname".

-Otanx

that bad juju, if your DNS box gets hacked you are SoL

[Reggle]

I had a network once wwith a Linux jumphost. All device names where in the hosts file, separate from the DNS servers. Also, we could only do SSH and Telnet, nothing more. If we added a device in the network, it was sent to another team or guy that managed the hosts file.
I recommend a central SSH jumphost (and TFTP, and FTP, and SCP,... ) but I don't recommend a hosts file, although 'grep <part-of-name> /etc/hosts' did wonders.

[Otanx]

Does DNS count? All our stuff is in DNS so we just "ssh hostname".

-Otanx

that bad juju, if your DNS box gets hacked you are SoL

I don't know if that is worth not doing it. The benefits I get outweigh any risks. Traceroute shows hostnames for the NOC, SOC gets correct reverse lookups when investigating an IP, I get easy ssh. If my internal DNS gets hacked then we are probably going to be working with laptops and console cables anyway, because who knows what else is compromised. Compared to maintaining host files, or sharing a config file this is easy, works no matter where I log in from, and helps other groups when they are troubleshooting. For that less than 1% of the time DNS isn't working I can guess some IPs, and find what I need with CDP, and route tables.

-Otanx

[wintermute000]

a linux box is the best and easiest way if you want to force everyone to only go through a central mgt point
- leverage in-built multi-user and access permissions,
- can jail users to their /home or shared directories, prevent app installs, restrict commands to telnet/ssh/ping/trace/ftp/tftp/snmp only etc.
- can log everything on top of config logging from devices themselves
- can tie back into central SSO whether via LDAP or AD or whatever
- downsides: no windows tools and if no desktop environment, no GUI

Though 90% of places I've seen just use a RDP box. The proliferation of windows tools / web GUIs / java plugins (HAHAHAHA SECURITY PRODUCTS HAHAHAHHA) makes this the path of least resistance

[GeorgeS]

personal i like more a linux server,  the only disadvantage here is that you will need a second server for gui tools, so this is the reason that rdp server is the most common one.
Now where i work we have a citrix server from where we open all our tools, IE/FF/putty/securecrt/asdm.... also the securecrt uses a shared profile where we have all our devices. Is pretty handy but a bit chaotic. As all the network devices are there from fw/r/sw to voice gateway and who knows what else

[LynK]

I am honestly pretty sad that in this day and age there is not a product for this.

[LynK]

@georges
@wintermute

what GUI tools do you use, and which flavor of linux, we are probably going to use centos

[dlots]

I am kinda pushing for one for emergency use
So if someone takes over a box they can just spam it with SSH requests filling up all the VTY lines

I want to make a SSH server that is the only thing that can access vty line 15 to get around that, so even if someone is spamming the box we can still get in without driving over.