[nsp] permit vty ssh, no telnet for some users ?

Richard Danielli richard.danielli at esubnet.com
Mon Apr 26 21:31:05 EDT 2004


Although we all seem to agree that simply using SSH is the way to go, here
is another possible solution - but it is a real stretch on practicality

Feed the connectivity for access through another router with user-based ACLs
sourced from a RADIUS server, thus providing the username discrimination you
are looking for.  Of course, the endpoint infrastructure box needs to have
ACLs allowing only certain access from the MAC address of the
non-infrastructure box. I would say this is a kludge, not a solution, as the
number of single points of failure or the cost of deployment seems
prohibitive - IMHO


Best of luck...

-rd-


--
Richard Danielli
Founder/President
eSubnet Enterprises Inc.
TORONTO, ON
Canada
(416) 203-5253
c: (416) 525-6148
http://www.eSubnet.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> -----Original Message-----
> From: Hudson Delbert J Contr 61 CS/SCBN
> [mailto:Delbert.Hudson at LOSANGELES.AF.MIL]
> Sent: Monday, April 26, 2004 3:09 PM
> To: 'Richard Danielli'; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] permit vty ssh, no telnet for some users ?
>
> good answer.
>
> this still doesn't address the concept of restricting
> the access by a specific user, not an IP address?
>
> the rsvp to just use SSH would be the most prudent.
>
> still, the issue of user-based control is not present in this
> solution.
>
> the solution exists on the clients, not on infrastructure boxes, which
> by rights ought not to have to perform this type of operation.
>
> let the system admins do it as they are the implementors of
> data access policy.
>
> /* piranha */
>
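
The position everyone in the thread agrees on, SSH only on the vty lines with the source addresses restricted by an access-class, looks like this on Cisco IOS. This is an added illustration and not configuration from the original post or from anyone in the thread; the hostname, the 10.0.0.0/24 management subnet, the RADIUS server 10.0.0.5, the shared key and the local username are placeholders, and an IOS image with SSHv2 support is assumed. The weak form is shown commented out above the hardened one. Note that both transport input and access-class are properties of the vty line, not of the user who logs in, which is exactly why the per-user discrimination asked about in the reply cannot be expressed on the router itself.

```cisco
! Added example: SSH-only vty access on Cisco IOS (not from the original post).
! Hostname, addresses, local username and the RADIUS key are placeholders.
!
! --- Weak form: telnet is still accepted on the vty lines ---
! line vty 0 4
!  transport input telnet ssh      ! same problem with "transport input all"
!  login local
!
! --- Hardened form ---
hostname rtr-edge
ip domain-name example.net
! An RSA host key must exist before the SSH server will start
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! AAA: usernames checked against RADIUS, local database only as fallback
aaa new-model
aaa authentication login VTY-AUTH group radius local
radius-server host 10.0.0.5 key CHANGE-THIS-KEY
username admin privilege 15 secret CHANGE-THIS-TOO
!
! Only the management subnet may open a vty session at all; everything
! else is dropped (and logged) before authentication is even attempted
access-list 10 remark management stations allowed to reach the vty lines
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login authentication VTY-AUTH
 exec-timeout 10 0
!
! Verify: the router itself must now refuse telnet on all vty lines
! show running-config | begin line vty
! show ip ssh
```

After applying this, a telnet attempt from anywhere is refused by the line's transport setting, and an SSH attempt from outside 10.0.0.0/24 is refused by the access-class; which user is on the other end never enters into either decision.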


