As of ComOS 3.5, you can set up !root-equivalent accounts that are
authenticated via RADIUS, and thus use SecurID out of the box or hack
whatever OTP scheme you prefer into radiusd. You can't disable the !root
telnet login AFAIK, but you can of course set a really complex password
and never use it...
>I'd like to block access to the ether0 port for all connections except
>those from our local ISP network, where we geeks log in via ssh. That
>way the password would only travel across our LAN segment clear-text.
>If the PMconsole password passes in the clear, I'd like to block this
>too from non-LAN hosts.
Using this as ether0.in will prevent *all* traffic to the PM itself
except from the designated (sub)net on the Ethernet interface:
permit 111.222.111.0/24 111.222.111.222/32
deny 0.0.0.0/0 111.222.111.222/32
permit
- where 111.222.111.0/24 is the "trusted" network and 111.222.111.222
the IP address on the Ethernet interface, of course. Note that it will
also prevent at least TCP connections *from* the PM (e.g. "shell
logins") to anywhere but the designated net (the "return" packets are
blocked). Also, you may want to use this filter for all your users too
(you can skip the first rule though), or they can still telnet etc to
the PM (as the packets aren't coming in via ether0).
--Per Hedeland
per@erix.ericsson.se
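The following is an added illustration, not part of Per's post or of ComOS itself: a toy first-match evaluator that replays the three ether0.in rules above against a few constructed packets. It uses the post's own addresses (111.222.111.0/24 as the trusted net, 111.222.111.222 as the PM's Ethernet address). The rule semantics it assumes are: rules are tried top to bottom and the first match wins, a bare "permit" with no addresses means permit-any, an omitted source or destination means any, and a packet matching nothing is dropped. Those are inferred from the post, not checked against a PortMaster, as is the hypothetical "users" variant that drops the first rule.

```python
"""Toy first-match filter evaluator for the ether0.in rules in the post.

Constructed example; the real ComOS filter engine is not consulted here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Addresses taken from the post.
TRUSTED_NET = ipaddress.ip_network("111.222.111.0/24")   # the "trusted" network
PM_ADDR = ipaddress.ip_network("111.222.111.222/32")     # PM's ether0 address
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    src: ipaddress.IPv4Network = ANY         # assumption: omitted address means any
    dst: ipaddress.IPv4Network = ANY


# The three rules from the post, in order.
ETHER0_IN: List[Rule] = [
    Rule("permit", TRUSTED_NET, PM_ADDR),   # trusted net may talk to the PM
    Rule("deny", ANY, PM_ADDR),             # nobody else may talk to the PM
    Rule("permit"),                         # everything not aimed at the PM passes
]

# Hypothetical per-user variant: "you can skip the first rule", so dial-in
# users are never allowed to reach the PM's own address.
USERS_IN: List[Rule] = ETHER0_IN[1:]


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the matching rule).

    First match wins. If nothing matches the packet is dropped; that final
    implicit deny is an assumption about the filter engine, not something
    the post states.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for index, rule in enumerate(rules, start=1):
        if s in rule.src and d in rule.dst:
            return rule.action, index
    return "deny", None


def return_packet_allowed(rules: List[Rule], remote: str) -> bool:
    """Model the caveat in the post: the PM opens a TCP connection to
    `remote`; does the *reply* (remote -> PM) get through ether0.in?"""
    action, _ = evaluate(rules, remote, "111.222.111.222")
    return action == "permit"


if __name__ == "__main__":
    # Constructed sample traffic.
    print(evaluate(ETHER0_IN, "111.222.111.5", "111.222.111.222"))   # LAN host -> PM
    print(evaluate(ETHER0_IN, "10.9.8.7", "111.222.111.222"))        # outsider -> PM
    print(evaluate(ETHER0_IN, "10.9.8.7", "111.222.111.50"))         # outsider -> LAN host
    print(return_packet_allowed(ETHER0_IN, "198.51.100.10"))         # PM's own shell login
    print(return_packet_allowed(ETHER0_IN, "111.222.111.9"))         # PM -> trusted host
    print(evaluate(USERS_IN, "10.1.2.3", "111.222.111.222"))         # dial-in user -> PM
```

The second-to-last two calls are the point of Per's caveat: a connection the PM itself opens to anything outside 111.222.111.0/24 has its replies caught by rule 2, so it never completes, while one to a trusted host works. The users variant shows why the first rule is optional on dial-in interfaces: with it removed, any traffic aimed at the PM's address from a dial-in user is denied before reaching the catch-all permit.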