
I'm tasked with coming up with a solution for our NOC to implement MFA-secured access on our routers. There are caveats to doing this, as TACACS/RADIUS is only supported on the MGMT interface, amongst other limitations (I don't want to risk getting locked out of a router if TACACS/RADIUS is being flaky).

With that being said I think a better approach would be a jumpbox that logs all commands. Users would SSH to the jumpbox and authenticate with their AD credentials via RADIUS or something else that supports MFA.

The caveats here are:

  • When you SSH to the router in question, all commands/responses should somehow get logged and shipped somewhere, via RADIUS accounting or otherwise. It would be the jumpbox shipping these off; perhaps there's a "special" version of SSH that does this.
  • They should be logged under the user that ran the commands.
  • First you talk about MFA then you went straight to left field and asked about logging all commands? These don't appear to have any relation to each other. What are you actually trying to accomplish? – Michael Hampton Aug 12 '21 at 14:25
  • A RADIUS solution will provide for hooks into MFA via the authentication piece as well as logging of all commands through the accounting piece. – NOC_Ninja982134 Aug 12 '21 at 14:35
  • The only command you'll normally log is where the admin jumped off to, though. There are ways to log the whole terminal session but that's usually overly noisy, takes up massive amounts of disk, and is unlikely to be what you really need. So trying to push all that through RADIUS accounting sounds insane. – Michael Hampton Aug 12 '21 at 14:39
  • A jumpbox where I can authenticate into it using AD/MFA that also ships all commands off somewhere, including when I use it to SSH in somewhere, will suffice (logging the terminal session). – NOC_Ninja982134 Aug 12 '21 at 14:39
  • If you just need to log commands, [that's easy](https://serverfault.com/a/1036183/126632). You can log those and ship them off to a remote machine via any method you wish. – Michael Hampton Aug 12 '21 at 14:43
  • But will it also log when he SSHs somewhere and the output of that? John logs into the jumpbox, types ls (this is logged), John SSHs into the router (the ssh command is logged), John types "System reboot" (this command is ALSO logged). – NOC_Ninja982134 Aug 12 '21 at 14:45
  • 1
    Semantically that's terminal output. That gets a lot more complicated, and as noted in the linked question, I'm not aware of a good solution for that except for `pam_tty_audit`, which does exactly what was shown there. If you can handle that, then go for it. – Michael Hampton Aug 12 '21 at 14:46
  • Thank you sir. I will take it from here. – NOC_Ninja982134 Aug 12 '21 at 14:52
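The comments end on `pam_tty_audit` as the way to capture what John types after he SSHs from the jumpbox into a router. As an added example (not code from the original post, and not part of the audit or pam_tty_audit projects), the block below shows what the resulting auditd `type=TTY` records look like and how a jumpbox could decode them into one line per command, attributed to the login user, ready to ship via syslog. It assumes `pam_tty_audit` is enabled for the SSH service on the jumpbox (for example `session required pam_tty_audit.so enable=*` in `/etc/pam.d/sshd`) and that auditd writes its records to `/var/log/audit/audit.log` in the raw format documented in pam_tty_audit(8). The log lines in `SAMPLE_LOG`, the `_tty_record` helper that builds them, the user ID 1000, the host `rtr1`, and the `SAMPLE_USERS` name mapping are all constructed for illustration.

```python
"""Decode auditd TTY records (as produced by pam_tty_audit) into per-user command lines.

Added example for this thread; not code from the original post or from the audit project.
Assumes pam_tty_audit is enabled on the jumpbox and auditd writes `type=TTY` records.
The records in SAMPLE_LOG are constructed; SAMPLE_USERS is an assumed uid->name map.
"""
from __future__ import annotations
import json
import re

# Raw record shape from pam_tty_audit(8); `ses=` is optional because older auditd omits it.
TTY_RECORD = re.compile(
    r'type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): tty '
    r'pid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+)(?: ses=(?P<ses>\d+))? '
    r'major=(?P<major>\d+) minor=(?P<minor>\d+) comm="(?P<comm>[^"]*)" '
    r'data=(?P<data>[0-9A-Fa-f]*)'
)


def decode_keystrokes(hexdata: str) -> list[str]:
    """Turn the hex keystroke buffer of one TTY record into the lines the user submitted.

    Enter (CR/LF) ends a line, Backspace/DEL erases the previous character, and
    terminal escape sequences (arrow keys, Home/End, ...) are kept as visible <ESC...>
    tokens: a history entry recalled with Up-arrow is invisible to keystroke auditing,
    so the token is the only evidence that something other than the typed text ran.
    Non-printable bytes outside those cases are dropped.
    """
    raw = bytes.fromhex(hexdata)
    lines, buf, i = [], [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0x0D, 0x0A):                 # Enter
            lines.append(''.join(buf)); buf = []
        elif b in (0x7F, 0x08):               # DEL / Backspace
            if buf: buf.pop()
        elif b == 0x1B:                       # ESC: consume a CSI (ESC [) or SS3 (ESC O) sequence
            seq = ['<ESC']
            if i + 1 < len(raw) and raw[i + 1] in (ord('['), ord('O')):
                i += 1; seq.append(chr(raw[i]))
                while i + 1 < len(raw) and not (0x40 <= raw[i + 1] <= 0x7E):
                    i += 1; seq.append(chr(raw[i]))       # parameter bytes
                if i + 1 < len(raw):
                    i += 1; seq.append(chr(raw[i]))       # final byte
            seq.append('>')
            buf.append(''.join(seq))
        elif 0x20 <= b < 0x7F:                # printable ASCII
            buf.append(chr(b))
        i += 1
    if buf:                                   # unterminated input at the end of the record
        lines.append(''.join(buf))
    return lines


def parse_tty_audit(log_text: str, usernames: dict[int, str]) -> list[dict]:
    """Return one event per submitted line, attributed to the login user (auid).

    auid is the audit login UID fixed at SSH authentication and it survives su/sudo,
    so keystrokes typed after `sudo -i` or into a nested `ssh` to a router are still
    attributed to the person who logged into the jumpbox, which is the requirement
    "logged under the user that ran the commands".
    """
    events = []
    for line in log_text.splitlines():
        m = TTY_RECORD.search(line)
        if not m:
            continue                          # not a TTY record (SYSCALL, USER_LOGIN, ...)
        auid = int(m['auid'])
        for cmd in decode_keystrokes(m['data']):
            events.append({'ts': float(m['ts']), 'user': usernames.get(auid, f'auid:{auid}'),
                           'uid': int(m['uid']), 'comm': m['comm'], 'cmd': cmd})
    return events


def format_for_syslog(events: list[dict]) -> list[str]:
    """Render events as key=value lines suitable for `logger`/rsyslog forwarding."""
    return [f"tty_audit ts={e['ts']:.3f} user={e['user']} uid={e['uid']} "
            f"comm={e['comm']} cmd={json.dumps(e['cmd'])}" for e in events]


def _tty_record(ts, serial, pid, uid, auid, ses, comm, keystrokes: bytes) -> str:
    """Build a constructed TTY record in auditd's raw format (sample data only)."""
    return (f'type=TTY msg=audit({ts:.3f}:{serial}): tty pid={pid} uid={uid} auid={auid} '
            f'ses={ses} major=136 minor=1 comm="{comm}" data={keystrokes.hex().upper()}')


SAMPLE_USERS = {1000: 'john'}                 # assumed; production code would use pwd/getent
SAMPLE_LOG = '\n'.join([
    # john's bash on the jumpbox: `ls -la` (6C73202D6C610D is that string plus CR), then the jump
    'type=TTY msg=audit(1628777600.100:101): tty pid=2301 uid=1000 auid=1000 ses=4 '
    'major=136 minor=1 comm="bash" data=6C73202D6C610D',
    _tty_record(1628777605.200, 102, 2301, 1000, 1000, 4, 'bash', b'ssh admin@rtr1\r'),
    # keystrokes typed INTO the router go through the same tty, read by the ssh client:
    # a typo fixed with DEL, then Up-arrow + Enter (history recall, content unknown)
    _tty_record(1628777640.300, 103, 2355, 1000, 1000, 4, 'ssh',
                b'show version\rsyste\x7fem reboot\r\x1b[A\r'),
    # after `sudo -i` the process uid is 0 but auid is still 1000 (john)
    _tty_record(1628777700.400, 104, 2400, 0, 1000, 4, 'bash', b'cat /etc/shadow\r'),
    'type=SYSCALL msg=audit(1628777700.500:105): arch=c000003e syscall=59 success=yes',
])

if __name__ == '__main__':
    for line in format_for_syslog(parse_tty_audit(SAMPLE_LOG, SAMPLE_USERS)):
        print(line)
```

Two caveats a practitioner should weigh before building on this: `pam_tty_audit` records keystrokes, not terminal output, so the router's responses are not in these records (a session recorder such as `script` or `tlog` is needed for that, at the disk cost Michael Hampton mentions), and input typed while echo is off (passwords) is not recorded unless the module's `log_passwd` option is set. `ausearch -i` already renders the `data=` field in a readable form; the Python decoding here exists so that a jumpbox can emit one attributable line per command to a remote collector.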

0 Answers