The only other means of avoiding clear text passwords that I know of is by trusting rsh access from other admin host(s), although this poses another security concern if your admin host(s) are compromised.
Also, the FilerView web admin program will allow password-less access from any machine(s) listed in the "telnet.hosts" option. This poses the same security concern if the machine(s) in "telnet.hosts" are compromised. I've heard that ONTAP may eventually support SSL for this - anyone from NTAP want to officially comment?
Both of these password-less schemes also have the disadvantage of sending the body of the session in the clear. If the data in your administrative session(s) are considered sensitive as well, neither may work for you.
SecureAdmin actually works quite well with a standard ssh client, hiding both the password and the body of the session. My guess is that an SSL-enabled FilerView, if ever created, would be packaged with ssh in the SecureAdmin license.
You can use "useradmin" to create multiple administrative accounts, but unfortunately they are all root equivalents. It would be really handy if parts of the OS were ACL'd off so that each administrative account could have custom defined access to the OS. This would allow some users to be able to create CIFS shares and modify quotas, but not bounce the machine. *HINT* to dl-toasters@netapp.com *HINT* =)
-- Jeff

--
----------------------------------------------------------------------------
Jeff Krueger                          E-Mail: jeff@qualcomm.com
Senior Engineer                       Phone:  858-651-6709
NetApp Filers / UNIX Infrastructure   Fax:    858-651-6627
QUALCOMM, Inc. IT Engineering         Web:    www.qualcomm.com
On Wed, Nov 29, 2000 at 08:06:27PM -0800, Villa, Tony wrote:
I had a question for this group. My company just started to install Filers on our network and I was wondering if there are any products that you use to connect to the Filer to replace the standard telnet command. I know Network Appliance sells SecureAdmin but I was wondering if there are any others out there.
Our security group is concerned about using telnet since any passwords that are sent are sent in clear text.
Any suggestions are welcome. Also, if SecureAdmin is being used, any input on it would be appreciated.
Tony Villa
Sr. Network Specialist
ISTS/ITUSS/DC System Server Support
Pacific Gas and Electric Company
925-779-7771
AEV1@PGE.COM