What’s in a number? A port by any other number would secure shell as sweet.
Oh, the glorious, halcyon days of the Internet circa 1995! Pre-browser wars, a nascent WWW under construction by an army of animated digging men, Usenet buzzing with spirited but netiquette-proper debate, and… Telnet. Okay, perhaps the passage of time has tinted my glasses a bit rosy.
Nevertheless, Tatu Ylonen’s post on how his brand new Secure Shell protocol came to be assigned port 22 does make for nostalgic reading. The tale is short and sweet (spoiler alert): having written SSH as a secure replacement for Telnet (port 23) and FTP (port 21), Tatu saw that the port between those two was unclaimed. So he asked IANA, and had it allocated – the very next day no less.
SSH in reverse
Opengear products make extensive use of SSH to serve secure remote serial and USB port access over the network. This common console server feature is sometimes called “reverse SSH”, after the venerable “reverse Telnet” feature of the early serial terminal servers.
Why “reverse”? As Opengear CTO Marcio Saito explains, terminal servers were originally designed to connect serial-only dumb terminals out to network servers via Telnet. As dumb terminals went the way of the dodo, users reversed the application – allowing clients to connect in from the network to the serial console ports of servers and other equipment.
Getting straight to the endpoint
While you can use TCP port 22 to access the Opengear CLI and the consoles of its serially-connected devices via the portmanager chooser menu, it’s often convenient to SSH directly to a console with minimal interaction with the intermediary console server.
One way to accomplish this is by connecting via an SSH high port. To calculate the high port, take the base TCP port for the SSH console service (3000 by default) and add the Opengear serial port number that the console is connected to (say, port 6). Then use your SSH client to connect to TCP port 3006, rather than the usual TCP port 22. Voilà, direct reverse SSH to port 6.
Scale it out with DNS
But what if you want direct access to large numbers of consoles, like 96 consoles via a single CM7196A console server? Or hundreds or thousands of consoles via a fleet of console servers in a lab or data center? Memorizing hundreds of magic IP and high port number combinations is hardly convenient.
Thankfully, DNS can help. Opengear products have a useful feature that lets you assign a unique IP address to each individual console port. Say we have a managed switch, switch01, with its serial console connected to Opengear port 6. Assign 192.168.1.206 to serial port 6, SSH to 192.168.1.206 on the usual TCP port 22 and you’re connected to switch01’s console.
Now to make this setup really shine, create an easy-to-remember name for 192.168.1.206 in your corporate DNS server. A useful convention may be to create an out-of-band DNS name based on its regular, in-band DNS name. For example, if switch01’s main address is switch01.mgmt.dc.corp.com, resolve switch01-con.mgmt.dc.corp.com to 192.168.1.206.
Now when you need an out-of-band console to that troublesome switch, just add -con to its hostname and SSH in. Sweet!
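As an added example (not code from the post or from Opengear), here is a small Python generator that applies both schemes above, the base-port-plus-serial-port calculation and the -con DNS convention, to emit ssh_config Host blocks for every console behind one server. The console server name, the 96-port default and the HostKeyAlias line (which assumes the console server presents the same host key on every port, so one known_hosts entry covers all of them) are my assumptions, not something the post states.

```python
"""Emit ssh_config entries for direct reverse SSH to Opengear-attached consoles."""
from dataclasses import dataclass

BASE_PORT = 3000       # default base TCP port for the SSH console service
MAX_TCP_PORT = 65535


@dataclass(frozen=True)
class Console:
    device: str        # in-band host name of the attached device, e.g. switch01
    serial_port: int   # Opengear serial port the device's console is cabled to


def high_port(serial_port, base=BASE_PORT, num_ports=96):
    """TCP port for direct access: base port + serial port number (3000 + 6 = 3006).
    num_ports defaults to the 96 of a CM7196A (assumption); adjust for your model."""
    if not 1 <= serial_port <= num_ports:
        raise ValueError(f"serial port {serial_port} is outside 1..{num_ports}")
    port = base + serial_port
    if port > MAX_TCP_PORT:
        raise ValueError(f"high port {port} exceeds {MAX_TCP_PORT}")
    return port


def console_fqdn(inband_fqdn, suffix="-con"):
    """switch01.mgmt.dc.corp.com -> switch01-con.mgmt.dc.corp.com"""
    host, dot, domain = inband_fqdn.partition(".")
    return f"{host}{suffix}{dot}{domain}"


def ssh_config_entries(console_server, domain, consoles, use_dns=False, base=BASE_PORT):
    """One Host block per console. With use_dns=True the per-port DNS name on
    TCP 22 is used; otherwise the console server's own address plus high port."""
    blocks = []
    for c in consoles:
        if use_dns:
            hostname, port = console_fqdn(f"{c.device}.{domain}"), 22
        else:
            hostname, port = console_server, high_port(c.serial_port, base)
        blocks.append("\n".join([
            f"Host {c.device}-con",
            f"    HostName {hostname}",
            f"    Port {port}",
            # Assumption: same host key on every port/IP of the console server,
            # so share one known_hosts entry instead of a TOFU prompt per console.
            f"    HostKeyAlias {console_server}",
        ]))
    return "\n\n".join(blocks)
```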