On Thu, Jul 02, 2015 at 12:30:47PM -0400, Paul Heinlein wrote:
> If your admins are comfortable with serial consoles, a concentrator like those available from Digi or WTI can offer fairly robust access controls; they can also be set to honor SSH keys rather than passwords, which may help increase security.
I've used those for devices that were fairly dumb, but for servers it can be nicely cheaper to use serial-over-ipmi plus conman for that purpose. It's necessary to log and monitor the serial consoles; there are a variety of OOPses and BUGs and whatnot that only appear there. I've been using 'conman' for this purpose.
I totally agree with you about having a separate admin-only network. It's not that expensive to build one up using dumb switches.
-- greg