Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


RE: telnet vs ssh on Core equipment , looking for reasons why ?

  • From: Deepak Jain
  • Date: Tue Jul 31 12:58:58 2001


I hate bringing this up with openly paranoid types around. Someone just
mentioned RSA as an authentication scheme for SSH which is a very good idea
when it comes to managing lots of equipment.

How many of us just hit "accept and save key" when their SSH client prompts
them for it? This act alone can allow ANYONE that could sniff the packets to
actually force you to login to _their_ equipment which will just pass on
your packets to the equipment on the other side.

You will not necessarily be able to notice anything is amiss and will be
entering your passwords and commands in plaintext relative to the sniffer.

SSH has a very specific purpose and a very specific function, but like
anything else, if you don't know the nuances of it, it is nothing more than
a false sense of security.

If you aren't worried about sniffers, [in band or out of band] ssh is
needless overhead.  If you are, you'd better damn well make sure you are
doing proper key authentication and that the keys you are saving, in fact,
come from your equipment. It also helps to make sure your equipment hasn't
been compromised at any point in the exercise.

Deepak Jain
AiNET




-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
fingers
Sent: Tuesday, July 31, 2001 9:56 AM
To: Stephen J. Wilcox
Cc: Mr. James W. Laferriere; nanog@merit.edu
Subject: Re: telnet vs ssh on Core equipment , looking for reasons why ?



Hi

> true, but I would point out that if it's your core equipment that you are
> accessing from your network that sits directly on the core then you should
> be happy with the fact that no one is eavesdropping and it makes no
> difference.

Not everyone has out-of-band networks for management. Management of
devices is sometimes done thousands of miles away. Remember also that this
traffic can be sniffed before it gets to the core (yes, ssh is sniffable
as well, but just not as easily, and at least it's not in plaintext).

> so that's my main logic, authentication... I can't understand the big
> paranoia on people sniffing though!

Unfortunately ssh is just as sniffable if it's an arp spoof, but hopefully
it's not as easy for the naughty eavesdropper to get into the right
position for that....

--Rob
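
A defender-side illustration of Deepak's point about making sure the keys you save actually come from your equipment, added here and not part of the thread or any poster's code: it pins host keys from a known_hosts-style inventory collected out of band (e.g. read off the device console) and refuses to auto-accept, distinguishing an unknown host from a pinned key that has changed. Host names and key blobs below are constructed samples, not real keys, and hashed (`|1|...`) known_hosts entries are assumed not to be in use.

```python
import base64
import hashlib

# Constructed sample inventory in OpenSSH known_hosts layout: "host keytype base64blob".
# The blobs are made-up base64 strings, not real SSH public keys.
KNOWN_HOSTS = """\
# core routers, keys recorded from the console, not from the network
core1.example.net ssh-rsa QUFBQUIzTnphQzF5YzJFQUFBQURBUUFCQUFBQkFRQ3gw
core2.example.net,10.0.0.2 ssh-rsa QUFBQUIzTnphQzF5YzJFQUFBQURBUUFCQUFBQkFRRHow
"""


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map each host name to the set of (keytype, fingerprint) pairs pinned for it."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed entry; ignore rather than trust
        hosts, keytype, key = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            pins.setdefault(host, set()).add((keytype, fingerprint(key)))
    return pins


def check_host_key(pins: dict, host: str, keytype: str, offered_b64: str) -> str:
    """Return 'ok', 'unknown' or 'changed'. Never silently accept and save."""
    offered = (keytype, fingerprint(offered_b64))
    if host not in pins:
        return "unknown"   # no pin yet: stop and verify the key out of band
    if offered in pins[host]:
        return "ok"
    return "changed"       # pinned key differs: treat as possible interception


if __name__ == "__main__":
    pins = parse_known_hosts(KNOWN_HOSTS)
    for host, key in [("core1.example.net", "QUFBQUIzTnphQzF5YzJFQUFBQURBUUFCQUFBQkFRQ3gw"),
                      ("core1.example.net", "QUFBQUIzTnphQzF5YzJFQUFBQURBUUFCQUFBQkFRRHow"),
                      ("core9.example.net", "QUFB")]:
        print(host, check_host_key(pins, host, "ssh-rsa", key))
```

Only "ok" should let a login proceed; "unknown" and "changed" both mean the operator verifies the fingerprint against the device itself before saving anything.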





