[40040] in North American Network Operators' Group


Re: telnet vs ssh on Core equipment , looking for reasons why ?

daemon@ATHENA.MIT.EDU (David Howe)
Tue Jul 31 13:04:49 2001

Message-ID: <05c301c119e2$a7d14e60$c71121c2@sharpuk.co.uk>
From: "David Howe" <DaveHowe@gmx.co.uk>
To: <nanog@merit.edu>
Date: Tue, 31 Jul 2001 18:02:38 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


> 1) You have legacy equipment that does not support ssh, and/or your
>    vendor does not include ssh in every release of code (specifically,
>    code you need to run.)
You can normally work around this - worst case, run a null-modem between
that box and the closest box that *does* support SSH, allow normal console
logins on that port...

> 2) Your vendor's ssh authentication creates a secure connection, and
>    transfers the password securely, only to then send the password,
>    unencrypted, to an authentication server for verification, making
>    ssh moot.
Bad design - but again, you can usually work around it. VPN tunnel (or SSH
port forwarding) to the auth server springs to mind (if supported) or a
dedicated OOB mini-network in the 1918 range just for the authentications.
Even legacy 10BASE2 would be OK for that - it is not as if speed matters for
it. Or just use local logins for each one - I know it is much cleaner for
admin purposes to have a central auth server (add username once, in one
place) but a push-out solution *can* be made to work...
