[40049] in North American Network Operators' Group
RE: telnet vs ssh on Core equipment , looking for reasons why
daemon@ATHENA.MIT.EDU (Rubens Kuhl Jr.)
Tue Jul 31 15:52:08 2001
Message-Id: <5.1.0.14.0.20010731164301.02ad43d0@pop3.uol.com.br>
Date: Tue, 31 Jul 2001 16:55:03 -0300
To: "'nanog@merit.edu'" <nanog@merit.edu>
From: "Rubens Kuhl Jr." <rkuhljr@uol.com.br>
In-Reply-To: <B3AA75A19260D3118F3B00902798992B023C8D79@mail2.thestar.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu

SSH has one advantage over one-time passwords, in providing a secure path to
see/change the configuration. Parameters like ACLs, communities and even
interface descriptions (wanna know who the clients of your competitor are?)
are travelling in the clear on the network... even clear-text passwords with
vty access controls and routing protocol security can resist sniffing
(know the password, can't use it), but information is always useful.

Rubens Kuhl Jr.

>Here's an alternative that might work. Authenticate via RADIUS, which in
>turn proxies the authentication request to a SecurID server. With one-time
>passwords, who cares if they get sniffed? You also get the benefit of
>having your RADIUS server being able to do accounting/access control on
>the sessions as well.