secure router access

Curtis Villamizar curtis at brookfield.ans.net
Thu May 28 02:53:47 UTC 1998


In message <199805150421.AAA07966 at jekyll.piermont.com>, "Perry E. Metzger" writes:
> 
> Michael Dillon writes:
> > On Fri, 15 May 1998, Dean Anderson wrote:
> > 
> > > >If you were using ssh for secure access then the answer would be to find a
> > 
> > > It is just as easy to download a kerberized versions of NCSA telnet or
> > > NiftyTelnet, for the mac or pc.
> > 
> > No it's not. I gave a URL for the Mac and Windows ssh clients; you didn't.
> 
> URL or no, I've played with both kerberized NCSA telnet and SSH --
> anyone who claims that setting up and maintaining a KDC is as easy as
> the "point and shoot" rlogin replacement portion of SSH hasn't really
> tried both possibilities. SSH is far simpler -- it's almost foolproof,
> and it requires no infrastructure commitment to run.
> 
> Perry


A medium to large ISP typically has a few hundred employees with
access to a few hundred to a few thousand routers and somewhere around
a few hundred workstations.  (There may be a thousand or more
employees but accounting, etc, don't have access to the routers and
development and NMS machines).

SSH is easy to set up on your home linux or BSD box but that isn't the
overriding factor when considering which is better for an ISP.

Consider what an ISP has to go through when an employee leaves and
their access to company systems must be terminated.  

With kerberos someone goes to the KDC and sets the expiration on their
kerberos principal to the current minute or changes their kerberos
password or both.  In a few minutes their access to all systems is
gone.  Even if they had admin access to the KDC, you can change the
KDC and admin passwords and rebuild the KDC and any secondaries in
well under an hour.  You may have to do a "ksrvutil change" on cron
service tab files they had read access to (these should be few).

With ssh, the ssh key identity can't be revoked.  Instead you need to
find all .slogin files for all the accounts on all the machines and
routers and make sure they aren't listed under an assigned name or a
pseudoname they chose and didn't tell you about (an impossible task),
plus ensure that any machine (like their home machine) that they have
access to doesn't appear in any .shosts files.

Given 1,000 machines (for example) which sounds harder to do?  Is the
turnover rate for NOC staff negligible or fairly constant?

Curtis
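The revocation chore Curtis describes for rhosts-style trust files, as an added example that is not part of the thread: a small auditor that parses .shosts/.rhosts lines and flags entries in other accounts' files that still admit a departed user by name, by one of their known hosts, or through a "+" wildcard. The file contents, hostnames and usernames below are constructed; a pseudonym the user never disclosed can only be caught by the host check, which is the point of the message.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class TrustEntry:
    host: str            # remote host, "+" means any host
    user: Optional[str]  # remote user; None means "same name as the local account"
    deny: bool           # True for "-host" / "-user" negative entries

def parse_shosts(text: str) -> list:
    """Parse .shosts/.rhosts lines: 'host [user]', '+' wildcard, '-' negation, '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host, user = fields[0], (fields[1] if len(fields) > 1 else None)
        deny = host.startswith("-") or (user is not None and user.startswith("-"))
        entries.append(TrustEntry(host.lstrip("+-") or "+", user.lstrip("-") if user else None, deny))
    return entries

def find_stale_grants(files: dict, departed_user: str, departed_hosts: set) -> list:
    """Return (path, entry) pairs that still admit the departed user: by username,
    by one of their known hosts, or via a '+' wildcard host. Negative entries are
    skipped. Name matching cannot catch an undisclosed pseudonym; the host check can."""
    findings = []
    for path, text in files.items():
        local_account = path.rsplit("/", 2)[-2]  # /home/<account>/.shosts
        for e in parse_shosts(text):
            if e.deny:
                continue
            user = e.user or local_account
            if user == departed_user or e.host in departed_hosts or e.host == "+":
                findings.append((path, e))
    return findings

# Constructed sample trust files (not real hosts or accounts).
SAMPLE_FILES = {
    "/home/noc/.shosts": "core1.example.net jdoe\nnoc-ws3.example.net\n",
    "/home/oper/.shosts": "# shared ops account\n+ jdoe\n-badhost.example.net\n",
    "/home/root/.shosts": "jdoe-home.example.net ops\n",
    "/home/backup/.shosts": "backup1.example.net backup\n",
}

if __name__ == "__main__":
    departed_hosts = {"jdoe-home.example.net", "noc-ws3.example.net"}
    for path, e in find_stale_grants(SAMPLE_FILES, "jdoe", departed_hosts):
        print(f"{path}: host={e.host} user={e.user or '(same as local account)'}")
```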


