telnet vs ssh on Core equipment , looking for reasons why ?

Deepak Jain deepak at ai.net
Tue Jul 31 17:00:31 UTC 2001



I hate bringing this up with openly paranoid types around. Someone just
mentioned RSA as an authentication scheme for SSH which is a very good idea
when it comes to managing lots of equipment.

How many of us just hit "accept and save key" when their SSH client prompts
them for it? This act alone can allow ANYONE that could sniff the packets to
actually force you to log in to _their_ equipment, which will just pass on
your packets to the equipment on the other side.

You will not necessarily be able to notice anything is amiss and will be
entering your passwords and commands in plaintext relative to the sniffer.

SSH has a very specific purpose and a very specific function, but like
anything else, if you don't know the nuances of it, it is nothing more than
a false sense of security.

If you aren't worried about sniffers, [in band or out of band] ssh is
needless overhead.  If you are, you'd better damn well make sure you are
doing proper key authentication and that the keys you are saving, in fact,
come from your equipment. It also helps to make sure your equipment hasn't
been compromised at any point in the exercise.

Deepak Jain
AiNET
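The point above is that "accept and save key" only protects you if the key you saved is the one your own box presents. The check that closes that gap is comparing the saved host key's fingerprint against one recorded out of band (console, serial, or `ssh-keygen -lf` run on the device itself). Below is an added example, not code from this thread or from any vendor, that reproduces the OpenSSH SHA256 fingerprint format, reads plain-text `known_hosts` entries, and reports whether what the client saved matches the out-of-band record. The hostnames, addresses and both key blobs are constructed for the demo; the ed25519 key material is random-looking filler, not real keys.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(seed: int) -> str:
    """Build a constructed (not real) ssh-ed25519 public key line in the
    '<type> <base64 blob>' form used by known_hosts and authorized_keys.
    The 32 key bytes are derived from a seed so the demo runs offline."""
    key_bytes = hashlib.sha256(b"constructed-key-%d" % seed).digest()  # 32 bytes, not a real key
    blob = ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key line, i.e. what
    `ssh-keygen -lf` prints: 'SHA256:' + unpadded base64 of sha256(blob)."""
    parts = pubkey_line.split()
    blob = base64.b64decode(parts[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map each hostname or address pattern to the key lines saved for it.
    Comments, @-marker lines and hashed (|1|...) entries are skipped; the
    hashed form cannot be matched by name without the salt, so audit the
    plain form or disable HashKnownHosts on management workstations."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@" or line.startswith("|1|"):
            continue
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue
        hosts, keytype, keydata = fields
        for host in hosts.split(","):
            entries.setdefault(host, []).append(f"{keytype} {keydata}")
    return entries


def verify_host(known_hosts_text: str, host: str, trusted_fingerprints: set) -> bool:
    """True only if the host has saved keys and every one of them matches a
    fingerprint obtained out of band. No entry at all is a failure too:
    the next connection would fall back to the 'accept and save' prompt."""
    saved = parse_known_hosts(known_hosts_text).get(host)
    if not saved:
        return False
    return all(fingerprint(k) in trusted_fingerprints for k in saved)


# Constructed sample data: the router's own key and a key an interposed box would present.
ROUTER_KEY = make_ed25519_pubkey_line(1)
IMPOSTOR_KEY = make_ed25519_pubkey_line(2)

# Fingerprint written down from the device console before any SSH session (constructed).
TRUSTED = {fingerprint(ROUTER_KEY)}

KNOWN_HOSTS_GOOD = f"core-rtr1.example.net,10.0.0.1 {ROUTER_KEY}\n"
KNOWN_HOSTS_BAD = f"core-rtr1.example.net,10.0.0.1 {IMPOSTOR_KEY}\n"  # what a blind "accept" leaves behind


if __name__ == "__main__":
    for label, kh in (("good", KNOWN_HOSTS_GOOD), ("swapped", KNOWN_HOSTS_BAD)):
        ok = verify_host(kh, "core-rtr1.example.net", TRUSTED)
        print(f"{label}: saved {fingerprint(kh.split(None, 1)[1])} -> {'matches' if ok else 'MISMATCH'}")
```

The same comparison can be made without code by running `ssh-keygen -lf` on the device's host key file from the console and checking the printed SHA256 value against `ssh-keygen -lF <host>` on the workstation; the script just makes it auditable across a large `known_hosts` file.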




-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu]On Behalf Of
fingers
Sent: Tuesday, July 31, 2001 9:56 AM
To: Stephen J. Wilcox
Cc: Mr. James W. Laferriere; nanog at merit.edu
Subject: Re: telnet vs ssh on Core equipment , looking for reasons why ?



Hi

> true, but i would point out that if it's your core equipment that you are
> accessing from your network that sits directly on the core then you should
> be happy with the fact that no one is eavesdropping and it makes no
> difference.

not everyone has out-of-band networks for management. Management of
devices is sometimes done thousands of miles away. Remember also that this
traffic can be sniffed before it gets to the core (yes, ssh is sniffable
as well, but just not as easily, and at least it's not in plaintext)

> so that's my main logic, authentication... i can't understand the big
> paranoia on people sniffing tho!

unfortunately ssh is just as sniffable if it's an arp spoof, but hopefully
it's not as easy for the naughty eavesdropper to get into the right
position for that....

--Rob




