On Sun, 6 Jun 2004, Henning Brauer wrote:
> this is not nearly the same league as (proper) ssh.
It's quite sufficient for protecting one's routers. Also the "authentication" itself is (should be) Triple-DES protected. The DES encryption for the data exchange isn't enough to guard sensitive data, however it's still more than enough to stop real-time MITM. More recent Kerberos implementations support AES-256/SHA-1 HMAC enctypes and hopefully kerberised telnet will also gain AES-256 encryption support at some point.
> complaining that cisco charges extra for such a critical component is exactly the right thing to do; it is fucking scary.
Right, but hand-waving about the scariness of not shipping ssh doesn't solve the immediate problem of securing network console access to one's infrastructure. And, contrary to the popular belief on this list, it *is* quite possible to secure access with the *standard* IOS images on nearly all Cisco routers shipped for at least the last few years. Anyone who has Active Directory on their network can implement this easily enough. Even for those who don't, setting up a KDC is pretty easy.
> every damn network device which used to have telnet should ship with ssh, it's free.
However, it's not very well specified yet.
> well, I understand that cisco has problems with their 3$ CPUs with the crypto load, but that's an extremely poor excuse.
Right, but on the other hand lack of ssh in one's IOS images is *not* an excuse to use plain-text telnet.

regards,
--
Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A
warning: do not ever send email to spam@dishone.st
Fortune:
This novel is not to be tossed lightly aside, but to be hurled with great force.
-- Dorothy Parker
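The enctype point made in the reply above (DES for the session is weak, 3DES for the authentication is tolerable, AES-256/SHA-1 HMAC is what newer Kerberos implementations offer) comes down to which enctypes the client library is willing to negotiate. The following `krb5.conf` fragment is an added illustration, not something from this thread or from any Cisco or MIT documentation: it shows a DES-only configuration of the kind the reply describes, followed by one that restricts the same realm to AES and 3DES. The realm name `EXAMPLE.COM` and the KDC host `kdc.example.com` are placeholders; `allow_weak_crypto` is an MIT krb5 option that was added to the library several years after this 2004 exchange, so it would not have existed on the systems discussed here.

```ini
# --- Weak configuration (assumed example of the 2004-era setup) ---
# Session keys negotiated with des-cbc-crc / des-cbc-md5 protect the
# telnet data stream with single DES only, as the reply above notes.
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    permitted_enctypes   = des-cbc-crc des-cbc-md5

[realms]
    EXAMPLE.COM = {
        kdc          = kdc.example.com   ; placeholder KDC (could be an AD domain controller)
        admin_server = kdc.example.com   ; placeholder
    }

# --- Hardened configuration (assumed example) ---
# AES-256 preferred, 3DES kept only for peers (e.g. a router's Kerberos
# telnet) that cannot yet do AES; single DES is refused outright.
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
    ; MIT krb5 1.7+ only: refuses DES even if a KDC offers it.
    allow_weak_crypto = false

[realms]
    EXAMPLE.COM = {
        kdc          = kdc.example.com   ; placeholder
        admin_server = kdc.example.com   ; placeholder
    }
```

To confirm which enctype a client actually ended up with, `klist -e` on an MIT client lists each cached ticket together with its enctype, so a session key that still reads `des-cbc-crc` after the hardened config is in place means the KDC or the service principal's key set, not the client library, is what is holding the realm back at DES.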