I hate bringing this up with openly paranoid types around. Someone just mentioned RSA as an authentication scheme for SSH, which is a very good idea when it comes to managing lots of equipment.

How many of us just hit "accept and save key" when their SSH client prompts them for it? This act alone can allow ANYONE that could sniff the packets to actually force you to log in to _their_ equipment, which will just pass on your packets to the equipment on the other side. You will not necessarily be able to notice anything is amiss and will be entering your passwords and commands in plaintext relative to the sniffer.

SSH has a very specific purpose and a very specific function, but like anything else, if you don't know the nuances of it, it is nothing more than a false sense of security. If you aren't worried about sniffers [in band or out of band], ssh is needless overhead. If you are, you'd better damn well make sure you are doing proper key authentication and that the keys you are saving, in fact, come from your equipment. It also helps to make sure your equipment hasn't been compromised at any point in the exercise.

Deepak Jain
AiNET

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of fingers
Sent: Tuesday, July 31, 2001 9:56 AM
To: Stephen J. Wilcox
Cc: Mr. James W. Laferriere; nanog@merit.edu
Subject: Re: telnet vs ssh on Core equipment , looking for reasons why ?

Hi
True, but I would point out that if it's your core equipment that you are accessing from your network that sits directly on the core, then you should be happy with the fact that no one is eavesdropping and it makes no difference.
Not everyone has out-of-band networks for management. Management of devices is sometimes done thousands of miles away. Remember also that this traffic can be sniffed before it gets to the core (yes, ssh is sniffable as well, but just not as easily, and at least it's not in plaintext).
So that's my main logic, authentication... I can't understand the big paranoia on people sniffing though!
Unfortunately ssh is just as sniffable if it's an ARP spoof, but hopefully it's not as easy for the naughty eavesdropper to get into the right position for that....

--Rob
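Deepak's point above, that the host keys you save must be checked against keys you obtained from your own equipment rather than accepted on first prompt, as an added example that is not part of the thread and not any poster's code. It implements the pieces an SSH client uses for that check offline: parsing OpenSSH known_hosts lines (plain and hashed `|1|` form), computing the OpenSSH-style SHA256 fingerprint of a key blob, and a verify step that fails closed on an unknown host instead of auto-accepting. The hostnames core1/core2/core3.example.net, the 10.0.0.1 address, the salt and all key bytes are constructed for the demo; no real keys appear.

```python
"""
Added example (not from the NANOG thread): check a presented SSH host key
against a pinned known_hosts file before trusting it, instead of clicking
"accept and save key". Standard library only; all hostnames and key bytes
below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Build an ssh-ed25519 public key blob (RFC 8709 layout)."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH 'SHA256:<base64 without padding>' fingerprint of a key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(hostname: str, salt: bytes) -> str:
    """known_hosts hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def parse_known_hosts(text: str):
    """Yield (host_field, key_type, key_blob) for each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; ignore rather than trust
        yield parts[0], parts[1], base64.b64decode(parts[2])


def host_matches(host_field: str, hostname: str) -> bool:
    """Match a comma-separated plain host list or a hashed |1| entry."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(base64.b64decode(salt_b64), hostname.encode(),
                          hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    return hostname in host_field.split(",")


def verify_host_key(known_hosts: str, hostname: str, key_type: str,
                    presented_blob: bytes) -> str:
    """
    "ok"      - a pinned key for hostname matches the presented key
    "changed" - hostname is pinned but the key differs (possible relay/MITM)
    "unknown" - no pinned entry; do not auto-accept, pin it out of band first
    """
    pinned_any = False
    for hosts, ktype, blob in parse_known_hosts(known_hosts):
        if ktype != key_type or not host_matches(hosts, hostname):
            continue
        pinned_any = True
        if hmac.compare_digest(blob, presented_blob):
            return "ok"
    return "changed" if pinned_any else "unknown"


# Constructed demo keys: deterministic 32-byte values, not real device keys.
CORE1_BLOB = ed25519_blob(hashlib.sha256(b"constructed demo key: core1").digest())
CORE2_BLOB = ed25519_blob(hashlib.sha256(b"constructed demo key: core2").digest())
ROGUE_BLOB = ed25519_blob(hashlib.sha256(b"constructed demo key: rogue").digest())

# Constructed known_hosts: one plain entry, one hashed entry (20-byte salt).
KNOWN_HOSTS = "\n".join([
    "# pinned from the console / out of band, not by clicking 'accept'",
    "core1.example.net,10.0.0.1 ssh-ed25519 " + base64.b64encode(CORE1_BLOB).decode(),
    hash_hostname("core2.example.net", b"0123456789abcdef0123")
    + " ssh-ed25519 " + base64.b64encode(CORE2_BLOB).decode(),
])

if __name__ == "__main__":
    for host, blob in [("core1.example.net", CORE1_BLOB),
                       ("core1.example.net", ROGUE_BLOB),
                       ("core2.example.net", CORE2_BLOB),
                       ("core3.example.net", CORE2_BLOB)]:
        verdict = verify_host_key(KNOWN_HOSTS, host, "ssh-ed25519", blob)
        print("%-18s %s  %s" % (host, fingerprint_sha256(blob), verdict))
```

The "changed" and "unknown" verdicts are the two cases Deepak describes: a relaying box presents its own key, which shows up as "changed" if you pinned the real one and as "unknown" if you never did. The fingerprint printed for each key is what you would read back from the device's console to do that pinning.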