-----Original Message----- From: Edward B. Dreger [mailto:eddy+public+spam@noc.everquick.net]
Correct. One must shell out more money for a bigger feature set to obtain SSH. I don't recall specifics off the top of my head, and don't have a javascript-capable machine handy to use Feature Navigator[*], but certain { feature sets | trains } only support SSHv1.
I don't see why they can't roll it into every ios that runs on a router capable of ssh. Ssh and sshd on my linux system barely break 500k compiled... And there's a TON of functionality in there that isn't required on a router. It would seem that you could get ssh put into these code trains in under 500k ... Personally, I like having a little wiggle room in the flash ... Putting an image on there that occupies the entire flash is a bad thing...
[*] Quick gripe: Did anyone at Cisco ever consider that people might like to use Feature Navigator without javascript? What's next? Mandatory Flash Player?
I concur.. Mandatory Javascript sucks... Esp when Mozilla and Firefox have problems viewing the pages... Cisco's site became decidedly un-useful when they switched it over to this new design...
Eddy
Jason Frisvold Penteledata
On Mon, 07 Jun 2004 22:31:59 EDT, Jason Frisvold <friz@corp.ptd.net> said:
I don't see why they can't roll it into every ios that runs on a router capable of ssh. Ssh and sshd on my linux system barely break 500k compiled... And there's a TON of functionality in there that isn't required on a router. It would seem that you could get ssh put into these code trains in under 500k ...
OK.. Say you can get it into the code train for 200K. What do you do with all those routers that have only 100K or 125K of space left in the flash (if that), and the flash is NOT going to get any bigger without massive abuse of a soldering iron because not all the needed address lines are brought out to the flash chip (a fine tactic dating back decades - I remember seeing a 16K ROM nailed to the top quarter of the 64K address space, and only 14 address lines brought to the chip - it was nailed to the top 16K by feeding A14 and A15 to an AND gate which fed the 'Chip Select' pin...)
JF> Date: Mon, 7 Jun 2004 22:31:59 -0400
JF> From: Jason Frisvold
JF> I don't see why they can't roll it into every ios that runs on a router capable of ssh. Ssh and sshd on my linux system barely break 500k compiled... And there's a TON of functionality in there that isn't required on a router. It would seem that you could get ssh put into these code trains in under 500k ...

Dynamic linking might be cheating. Static linking might be pessimistic. Probably best to compare BSD "crunchgen" images with and without ssh/sshd. (2MB total for statically-linked ssh and sshd as I compile it.)

JF> Personally, I like having a little wiggle room in the flash... Putting an image on there that occupies the entire flash is a bad thing...

You haven't lived life to its fullest until you need to load a boot image remotely via YModem. ;)

Eddy
-- EverQuick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita
On Tue, Jun 08, 2004, Edward B. Dreger wrote:
JF> Date: Mon, 7 Jun 2004 22:31:59 -0400
JF> From: Jason Frisvold
JF> I don't see why they can't roll it into every ios that runs on a router capable of ssh. Ssh and sshd on my linux system barely break 500k compiled... And there's a TON of functionality in there that isn't required on a router. It would seem that you could get ssh put into these code trains in under 500k ...
Dynamic linking might be cheating. Static linking might be pessimistic. Probably best to compare BSD "crunchgen" images with and without ssh/sshd. (2MB total for statically-linked ssh and sshd as I compile it.)
A friend of mine here at uni wrote a much, much smaller sshd replacement he calls "dropbear". It's much, much smaller than sshd. Much smaller. http://matt.ucc.asn.au/dropbear/dropbear.html I think it's very, very cute. Perhaps some vendors with small memory footprints would consider implementing this kind of tiny sshd?
Adrian
-- Adrian Chadd <adrian@creative.net.au> I'm only a fanboy if I emailed Wesley Crusher.
Adrian Chadd wrote:
A friend of mine here at uni wrote a much, much smaller sshd replacement he calls "dropbear". It's much, much smaller than sshd. Much smaller.
http://matt.ucc.asn.au/dropbear/dropbear.html
I think it's very, very cute. Perhaps some vendors with small memory footprints would consider implementing this kind of tiny sshd?
Several third-party firmwares for the linksys wrt54g wireless AP + "router" (which, of course, is owned by brand C) implement sshd using dropbear. For example, the ones at sveasoft, and at h.vu.wifi-box.net
srs
-- suresh ramasubramanian suresh@outblaze.com gpg EDEDEFB9 manager, security and antispam operations, outblaze ltd
On Tue, 8 Jun 2004, Suresh Ramasubramanian wrote:
Several third-party firmwares for the linksys wrt54g wireless AP + "router" (which, of course, is owned by brand C) implement sshd using dropbear. For example, the ones at sveasoft, and at h.vu.wifi-box.net
How do you know what you get in the box is the same as what was shipped from the factory? Or was it just re-sealed and put back on the shelf with an altered configuration?

http://www.securityfocus.com/archive/1/364977

If you buy your network equipment off Ebay, what are you really getting? Does it come with hitchhiking firmware pre-installed? The power of the Internet means the bad guys don't need to care who buys the tampered equipment, because it can "call home" and tell the bad guy where it ended up.
and, of course, there are no back doors in code directly from vendors, government standards (can you say clipper), ... [sounds of luftswineza] building from certifiable open source that has been inspected by many is the only half-credible scheme of which i am aware. randy
On Mon, 7 Jun 2004, Randy Bush wrote:
building from certifiable open source that has been inspected by many is the only half-credible scheme of which i am aware.
More flaws foul security of open-source repository
By Robert Lemos, Staff Writer, CNET News.com
http://news.com.com/2100-7344-5229750.html

Security researchers have found at least six more flaws in the open-software world's most popular program for maintaining code under development. [...] The major projects using the program were notified of the issues May 28. On Wednesday, the security holes were publicly announced.

Since the topic of pre-notification came up during the NANOG nsp-sec BOF, should CVS have pre-notified selected major users of the software before the public announcement? Did this create favoritism, or should they have held off and told everyone about the vulnerability at the same time with the public announcement?
Sean Donelan wrote:
How do you know what you get in the box is the same as what was shipped from the factory? Or was it just re-sealed and put back on the shelf with an altered configuration?
1. Buy a linksys box off the shelf from radio shack or wherever [factory sealed]
2. Download the latest firmware and/or its source code from ftp.linksys.com, or the wifi-box.net site.
3. Build it yourself or
4. As these two I mentioned (sveasoft / wifi-box) are open source, trust the developer community to some extent when you download firmware from their site.
srs
-- suresh ramasubramanian suresh@outblaze.com gpg EDEDEFB9 manager, security and antispam operations, outblaze ltd
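A defender-side check matching steps 2-4 above, added here as an example and not code from this thread or from Linksys, sveasoft or wifi-box.net: before flashing a downloaded image, compare it against a digest and size obtained out of band (the image bytes and manifest below are constructed placeholders, not real published values) and confirm it still leaves the flash headroom Jason asked for earlier in the thread.

```python
import hashlib
import hmac

# Constructed sample "firmware image" and a constructed trusted manifest.
# In practice the manifest digest would be obtained from the vendor or
# project separately from the download itself; these values are not real.
SAMPLE_IMAGE = b"WRT54G-FIRMWARE-HEADER" + bytes(range(256)) * 4
TRUSTED_MANIFEST = {
    "wrt54g-example.bin": {
        "sha256": hashlib.sha256(SAMPLE_IMAGE).hexdigest(),
        "size": len(SAMPLE_IMAGE),
    },
}


def verify_image(name, image, manifest, flash_bytes, headroom_bytes):
    """Return (ok, reason).

    Accept only an image whose size and SHA-256 match the trusted manifest
    entry, and which still leaves headroom_bytes free in flash_bytes of
    flash. Any mismatch or a too-large image is rejected before flashing.
    """
    entry = manifest.get(name)
    if entry is None:
        return False, "no trusted manifest entry for image"
    if len(image) != entry["size"]:
        return False, "size differs from manifest"
    digest = hashlib.sha256(image).hexdigest()
    # Constant-time comparison so the check does not leak how many
    # leading hex digits matched.
    if not hmac.compare_digest(digest, entry["sha256"]):
        return False, "sha256 mismatch: image is not the published build"
    if len(image) + headroom_bytes > flash_bytes:
        return False, "image would not leave required headroom in flash"
    return True, "image matches manifest and fits with headroom"


if __name__ == "__main__":
    flash, headroom = 4 * 1024 * 1024, 128 * 1024
    print(verify_image("wrt54g-example.bin", SAMPLE_IMAGE, TRUSTED_MANIFEST, flash, headroom))
    # Flip one bit: same size, different digest, so it must be rejected.
    tampered = SAMPLE_IMAGE[:-1] + bytes([SAMPLE_IMAGE[-1] ^ 1])
    print(verify_image("wrt54g-example.bin", tampered, TRUSTED_MANIFEST, flash, headroom))
```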
On Mon, 2004-06-07 at 23:06, Edward B. Dreger wrote:
Dynamic linking might be cheating. Static linking might be pessimistic. Probably best to compare BSD "crunchgen" images with and without ssh/sshd. (2MB total for statically-linked ssh and sshd as I compile it.)
Ooops.. forgot that bit :)
You haven't lived life to its fullest until you need to load a boot image remotely via YModem. ;)
Been there, Done that.. Is there a T-Shirt? :)
Eddy
-- Jason H. Frisvold PenTeleData
participants (7)
- Adrian Chadd
- Edward B. Dreger
- Jason Frisvold
- Randy Bush
- Sean Donelan
- Suresh Ramasubramanian
- Valdis.Kletnieks@vt.edu