This is going to sound mean, but it isn't intended to be :) Cisco's documentation on Kerberized telnet is actually pretty darn good. It's a three or four-step process. The docs even include sample KDC configs. Documentation for 11.2 is in the 'Security Configuration Guide' section on 'Configuring Network Access Security,' 'Establishing Kerberos-Authenticated Server-Client System.'
Brian
At 10:24 PM 5/8/98 -0500, Sam Birch wrote:
Not that I've done it, but you can use Kerberos to remotely manage a Cisco, giving you an encrypted telnet. In fact, does anyone have any pointers about how?
On Mon, 11 May 1998, Brian Moore wrote:
This is going to sound mean, but it isn't intended to be :)
Cisco's documentation on Kerberized telnet is actually pretty darn good.
So what do you do when you're at a conference, your laptop has been stolen and the cell phone rings? If you were using ssh for secure access then the answer would be to find a machine with a web browser, go to http://www.datafellows.com and download the 30-day free trial version of the Windows or Mac ssh client as appropriate, and, voila!, you have secure access to your network. But, alas, if you are using a Cisco router, you cannot get in directly but must instead use a UNIX host as a proxy, either to get access to a backdoor network or to get to a Kerberized telnet client. It would be nicer if Cisco would support sshd but I suppose that would make the PCMCIA flash cards into munitions that are illegal to export...
--
Michael Dillon - Internet & ISP Consulting
Memra Communications Inc. - E-mail: michael@memra.com
http://www.memra.com - *check out the new name & new website*
At 4:29 AM -0400 5/14/98, Michael Dillon wrote:
So what do you do when you're at a conference, your laptop has been stolen and the cell phone rings?
If you were using ssh for secure access then the answer would be to find a
It is just as easy to download kerberized versions of NCSA telnet or NiftyTelnet, for the mac or pc. And you don't leave crumbs of host keys like ssh does.
--Dean
Plain Aviation, Inc dean@av8.com LAN/WAN/UNIX/NT/TCPIP/DCE
http://www.av8.com We Make IT Fly! (617)242-3091 x246
On Fri, 15 May 1998, Dean Anderson wrote:
If you were using ssh for secure access then the answer would be to find a
It is just as easy to download kerberized versions of NCSA telnet or NiftyTelnet, for the mac or pc.
No it's not. I gave a URL for the Mac and Windows ssh clients; you didn't.
--
Michael Dillon
Michael Dillon writes:
On Fri, 15 May 1998, Dean Anderson wrote:
If you were using ssh for secure access then the answer would be to find a
It is just as easy to download kerberized versions of NCSA telnet or NiftyTelnet, for the mac or pc.
No it's not. I gave a URL for the Mac and Windows ssh clients; you didn't.
URL or no, I've played with both kerberized NCSA telnet and SSH -- anyone who claims that setting up and maintaining a KDC is as easy as the "point and shoot" rlogin replacement portion of SSH hasn't really tried both possibilities. SSH is far simpler -- it's almost foolproof, and it requires no infrastructure commitment to run.
Perry
At 12:21 AM -0400 5/15/98, Perry E. Metzger wrote:
URL or no, I've played with both kerberized NCSA telnet and SSH -- anyone who claims that setting up and maintaining a KDC is as easy as the "point and shoot" rlogin replacement portion of SSH hasn't really tried both possibilities. SSH is far simpler -- it's almost foolproof, and it requires no infrastructure commitment to run.
You still have to set up sshd and appropriate user accounts. WRT Cisco you would need something like Tacacs or RADIUS, which would also need to be set up. These aren't exactly "point and shoot" either. If you have trouble setting up kerberos, try kerbnet from Cygnus. I grant that Kerberos is a bit more sophisticated, and slightly more complicated, though. Not to mention that there is also sslTelnet.
--Dean
i have used both kerberos and ssh for quite a while, though kerberos first, of course, as ssh is fairly new. each has its features, easy points, hard points. that's why i use 'em both, i guess. i only played with kerberos to ciscos for a bit. works. i use ssh to junipers. works. i can imagine that router vendors see licensing issues between the two. randy
SSH is officially on the Cisco "project list" AFAIK; I believe someone just has to take the project and actually /do/ it.
Randy Bush wrote:
i have used both kerberos and ssh for quite a while, though kerberos first, of course, as ssh is fairly new. each has its features, easy points, hard points. that's why i use 'em both, i guess.
i only played with kerberos to ciscos for a bit. works. i use ssh to junipers. works. i can imagine that router vendors see licensing issues between the two.
randy
--
jamie rishaw (dal/efnet:gavroche)
American Information Systems, Inc.
rdm: "Religion is obsolete." gsr: "By what?" jgr: "Solaris." (1996)
Tel:312.425.7140, FAX:312.425.7240
On Fri, 15 May 1998, James Rishaw wrote:
SSH is officially on the Cisco "project list" AFAIK; I believe someone just has to take the project and actually /do/ it.
There was a post recently to the SSH mailing list that stated that as well; see http://www.cs.hut.fi/ssh-archive/messages/980515-083235-3456.
i have used both kerberos and ssh for quite a while, though kerberos first, of course, as ssh is fairly new. each has its features, easy points, hard points. that's why i use 'em both, i guess.
i only played with kerberos to ciscos for a bit. works. i use ssh to junipers. works. i can imagine that router vendors see licensing issues between the two.
Only IOS 11.3, to my knowledge, has support for encrypted telnet sessions in the enterprise images. It would have been better to have that support in other images as well AND in service provider images also (in my opinion at least).
nisar
The service provider images have support for it. Ask your isp-team rep for how to gain access to the images.
- Jared
On Fri, May 15, 1998 at 03:54:22PM +0000, Nisar Ali wrote:
Only IOS 11.3, to my knowledge, has support for encrypted telnet sessions in the enterprise images. It would have been better to have that support in other images as well AND in service provider images also (in my opinion at least).
--
Work: jared@qual.net - We Make The Internet Work for Your Business
9-5pm(ET) 800 637 4424x2634 - 24x7 NOC - 800 424 3223
pgp key available via finger from jared@puck.nether.net
In message <199805150421.AAA07966@jekyll.piermont.com>, "Perry E. Metzger" writes:
Michael Dillon writes:
On Fri, 15 May 1998, Dean Anderson wrote:
If you were using ssh for secure access then the answer would be to find a
It is just as easy to download kerberized versions of NCSA telnet or NiftyTelnet, for the mac or pc.
No it's not. I gave a URL for the Mac and Windows ssh clients; you didn't.
URL or no, I've played with both kerberized NCSA telnet and SSH -- anyone who claims that setting up and maintaining a KDC is as easy as the "point and shoot" rlogin replacement portion of SSH hasn't really tried both possibilities. SSH is far simpler -- it's almost foolproof, and it requires no infrastructure commitment to run.
Perry
A medium to large ISP typically has a few hundred employees with access to a few hundred to a few thousand routers and somewhere around a few hundred workstations. (There may be a thousand or more employees but accounting, etc, don't have access to the routers and development and NMS machines). SSH is easy to set up on your home linux or BSD box but that isn't the overriding factor when considering which is better for an ISP.

Consider what an ISP has to go through when an employee leaves and their access to company systems must be terminated. With kerberos someone goes to the KDC and sets the expiration on their kerberos principal to the current minute or changes their kerberos password or both. In a few minutes their access to all systems is gone. Even if they had admin access to the KDC, you can change the KDC and admin passwords and rebuild the KDC and any secondaries in well under an hour. You may have to do a "ksrvutil change" on cron service tab files they had read access to (these should be few).

With ssh, the ssh key identity can't be revoked. Instead you need to find all .slogin files for all the accounts on all the machines and routers and make sure they aren't listed under an assigned name or a pseudonym they chose and didn't tell you about (an impossible task), plus ensure that any machine (like their home machine) that they have access to doesn't appear in any .shosts files.

Given 1,000 machines (for example) which sounds harder to do? Is the turnover rate for NOC staff negligible or fairly constant?
Curtis
Curtis Villamizar writes:
With ssh, the ssh key identity can't be revoked. Instead you need to find all .slogin files for all the accounts on all the machines and routers and make sure they aren't listed under an assigned name or a pseudonym they chose and didn't tell you about (an impossible task), plus ensure that any machine (like their home machine) that they have access to doesn't appear in any .shosts files.
A script can do that without much effort.
Given 1,000 machines (for example) which sounds harder to do?
If you have 1,000 machines, neither is particularly more difficult than the other. With 1,000 machines, you need a database driven management system anyway. If you are trying to manually maintain accounts on 1,000 hosts, you've done something terribly wrong. Personally, I prefer SSH for a bunch of reasons, but I'll admit that at this scale, K5 with 3DES would do as good a job. 1DES K4 is *not* sufficiently secure, though, IMHO. Perry
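The revocation sweep Curtis describes, and Perry says a script can do, as an added example (not code from any poster in this thread): it walks a constructed tree of home directories and reports every authorized_keys line carrying a revoked key, whatever comment the departing user attached to it, and every .shosts or .rhosts line that trusts a revoked host. The file names assumed are ~/.ssh/authorized_keys and ~/.shosts or ~/.rhosts; the users, hosts and key values are made up for the demo.

```python
import tempfile
from pathlib import Path

# Constructed sample tree (hypothetical users and hosts), laid out as the home
# directories on one managed host: ~/.ssh/authorized_keys for per-key trust,
# ~/.shosts or ~/.rhosts for per-host trust. Key lines use the SSH1 format
# "bits exponent modulus [comment]"; the comment is free text the user picks.
SAMPLE = {
    "alice/.ssh/authorized_keys": "1024 35 1234567 alice@work\n",
    "bob/.ssh/authorized_keys": "1024 35 9876543 bob@work\n"
                                "1024 35 1234567 backup-ops\n",
    "bob/.shosts": "noc1.example.net bob\nhome.example.org bob\n",
    "ops/.shosts": "# staff home boxes\nHOME.example.org ops\n",
}

def build_sample(root: Path) -> None:
    for rel, body in SAMPLE.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)

def audit_departed_user(root, revoked_keys, revoked_hosts):
    """Walk every home under root. Flag authorized_keys lines whose key material
    (bits, exponent, modulus) matches a revoked key regardless of comment, and
    .shosts/.rhosts lines trusting a revoked host (case-insensitive).
    Returns sorted (relative path, line number, reason) tuples."""
    root = Path(root)
    hosts = {h.lower() for h in revoked_hosts}
    findings = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            fields = line.split()
            if not fields or fields[0].startswith("#"):
                continue  # blank or comment line
            if path.name == "authorized_keys" and tuple(fields[:3]) in revoked_keys:
                comment = " ".join(fields[3:]) or "-"
                findings.append((rel, lineno, f"revoked key, comment '{comment}'"))
            elif path.name in (".shosts", ".rhosts") and fields[0].lower() in hosts:
                findings.append((rel, lineno, f"trusts revoked host {fields[0]}"))
    return sorted(findings)

def demo():
    """Build the sample tree in a temp dir and audit it for one departed user."""
    root = Path(tempfile.mkdtemp())
    build_sample(root)
    return audit_departed_user(root, {("1024", "35", "1234567")}, {"home.example.org"})

if __name__ == "__main__":
    for rel, lineno, reason in demo():
        print(f"{rel}:{lineno}: {reason}")
```

Run once per host (or over an NFS-mounted set of homes) and the output is the list of lines to remove; matching on key material rather than the comment is what defeats the "pseudonym they chose" problem.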
At 12:14 AM -0400 5/15/98, Michael Dillon wrote:
On Fri, 15 May 1998, Dean Anderson wrote:
If you were using ssh for secure access then the answer would be to find a
It is just as easy to download kerberized versions of NCSA telnet or NiftyTelnet, for the mac or pc.
No it's not. I gave a URL for the Mac and Windows ssh clients; you didn't.
www.yahoo.com
Mac: http://andrew2.andrew.cmu.edu/dist/ntelnet/
PC (win32): http://andrew2.andrew.cmu.edu/dist/ktelnet.html/
--Dean