Unless I'm mistaken, can someone tell me why Cisco routers(high end) don't have ssh and telnet instead of just telnet?
They do have SSH capabilities. I came across some posts about it on the Cisco site once. Did you go through their knowledgebase? I'll see if I can't dig something up and post again when I find it.
Here you go:
http://www.cisco.com/univercd/cc/td/...21t1/sshv1.htm
Hope this helps.
That's one of those lame things you can do when you have nr.1 in the market.
It bugs a lot of us, I guess.
I guess so... thanks for the info ;) ... I guess until some hacker redirects some major communication backbone (BGP) and turns it against another because the sys admin telnetted into the box, we are stuck with simple ssh...
You should put an access control list on the telnet to only allow it from the IPs of a few boxes on your local (switched) network. Then, if you need to access it from somewhere else, ssh into your handy Linux box and telnet on to the Cisco.
In practice that should be ok, as I assume you don't need to go into the cisco that often anyway?
Slarty
In addition to Slarty's post, you could also connect to a box and then connect to your router via a console cable. As long as you use a strong password, you should be golden, and nobody will know you have the console connection unless you tell them. I've used that setup in the past without issues.
There is no reason in principle why you should not connect a PC to the Cisco using the console port (or aux if the console is connected elsewhere).
But I've had trouble with this configuration in the past: on some PC hardware, rebooting the PC sends an unwanted break signal down the serial port, which on Sun hardware causes it to drop into the ROM. I can't remember whether this will cause any adverse effect on a Cisco (only during startup, perhaps?), but it is something to bear in mind.
Slarty
Those points are great... however, I meant (should have made clear) that for those lazy sys admins who don't want to walk the 1.5 feet to the box, they would rather just telnet/ssh into the box over the transmission medium (usual ethernet/BGP/TCP-IP, etc.)...
shaded3l33t,
Cisco IOS does support SSH. I believe they started supporting it with version 12.1(1)T with the IPSEC encryption image.
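For readers who want to see what the two suggestions above look like on the box (Slarty's access list on the vty lines, and the SSH support mentioned in the 12.1(1)T post), here is an IOS configuration fragment added to this thread as an illustration; it is not from any poster, nor from Cisco's documentation. The hostname "edge1", the domain "example.net", the two management host addresses 192.0.2.10 and 192.0.2.11, the ACL number 10, the username and the key size are all assumptions; replace them with your own values. `ip ssh version 2` is a later addition than 12.1(1)T, so drop that line on an image that rejects it.

```cisco
! Assumed names: a host name and a domain name are required before
! an RSA key can be generated, and SSH needs that key to start.
hostname edge1
ip domain-name example.net
!
! Generate the RSA host key (assumed 2048-bit modulus), then tune SSH.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Assumed management hosts: only these two may reach the vty lines.
! The final deny logs every other attempt so scans show up in syslog.
access-list 10 remark management hosts only
access-list 10 permit host 192.0.2.10
access-list 10 permit host 192.0.2.11
access-list 10 deny any log
!
! Assumed local account with a hashed (type 5) secret, not "password".
username netadmin privilege 15 secret ChangeMe-Str0ng
!
! Weak setting the thread is about, kept here as a comment for contrast:
! telnet accepted from any address, shared plaintext line password.
!   line vty 0 4
!    transport input telnet
!    password plaintext
!
! Hardened setting: ACL on the lines, SSH only, per-user login, idle timeout.
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
```

After applying it, `show ip ssh` should report SSH enabled with the key present, and a telnet attempt from a permitted host should be refused while `ssh -l netadmin edge1` from the same host succeeds. Note that the access list on its own only limits who can reach the line; it does nothing about the credentials crossing the wire in the clear, which is why `transport input ssh` matters even on a switched network.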
Well there's something I didn't know, but I can probably explain why.
Cisco routers have hardware specifically designed to route packets, not to encrypt them. Their processors only have a library of a couple of hundred instructions, as opposed to a P4 having hundreds of thousands. This limited instruction set does not allow the possibility of SSH.
Another reason: every service running on a router (or any computing device) is a security risk, whether it is useful, or needed, or neither. Since routers do not need SSH in order to function, they are more secure without it. A host can encrypt data before sending it there anyway. Why leave it to the router, and thereby slow it down and open up more security holes?
I think some newer versions of their IOS can support it now that the research is available to secure it and the power to support it. Personally, I would not use a router to encrypt data over a network for which I was responsible, for the reasons mentioned above. I would imagine many people feel the same way, so why would Cisco incorporate a feature which most people (I think) would not want or use?