-
October 17th, 2003, 05:44 PM
#1
Junior Member
Cisco router SSH
Unless I'm mistaken, can someone tell me why Cisco routers (high end) don't have ssh and telnet instead of just telnet?
-
October 17th, 2003, 06:06 PM
#2
Senior Member
they do have ssh capabilities. i came across some posts about it on the cisco site once. did you go through their knowledge base? i'll see if i can't dig something up and post again when i find it.
here you go
http://www.cisco.com/univercd/cc/td/...21t1/sshv1.htm
hope this helps.
just making some minor adjustments to your system....
-
October 17th, 2003, 06:19 PM
#3
That's one of those lame things you can do when you have nr.1 in the market.
It bugs a lot of us, I guess.
-
October 17th, 2003, 07:04 PM
#4
Junior Member
until disaster strikes....
I guess so.........thanks for the info...............I guess until some hacker redirects some major communication backbone (BGP) and turns it against another because the sys admin telnetted into the box, we are stuck with simple ssh.......
-
October 17th, 2003, 07:34 PM
#5
You should put an access control list on the telnet to only allow it from the IPs of a few boxes on your local (switched) network. Then if you need to access it from somewhere else, ssh into your handy Linux box then telnet on to the cisco.
In practice that should be ok, as I assume you don't need to go into the cisco that often anyway?
Slarty
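An added example, not part of the thread or any poster's code: a small audit that reads an IOS-style configuration and flags `line vty` stanzas that lack the inbound access list suggested above or that still accept telnet. The function names, the sample configuration and its addresses are constructed for illustration.

```python
import re

# Constructed sample config; 192.0.2.x is a documentation-range placeholder.
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.10
!
line vty 0 4
 access-class 10 in
 transport input telnet
 login
line vty 5 15
 transport input telnet ssh
 login
!
end
"""

def parse_line_stanzas(config):
    """Return {stanza header: [sub-commands]} for every 'line ...' block."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif current and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # any other unindented line ends the stanza
    return stanzas

def audit_vty(config):
    """Return sorted (stanza, finding) pairs for the remote-login lines."""
    findings = []
    for header, cmds in parse_line_stanzas(config).items():
        if not header.startswith("line vty"):
            continue
        if not any(re.match(r"access-class \S+ in\b", c) for c in cmds):
            findings.append((header, "no inbound access-class: reachable from any source address"))
        transports = next((c.split()[2:] for c in cmds if c.startswith("transport input")), None)
        if transports is None:
            findings.append((header, "no 'transport input' line: protocols fall back to the platform default"))
        elif "telnet" in transports or "all" in transports:
            findings.append((header, "telnet permitted: credentials cross the network in cleartext"))
    return sorted(findings)

if __name__ == "__main__":
    for stanza, finding in audit_vty(SAMPLE_CONFIG):
        print(f"{stanza}: {finding}")
```

A stanza that carries both `access-class 10 in` and `transport input ssh` produces no findings.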
-
October 17th, 2003, 07:55 PM
#6
Senior Member
in addition to slarty's post. you could also connect to a box then connect to your router via a console cable, as long as you use a strong password, you should be golden and nobody will know you have the console connection unless you tell them. i've used that setup in the past without issues.
just making some minor adjustments to your system....
-
October 17th, 2003, 11:00 PM
#7
There is no reason in principle why you should not connect a PC to the cisco using the console port (or aux if console connected elsewhere).
But I've had trouble with this configuration in the past - on some PC hardware, rebooting the PC sends an unwanted break signal down the serial port - which on Sun hardware causes it to drop into the rom. I can't remember whether this will cause any adverse effect on cisco (only during startup perhaps?) - but something to bear in mind.
Slarty
-
October 18th, 2003, 01:09 AM
#8
Junior Member
clarification
those points are great.......however, I meant (should have made clear) that for those lazy Sys-Admins who don't want to walk the 1.5 feet to the box, they would rather just telnet/ssh into the box over the transmission medium (usual ethernet/BGP/TCP-IP, etc.......).......
-
October 18th, 2003, 03:36 AM
#9
shaded3l33t,
Cisco IOS does support SSH. I believe they started supporting it with version 12.1(1)T with the IPSEC encryption image.
-
October 18th, 2003, 08:13 AM
#10
Well there's something I didn't know, but I can probably explain why.
Cisco routers have hardware specifically designed to route packets, not to encrypt them. Their processors only have a library of a couple of hundred instructions, as opposed to a P4 having hundreds of thousands. This limited instruction set does not allow the possibility of SSH.
Another reason: every service running on a router (or any computing device) is a security risk, whether it is useful, or needed, or neither. Since routers do not need SSH in order to function, they are more secure without it. A host can encrypt data before sending it there anyway. Why leave it to the router, and thereby slow it down and open up more security holes?
I think some newer version of their IOS can support it now that the research is available to secure it and the power to support it. Personally, I would not use a router to encrypt data over a network for which I was responsible, for the reasons mentioned above. I would imagine many people feel the same way, so why would Cisco incorporate a feature which most people (I think) would not want or use?
Government is like fire - a handy servant, but a dangerous master - George Washington
Government is not reason, it is not eloquence - it is force. - George Washington.
Join the UnError community!