John,

I don't know who told you that cisco's ssh sends passwords in the clear, but
that is false.  It would not be ssh if it did this.  Perhaps they are
confusing the fact that the first time you connect to an ssh server, you
must choose to accept the server's key and you must then verify that the key
is the correct key for that server, i.e., the first time you connect to an ssh
server you need to be certain that you are in fact connecting to the real
server.

As for the 2500, it's true that they do not have ssh support.  In general,
it seems that cisco is not working on providing support for anything that
uses 3DES on the 2500 platform. (they provide an image for IPSec, but only
for DES)

My advice as for taking a laptop to remote sites would be to have a second
hard drive with linux on it for the simple reason that you can get a _ton_
of security related tools, like ssh, for free.  You can also get nice
sniffer programs, network mgmt. tools, etc.  all free.  You don't even
really have to be a big linux head to be able to install and use most of the
popular linux versions such as RedHat, Suse, Caldera, etc.

Regards,
Kent
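
Added example (not part of Kent's message or any Cisco tool): a Python check of the kind Kent describes for the first connection, computing an OpenSSH-style SHA256 fingerprint of a host public key and comparing it with a fingerprint obtained out of band, e.g. from the console. The key bytes, hostname comment and expected value are all constructed for the example.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def parse_key_type(blob: bytes) -> str:
    """Read the key-type string at the start of an SSH public key blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_from_line(line: str) -> str:
    """Fingerprint a key written as '<type> <base64 blob> [comment]'."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    if parse_key_type(blob) != key_type:  # type field must match the blob
        raise ValueError("key type mismatch between field and blob")
    return fingerprint_sha256(blob)


def verify_first_connect(presented_line: str, expected_fp: str) -> bool:
    """Accept the server only if the key it presents has the fingerprint
    that was obtained out of band; anything else is refused."""
    return fingerprint_from_line(presented_line) == expected_fp


def build_line(pubkey: bytes, comment: str = "router1") -> str:
    """Build a constructed ssh-ed25519 public key line from raw key bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pubkey)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " " + comment


# Constructed sample: a fake 32-byte Ed25519 public key (not a real key).
SAMPLE_LINE = build_line(bytes(range(32)))
# Constructed "out-of-band" value, as an admin would have read it off the console.
EXPECTED_FP = fingerprint_sha256(base64.b64decode(SAMPLE_LINE.split()[1]))

if __name__ == "__main__":
    print("presented:", fingerprint_from_line(SAMPLE_LINE))
    print("accept real key:", verify_first_connect(SAMPLE_LINE, EXPECTED_FP))
    print("accept other key:", verify_first_connect(build_line(bytes(32)), EXPECTED_FP))
```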

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Neiberger
Sent: Saturday, February 16, 2002 10:55 AM
To: [EMAIL PROTECTED]
Subject: Re: RE: Slightly OT: SSH Poll [7:35505]


When I said that it was a pain, I meant that we'll have to
change some things operationally which, like most other
security measures, make things a little more difficult.  Just
minor issues, no big deal.  One example might be that if I go
to a remote site to do some work, I may not normally take a
laptop as I could simply telnet in from a workstation.  That
capability would go away.  Like I said, not a big deal at all.

It seems that the primary reason we might use SSH--and the
reason mentioned by auditors--is to avoid sending passwords in
the clear.  However, as someone else mentioned, the version of
SSH supported by Cisco sends passwords in the clear!  If that's
not the case, please let me know.

The other issue that I discovered after I made the original
post is that the 2500 series does not appear to support SSH and
we have mostly 2500s at our remote sites.  Again, if I'm
mistaken there please let me know.

Many thanks!

Regards,
John

http://neiby.home.attbi.com

---- On Sat, 16 Feb 2002, Kent Hundley
([EMAIL PROTECTED]) wrote:

> John,
>
> I _always_ recommend using ssh instead of telnet wherever possible.  In
> fact, I can't think of a single good reason not to use it for in-band
> management.  I'm not sure I understand what you mean by it being a pain
> since you change passwords often.  I don't see how using ssh is any more
> of a pain than using telnet, and it's certainly more secure.
>
> I have seen clients whose security policies dictated the use of ssh or,
> if that were not possible, use of 2-factor authorization such as securid.
> I suspect most organizations are moving to the use of ssh or have plans
> to do so if they are in the least bit security conscious.
>
> Regards,
> Kent
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> John Neiberger
> Sent: Friday, February 15, 2002 8:07 AM
> To: [EMAIL PROTECTED]
> Subject: Slightly OT: SSH Poll [7:35505]
>
>
> I'm wondering how many of you are involved in networks that use SSH
> exclusively for router access.  Since we're in the financial sector,
> external auditors continually suggest that this is necessary.  While
> it's probably not a bad idea, I personally feel it's more of a pain than
> it's worth, especially considering how often we change the passwords.
> But that's another matter altogether...
>
> So, are any of you using SSH exclusively in fairly large networks?  If
> so, has it been working well for you?
>
> Thanks,
> John
> [EMAIL PROTECTED]
>
>


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35904&t=35505
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html