At 09:46 AM 6/18/00 +0800, Julius C. Duque wrote:
>Hello all,
>
>Is it possible to configure a Cisco 2500 series to
>accept SSH protocol when accessing it remotely
>instead of telnet? Sometimes, I have to do some
>tweaking from my home by telnetting to my router.
Hi Julius,
An SSH 'server' is in IOS starting in 12.0(5)S (Service Provider train)
and 12.1(1)T (Feature train). This means that you can form SSH sessions
to the routers that have the code. You can find more information about
this here:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t1/sshv1.htm
This is the T documentation and the S is very similar. In the S train,
images that have the identifiers of -k3 and -k4 have the SSH server with
DES and 3DES respectively. This is limited to the 12000, 7500 and 7200.
In the T train, the images that are designated with -56i and -k2 have the
feature (DES and 3DES respectively) but some have not been tested so they
may not be supported by our Technical Assistance Center (TAC). The
documentation is somewhat outdated since I know that some of the 36x0
platforms have been tested and are supported. I'm not sure if the 2500
has been tested or is supported yet.
Keep in mind that this is SSH version 1 only. IOS doesn't support SSHv2.
I've respected that this mailing list has been a forum to fully discuss
security practices and their applicability to the real world. In keeping
with this, here's an excerpt from a document that I wrote a while ago that
was posted on CCO ( http://www.cisco.com ) when the feature was first
available in 12.0S. I would encourage you (and everyone else on the list)
to understand the cryptographic features provided by SSH if you choose to
deploy it. I would also encourage you to understand the Cisco
implementation. As the documentation states, TACACS+ and RADIUS
authentication -as well as locally defined usernames/passwords- can be
applied to authenticate any user attempting the SSH session, but RSA(user)
authentication is not supported. RSA(device) authentication is supported
as it is defined in the SSHv1 specification since that's the mechanism to
convey the shared encryption key.
---snip---
When fully and properly configured on Unix and Microsoft Windows
machines, SSH can provide strong authentication for hosts and users as
well as providing confidentiality and integrity. The implementation of
the SSH server functionality in IOS does not fully provide all of these
features. If these features are required for the operating environment,
or are required to meet an organizational security policy, then IPSec
should be employed as it does meet all of these qualifications.
This implementation of SSH in IOS does not allow for the storage of the
host keys of other machines. In this respect, this implementation of SSH
in IOS is similar to an open key acceptance policy of a network. This open key
acceptance policy does not provide strong host authentication that can
be configured in a network that is using a closed key acceptance policy.
Integrity can be provided between SSH clients and the IOS SSH server
since the encryption methods employed - DES and 3xDES - use the Cipher
Block Chaining (CBC) mode. This mode provides assurance that portions of
the packets of the session cannot be inserted, deleted or otherwise
manipulated while in transit between the server and the client.
Confidentiality can be provided through the use of the encryption
methods employed. While there are, at this time, no known cryptographic
weaknesses of either DES or 3xDES, both of these algorithms -as all
other cryptographic algorithms- can be broken through brute force
methods. Since, in this method, shorter keys can probably be broken much
quicker than longer keys, it is recommended 3xDES be used.
The full implementation of SSH provides for the use of a null algorithm
- no encryption. This is defined in SSH for testing purposes but it has
not been deployed in the IOS implementation of SSH. Other algorithms
that are found in SSH, such as IDEA and Blowfish, are also not
implemented in IOS.
---/snip---
Hope this helps,
Chris Lonvick
Cisco Systems
Consulting Engineering
Office of the CTO
+1.512.378.1182
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
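For readers who want to see what the configuration described above looks like on the box, here is a minimal IOS SSH-server setup as an added example; it is not part of Chris's post or of the Cisco documentation he links, and it follows the command set for the 12.1(1)T-era SSHv1 feature as this editor recalls it. The hostname, domain name, username, and the 192.0.2.0/24 management network are placeholders, and it assumes an image that carries the SSH server (a -k2 image for 3DES). The DES/3DES choice is made by the image you load and the client's cipher request, not by a configuration line.

```cisco
! Added example, not from the original post. Placeholders: r2500, example.net,
! admin, 192.0.2.0/24. Requires an IOS image with the SSH server (-56i for DES,
! -k2 for 3DES in the 12.1T train).
!
! The RSA host key is generated under hostname.domain-name, so both must be
! set before the key pair is created.
hostname r2500
ip domain-name example.net
!
! A locally defined username is used to authenticate the SSH session, since
! RSA (user) authentication is not supported by this implementation.
username admin password 0 ChangeMeNow
service password-encryption
!
! Generate the device RSA key pair. In this IOS release the command prompts
! for the modulus size interactively; the device key is what SSHv1 uses to
! convey the session key to the client.
crypto key generate rsa
!
! SSH negotiation timeout and number of authentication attempts per session.
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the management network may open the vty lines at all (placeholder
! network; adjust to your own).
access-list 10 permit 192.0.2.0 0.0.0.255
!
! Restrict the vty lines to SSH so telnet is no longer accepted, and
! authenticate against the local username database.
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
```

After the key pair exists, `show ip ssh` reports whether the server is enabled and `show ssh` lists active sessions; if `transport input ssh` is rejected, the image does not contain the SSH server. Since the IOS server does not keep a record of client keys, the `access-class` on the vty lines is the only network-level control on who may even attempt the password exchange, so it should not be omitted.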