Umm, you type the password into the box, right?  The box stores that password 
in memory so that it can build a TACACS+ request packet to send to the server?  
Unless you are using SSH keys in lieu of passwords.

On Mon, Jan 08, 2018 at 05:16:01PM +0100, Sebastian Becker wrote:
> The password will not be seen on the box itself so no problem. The users are 
> TACACS+ authorized/authenticated.
> Most scenarios are much easier to accomplish by using the already granted 
> rights on the boxes per user than using these kinds of attack vectors opened 
> by Meltdown and Spectre.
> 
> Our boxes simply do not run other code than what is delivered by the 
> vendors.
> 
> -- 
> Sebastian Becker
> s...@lab.dtag.de
> 
> > On 08.01.2018 at 09:32, Thilo Bangert <thilo.bang...@gmail.com> wrote:
> > 
> > On 06-01-2018 at 19:49, Sebastian Becker wrote:
> >> Same here. Users that have access are implicitly trusted.
> > 
> > You do have individual user accounts on the equipment, right?
> > 
> > The idea of having secure individual logins goes down the drain with 
> > Meltdown and Spectre. You want to be sure that a person logged into a box 
> > cannot snoop the password of a co-worker.
> > 
> > Meltdown and Spectre are relevant on all affected computing equipment.
> > 
> > > So no need for panic.
> > 
> > The usefulness of panic has been degrading the past couple of thousand 
> > years ;-)
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
