RE: IT security people sleep well

2004-06-08 Thread Jason Frisvold
On Mon, 2004-06-07 at 23:06, Edward B. Dreger wrote: > Dynamic linking might be cheating. Static linking might be > pessimistic. Probably best to compare BSD "crunchgen" images > with and without ssh/sshd. (2MB total for statically-linked ssh > and sshd as I compile it.) Ooops.. forgot that bit

Re: IT security people sleep well

2004-06-08 Thread Henning Brauer
* Stephen Sprunk <[EMAIL PROTECTED]> [2004-06-08 13:05]: > Thus spake "Henning Brauer" <[EMAIL PROTECTED]> > > You lose nothing with using ssh instead of telnet. > > You win a lot. > You lose money and time because you have to license more expensive code, > upgrade RAM and flash to handle larger

Re: IT security people sleep well

2004-06-07 Thread Suresh Ramasubramanian
Adrian Chadd wrote: A friend of mine here at uni wrote a much, much smaller sshd replacement he calls "dropbear". It's much, much smaller than sshd. Much smaller. http://matt.ucc.asn.au/dropbear/dropbear.html I think it's very very cute. Perhaps some vendors with small memory footprints would conside

Re: IT security people sleep well

2004-06-07 Thread Valdis . Kletnieks
On Mon, 07 Jun 2004 20:15:49 PDT, Randy Bush said: > do you trust YOURSELF not to? of course, i have never made such > a mistake [sounds of flying pigs from stage roof]. I'd like to plead the 5th on the grounds that it took me 3 hours to realize it was the Foundry switch that was misconfigured,

Re: IT security people sleep well

2004-06-07 Thread Adrian Chadd
On Tue, Jun 08, 2004, Edward B. Dreger wrote: > > JF> Date: Mon, 7 Jun 2004 22:31:59 -0400 > JF> From: Jason Frisvold > > JF> I don't see why they can't roll it into every ios that runs > JF> on a router capable of ssh. Ssh and sshd on my linux system > JF> barely break 500k compiled... And the

Re: IT security people sleep well

2004-06-07 Thread Randy Bush
> Do you trust every person you work with to not maliciously snarf > packets *and* to not accidentally route all those cleartext > packets out the wrong interface at the wrong time? do you trust YOURSELF not to? of course, i have never made such a mistake [sounds of flying pigs from stage roof].

RE: IT security people sleep well

2004-06-07 Thread Michel Py
> [EMAIL PROTECTED] wrote: > OK.. Say you can get it into the code train for 200K. What do > you do with all those routers that have only 100K or 125K of > space left in the flash (if that), and the flash is NOT going > to get any bigger without massive abuse of a soldering iron Being one of thes

Re: IT security people sleep well

2004-06-07 Thread Valdis . Kletnieks
On Mon, 07 Jun 2004 22:40:19 EDT, Jason Frisvold <[EMAIL PROTECTED]> said: > Do you trust every person you work with? Are your internal networks > completely segmented (including the ethernet switches?) And there's different kinds of trust too.. I've got a co-worker who I totally trust not to

RE: IT security people sleep well

2004-06-07 Thread Edward B. Dreger
JF> Date: Mon, 7 Jun 2004 22:31:59 -0400 JF> From: Jason Frisvold JF> I don't see why they can't roll it into every ios that runs JF> on a router capable of ssh. Ssh and sshd on my linux system JF> barely break 500k compiled... And there's a TON of JF> functionality in there that isn't required

Re: IT security people sleep well

2004-06-07 Thread Valdis . Kletnieks
On Mon, 07 Jun 2004 22:52:43 EDT, Jason Frisvold said: > But, if ssh were added to all IOS's, it would greatly reduce the number > of routers that could *not* include SSH due to flash limitations... It would however increase the number of routers that can't go to IOS 12.foo because of flash limit

RE: IT security people sleep well

2004-06-07 Thread Jason Frisvold
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > OK.. Say you can get it into the code train for 200K. What > do you do with all > those routers that have only 100K or 125K of space left in > the flash (if that), > and the flash is NOT going to get any bigger

Re: IT security people sleep well

2004-06-07 Thread Valdis . Kletnieks
On Mon, 07 Jun 2004 22:31:59 EDT, Jason Frisvold <[EMAIL PROTECTED]> said: > I don't see why they can't roll it into every ios that runs on a router > capable of ssh. Ssh and sshd on my linux system barely break 500k > compiled... And there's a TON of functionality in there that isn't > required

RE: IT security people sleep well

2004-06-07 Thread Jason Frisvold
> -Original Message- > From: Robert Boyle [mailto:[EMAIL PROTECTED] > > Agreed. I really truly don't see the problem with plaintext telnet > management of routers. We have access-lists on vty 0 15 > specifying which > networks can even connect. We can't connect except for from a truste

RE: IT security people sleep well

2004-06-07 Thread Jason Frisvold
> -Original Message- > From: Edward B. Dreger [mailto:[EMAIL PROTECTED] > > Correct. One must shell out more money for a bigger feature set > to obtain SSH. I don't recall specifics off the top of my head, > and don't have a javascript-cable machine handy to use Feature > Navigator[*],

Re: IT security people sleep well

2004-06-07 Thread Valdis . Kletnieks
On Mon, 07 Jun 2004 20:46:36 CDT, Stephen Sprunk said: > In spite of all that, I do encourage using SSH whenever possible, but > believing there is no cost associated with doing so is foolhardy. Depending > on the perceived level of threat, one might consider other security projects > to be a hig

Re: IT security people sleep well

2004-06-07 Thread Stephen Sprunk
Thus spake "Henning Brauer" <[EMAIL PROTECTED]> > * Robert Boyle <[EMAIL PROTECTED]> [2004-06-07 14:08]: > > I really truly don't see the problem with plaintext telnet > > management of routers. > > It is exactly this belief in the security of your networks that gets > this industry in so deep shi

Re: IT security people sleep well

2004-06-07 Thread Stephen Sprunk
Thus spake "Priscilla Oppenheimer" <[EMAIL PROTECTED]> > It's egregious that SSH isn't standard in all IOS images, especially > when you consider that choosing the right image is almost an > NP-complete problem even with feature navigator! :-) There are plenty of folks at Vendor C that would love

Re: IT security people sleep well

2004-06-07 Thread Henning Brauer
* Robert Boyle <[EMAIL PROTECTED]> [2004-06-07 21:40]: > which is why I am > against running ssh AND leaving it open to the world the only one who talks about that is you. > >You lose nothing with using ssh instead of telnet. > >You win a lot. > I agree 100%. However, is that worth $x thousand

Re: IT security people sleep well

2004-06-07 Thread Robert Boyle
At 12:11 PM 6/7/2004, you wrote: ever heard of multilayer security? Absolutely and I am a huge believer in it and all of our systems and our network is designed with many layers of protection... which is why I am against running ssh AND leaving it open to the world since that leaves only a singl

RE: IT security people sleep well

2004-06-07 Thread Dan Hollis
On Mon, 7 Jun 2004, Michel Py wrote: > > Henning Brauer wrote: > > not seeing the problem with cleartext telnet for remote > > logins in 2004, whether ACL'd or not, is just ... oh man, > > I don't have words for this. > I have: I encourage my competitors to do it. Now you see the motivation behind

Re: IT security people sleep well

2004-06-07 Thread Priscilla Oppenheimer
On Jun 6, 2004, at 5:38 PM, Daniel Senie wrote: At 12:50 AM 6/6/2004, Paul Jakma wrote: On Sat, 5 Jun 2004, Mike Lewinski wrote: And that provides protection against MITM attacks how? kerberised telnet can be encrypted (typically DES - sufficient to guard MITM). Am I the only one who really likes

RE: IT security people sleep well

2004-06-07 Thread Michel Py
> Henning Brauer wrote: > not seeing the problem with cleartext telnet for remote > logins in 2004, whether ACL'd or not, is just ... oh man, > I don't have words for this. I have: I encourage my competitors to do it. Michel.

Re: IT security people sleep well

2004-06-07 Thread Henning Brauer
* Robert Boyle <[EMAIL PROTECTED]> [2004-06-07 14:08]: > I really truly don't see the problem with plaintext telnet > management of routers. It is exactly this belief in the security of your networks that gets this industry in so deep shit. ever heard of multilayer security? some little proble

Re: IT security people sleep well

2004-06-07 Thread Rafi Sadowsky
## On 2004-06-07 10:29 -0400 Daniel Corbe typed: DC> DC> DC> You have to have an IOS image with the 3DES feature set to run ssh Not quite: single DES will do fine (if you use an SSH client that supports it) -- Rafi DC> DC> Edward B. Dreger wrote: DC> DC> >DS> Date: Thu, 03 Jun

Re: IT security people sleep well

2004-06-07 Thread Valdis . Kletnieks
On Sun, 06 Jun 2004 18:14:39 CDT, Stephen Sprunk said: > When I read that, I immediately thought of a quote by Colin Powell: > > "I sleep like a baby, too. Every two hours I wake up screaming!" Just as an aside, I first remember seeing this quote in a Computerworld article in the '80s, regardin

Re: IT security people sleep well

2004-06-07 Thread Daniel Corbe
You have to have an IOS image with the 3DES feature set to run ssh Edward B. Dreger wrote: DS> Date: Thu, 03 Jun 2004 17:56:55 -0400 DS> From: Daniel Senie DS> Cisco 26xx, 36xx routers at least, current 12.3 IOS, no ssh DS> support in the basic loads that I can find. Telnet is the DS> only way in

Re: IT security people sleep well

2004-06-06 Thread Robert Boyle
At 07:14 PM 6/6/2004, you wrote: On the SSH/SSL front: IMHO these technologies give a false sense of security. Sniffing cleartext management sessions is a concern, yes, but actual incidents where it occurs, especially within your own network infrastructure, are vanishingly rare compared to the com

Re: IT security people sleep well

2004-06-06 Thread Daniel Senie
At 12:50 AM 6/6/2004, Paul Jakma wrote: On Sat, 5 Jun 2004, Mike Lewinski wrote: And that provides protection against MITM attacks how? kerberised telnet can be encrypted (typically DES - sufficient to guard MITM). Am I the only one who really likes devices to handle their own login authentication

Re: IT security people sleep well

2004-06-06 Thread Stephen Sprunk
Thus spake "Sean Donelan" <[EMAIL PROTECTED]> > Two issues tied as being of prime concern to those network administrators > surveyed: 32% responded that they worry most about "the next virus/worm" > and an equal percentage answered they worry most about "a security breach > to the enterprise's net

Re: IT security people sleep well

2004-06-06 Thread Paul Jakma
On Sun, 6 Jun 2004, Henning Brauer wrote: this is not nearly the same league as (proper) ssh. It's quite sufficient for protecting one's routers. Also the "authentication" itself is (should be) Triple-DES protected. The DES encryption for the data exchange isn't enough to guard sensitive data, how

Re: IT security people sleep well

2004-06-06 Thread Henning Brauer
* Paul Jakma <[EMAIL PROTECTED]> [2004-06-06 09:03]: > On Sat, 5 Jun 2004, Mike Lewinski wrote: > >And that provides protection against MITM attacks how? > kerberised telnet can be encrypted (typically DES - sufficient to > guard MITM). this is not nearly the same league as (proper) ssh. compla

Re: IT security people sleep well

2004-06-05 Thread Paul Jakma
On Sat, 5 Jun 2004, Mike Lewinski wrote: And that provides protection against MITM attacks how? kerberised telnet can be encrypted (typically DES - sufficient to guard MITM). regards, -- Paul Jakma [EMAIL PROTECTED] [EMAIL PROTECTED] Key ID: 64A2FF6A warning: do not ever

Re: IT security people sleep well

2004-06-05 Thread Mike Lewinski
Paul Jakma wrote: What's really scary is that the people here complaining about a certain vendor charging extra for SSH and hence forcing them to use "insecure" telnet haven't the cop-on to read that vendor's "AAA" documentation and realise that the base feature set _already_ includes capability t

Re: IT security people sleep well

2004-06-05 Thread Paul Jakma
On Thu, 3 Jun 2004, Eric Kuhnke wrote: The part about Telnet is truly scary... What's really scary is that the people here complaining about a certain vendor charging extra for SSH and hence forcing them to use "insecure" telnet haven't the cop-on to read that vendor's "AAA" documentation and real

Re: IT security people sleep well

2004-06-04 Thread Joel Jaeggli
On Thu, 3 Jun 2004, Jonathan Nichols wrote: > > > > > > I've been reasonably pleased with using the Idokorro client. It's at > > http://www.idokorro.com It uses SSH2 w/3DES & AES. It's useful for > > emergencies, but nothing of great detail or scope for the screen > > size on my 6820. > >

Re: IT security people sleep well

2004-06-04 Thread Edward B. Dreger
JS> Date: Thu, 3 Jun 2004 14:26:01 -0700 JS> From: Jeff Shultz JS> I wonder if they asked the people using Telnet if they were JS> using over the internet - or inside a corporate intranet, JS> shielded from the outside? Good to know that malicious things are always on the other side of the rout

Re: IT security people sleep well

2004-06-04 Thread Edward B. Dreger
DS> Date: Thu, 03 Jun 2004 17:56:55 -0400 DS> From: Daniel Senie DS> Cisco 26xx, 36xx routers at least, current 12.3 IOS, no ssh DS> support in the basic loads that I can find. Telnet is the DS> only way in other than the console port. Correct. One must shell out more money for a bigger featur

Re: IT security people sleep well

2004-06-03 Thread Alexei Roudnev
This is very bad - they have SSH in extended versions, why did they not include it in all versions where it was possible without running out of flash memory. Though, it is not so unsecured - in most cases people restrict access to a few IP sources, which are located on the internal network,

Re: IT security people sleep well

2004-06-03 Thread John Kinsella
I like my Tungsten C, but I don't do security-stupid things with it. :) Another neat trick, for those who haven't seen - Intel has maps.yahoo.com set up so it'll show you where a lot of the hotspots are - here's a map of downtown SF as an example: http://tinyurl.com/36s5y John On Thu, Jun 03, 20

Re: IT security people sleep well

2004-06-03 Thread Jonathan Nichols
I've been reasonably pleased with using the Idokorro client. It's at http://www.idokorro.com It uses SSH2 w/3DES & AES. It's useful for emergencies, but nothing of great detail or scope for the screen size on my 6820. -John Wow. $195 for the Blackberry client? I'll carry around the PowerBook

RE: IT security people sleep well

2004-06-03 Thread John Ferriby
> I've heard there's an SSH2 client for the Treo. > Ah, here it is: http://sealiesoftware.com/pssh/ > > The Danger Sidekick can do SSH2 with "Terminal Monkey" which was free up > until recently. :) It's fun, but kind of hard to get any real work done > with the tiny screen. I've been reasonabl

Re: IT security people sleep well

2004-06-03 Thread Jonathan Nichols
The part about Telnet is truly scary... Among people who have "clue", the biggest reason I have heard to continue running ssh1 is for emergency access via hand-held smartphones or other pocket sized devices. The Handspring Treo 180 and similar keyboarded cellphone-pda devices don't have the

Re: IT security people sleep well

2004-06-03 Thread Daniel Senie
On Thu, 03 Jun 2004 13:16:44 PDT, Eric Kuhnke <[EMAIL PROTECTED]> said: > The part about Telnet is truly scary... Among people who have "clue", > the biggest reason I have heard to continue running ssh1 is for > emergency access via hand-held smartphones or other pocket sized > devices. The Ha

Re: IT security people sleep well

2004-06-03 Thread Jeff Shultz
** Reply to message from Eric Kuhnke <[EMAIL PROTECTED]> on Thu, 03 Jun 2004 13:16:44 -0700 > > The part about Telnet is truly scary... Among people who have "clue", > the biggest reason I have heard to continue running ssh1 is for > emergency access via hand-held smartphones or other pocket

Re: IT security people sleep well

2004-06-03 Thread Valdis . Kletnieks
On Thu, 03 Jun 2004 13:16:44 PDT, Eric Kuhnke <[EMAIL PROTECTED]> said: > The part about Telnet is truly scary... Among people who have "clue", > the biggest reason I have heard to continue running ssh1 is for > emergency access via hand-held smartphones or other pocket sized > devices. The

Re: IT security people sleep well

2004-06-03 Thread Eric Kuhnke
I liked this quote, About 43% of respondents said they're using the Secure Shell (SSH) protocol to protect data, secure remote access, and perform network management. But while the current SSH2 is considered to be significantly more secure, nearly 45% said they are continuing to mostly u

Re: IT security people sleep well

2004-06-03 Thread Mike Lewinski
Crist Clark wrote: Anyone from the real world knows that there are real and significant costs to convert an existing infrastructure with telnet, the r-protocols, ftp, and all of their unencrypted, unauthenticated friends to SSH and SSL secured connections. Yeah, maybe the software licencing costs

Re: IT security people sleep well

2004-06-03 Thread Crist Clark
Sean Donelan wrote: Survey: Despite dangers, IT personnel sleep well By Bill Brenner, News Writer 27 May 2004 | SearchSecurity.com I liked this quote, About 43% of respondents said they're using the Secure Shell (SSH) protocol to protect data, secure remote access, and perform network managem