Here is a great example of a secure router config http://www.cymru.com/Documents/secure-ios-template.html
As I see it, TACACS is the only way to go for router logins; I don't know why they would object to it. I don't see why they would object to ssh either. As far as I know ssh does not send clear text passwords: I used ssh and sniffed out all my packets and I did not see the password in clear text.

I object to ssh on the routers because the code releases that support ssh tend to be buggy. This is not directly related to ssh. The problem is that these images also support other features that have not been fully tested. I like to run service provider on all my routers; this is a stripped down image and does not have all the features that you may need. I don't use any but the basic features (BGP, CEF, ISL) and I run an IP only network, so it makes more sense for me to use that. In the end it is up to you what code you choose; the TAC can help you with that.

Some other people don't like the added cpu overhead ssh gives the routers. This really depends on what platform you are using and what the cpu usage is on the router. If the routers are really busy I have seen some cases where ssh will hinder troubleshooting.

Hope this helps.

-----Original Message-----
From: Charley Hamilton [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 4:28 PM
To: [EMAIL PROTECTED]
Subject: Re: Telnet Security Question for a Router.

> The Network Services Group is adamant that neither SSH or
> CISCO TACACS+ will work on a router to correct the security
> issue.

*blink blink*

As a relative newbie/ignorant, I am distressed to hear that ssh doesn't "correct the security issues" with regard to clear-text username/password travel. Doesn't ssh send *all* traffic (from login to logoff inclusive) encrypted? Granted, no encryption is perfect, but take a large key and it'll take a while to decrypt, no? If you don't want to have passwords traveling at all, use keypairs with passphrases, with the keys stored on encrypted removable media. (That's my strategy for my ssh/sftp servers.)
Is there something specific to routers that makes this solution inappropriate? Alternatively, is there some other problem with the routers that makes ssh an incomplete solution? Inquiring (newbie) minds want to know!

Charley

--
Charles Hamilton, PhD EIT
Faculty Fellow
Department of Civil and Environmental Engineering
University of California, Irvine
Phone: 949.824.3752
FAX: 949.824.2117
Email: [EMAIL PROTECTED]
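The setup the reply recommends (TACACS+ for router logins, SSH instead of telnet on the VTY lines) as an added Cisco IOS configuration example, shown beside the telnet-only setup the thread objects to; it is not taken from either message or from the Cymru template, and the hostname, domain, TACACS+ server address, management subnet and every key or password are constructed placeholders.

```cisco
! --- Weak (what the thread objects to): telnet-only VTY with one shared line password
line vty 0 4
 password LINE-PASSWORD-PLACEHOLDER
 login
 transport input telnet

! --- Hardened: SSH-only VTY, TACACS+ authentication/authorization/accounting,
! --- a local fallback account, a source ACL, an idle timeout and login logging.
! All names, addresses and keys below are constructed placeholders.
hostname rtr1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
service password-encryption
enable secret ENABLE-SECRET-PLACEHOLDER
!
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key TACACS-KEY-PLACEHOLDER
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Local account is consulted only when no TACACS+ server answers
username admin privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
!
! Send failed and successful logins to syslog so password guessing is visible
login on-failure log
login on-success log
!
! Only the management subnet may open a session; log anything else
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
 login authentication default
```

Keep a console session open while applying the AAA lines and verify a TACACS+ login on a second session before saving, since a wrong key locks remote access to the local fallback only.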