nanog mailing list archives
Re: secure router access
From: Curtis Villamizar <curtis () brookfield ans net>
Date: Wed, 27 May 1998 22:53:47 -0400
In message <199805150421.AAA07966 () jekyll piermont com>, "Perry E. Metzger" writes:

> Michael Dillon writes:
> > On Fri, 15 May 1998, Dean Anderson wrote:
> > > If you were using ssh for secure access then the answer would be to find a
> > > It is just as easy to download a kerberized version of NCSA telnet or
> > > NiftyTelnet, for the mac or pc.
> > No it's not. I gave a URL for the Mac and Windows ssh clients; you didn't.
>
> URL or no, I've played with both kerberized NCSA telnet and SSH -- anyone
> who claims that setting up and maintaining a KDC is as easy as the "point
> and shoot" rlogin replacement portion of SSH hasn't really tried both
> possibilities. SSH is far simpler -- it's almost foolproof, and it requires
> no infrastructure commitment to run.
>
> Perry
A medium to large ISP typically has a few hundred employees with access to a few hundred to a few thousand routers and somewhere around a few hundred workstations. (There may be a thousand or more employees, but accounting, etc, don't have access to the routers and development and NMS machines). SSH is easy to set up on your home Linux or BSD box, but that isn't the overriding factor when considering which is better for an ISP.

Consider what an ISP has to go through when an employee leaves and their access to company systems must be terminated. With Kerberos someone goes to the KDC and sets the expiration on their Kerberos principal to the current minute or changes their Kerberos password or both. In a few minutes their access to all systems is gone. Even if they had admin access to the KDC, you can change the KDC and admin passwords and rebuild the KDC and any secondaries in well under an hour. You may have to do a "ksrvutil change" on cron service tab files they had read access to (these should be few).

With ssh, the ssh key identity can't be revoked. Instead you need to find all .slogin files for all the accounts on all the machines and routers and make sure they aren't listed under an assigned name or a pseudonym they chose and didn't tell you about (an impossible task), plus ensure that any machine (like their home machine) that they have access to doesn't appear in any .shosts files.

Given 1,000 machines (for example), which sounds harder to do? Is the turnover rate for NOC staff negligible or fairly constant?

Curtis
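The search the message above describes, as an added example that is not part of the original post or the NANOG archive: a POSIX shell script that audits a tree of home directories gathered from the fleet (hypothetical layout, one subdirectory per host) for every authorized_keys entry carrying a departed user's key material and every .shosts/.rhosts line that trusts a given host. It compares the base64 key body rather than the trailing comment, because the comment is exactly the "pseudonym they chose" and cannot be relied on; it handles both the SSH1 "bits exponent modulus" form and the ssh-*/ecdsa-*/sk-* forms, and it reports "+" wildcard host entries as well. All hosts, paths and key bodies are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original message): audit collected home
# directories for a departed user's SSH key and for trusted hosts.
# Assumes the homes have been gathered under one root, one subdirectory
# per host (hypothetical layout); run it against the copy or wrap it in
# an ssh loop over the live fleet.

# find_key ROOT KEYBODY
# Print file:line for every authorized_keys(2) line whose key material
# equals KEYBODY. Only the key body is compared, never the comment, since
# the key owner picks the comment. Leading options (command="...") and the
# SSH1 "bits exponent modulus comment" form are both handled.
find_key() {
    root=$1; keybody=$2
    find "$root" -path '*/.ssh/*' -type f \
        \( -name authorized_keys -o -name authorized_keys2 \) 2>/dev/null |
    while IFS= read -r f; do
        awk -v kb="$keybody" -v f="$f" '
            $1 ~ /^#/ || NF == 0 { next }
            {
                body = ""
                if ($1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/)
                    body = $3                      # SSH1: bits exp modulus
                else
                    for (i = 1; i < NF; i++)
                        if ($i ~ /^(ssh-|ecdsa-|sk-)/) { body = $(i + 1); break }
                if (body == kb) print f ":" NR
            }' "$f"
    done
}

# find_host_trust ROOT HOST
# Print file:line for every .shosts/.rhosts entry naming HOST (first field,
# compared case-insensitively since DNS names are). A "+" wildcard entry
# is reported too, because it trusts every host including HOST.
find_host_trust() {
    root=$1; host=$2
    find "$root" -type f \( -name .shosts -o -name .rhosts \) 2>/dev/null |
    while IFS= read -r f; do
        awk -v h="$host" -v f="$f" '
            $1 ~ /^#/ || NF == 0 { next }
            tolower($1) == tolower(h) || $1 == "+" { print f ":" NR }
        ' "$f"
    done
}

# count_hits: number of lines on stdin, for callers that only need a count.
count_hits() { awk 'END { print NR }'; }

# make_sample ROOT: constructed sample data, not real hosts or keys.
make_sample() {
    root=$1
    mkdir -p "$root/rtr-mgmt1/home/jdoe/.ssh" \
             "$root/nms2/home/ops/.ssh" \
             "$root/noc3/home/ops"
    # departing user's key under their own account, with their own comment
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEPARTED jdoe@laptop\n' \
        > "$root/rtr-mgmt1/home/jdoe/.ssh/authorized_keys"
    # the same key material under a shared account, with a forced command
    # and an unrelated comment: a search by name would miss this one
    printf 'command="/usr/local/bin/backup" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEPARTED backup-job\n' \
        > "$root/nms2/home/ops/.ssh/authorized_keys"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCSTAYING other@box\n' \
        >> "$root/nms2/home/ops/.ssh/authorized_keys"
    # host-based trust for the departed user's home machine
    printf '# trusted hosts\njdoe-home.example.net jdoe\nnoc1.example.net\n' \
        > "$root/noc3/home/ops/.shosts"
}

# demo: build the sample tree, audit it, clean up.
demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp"
    echo "authorized_keys entries carrying the departed key:"
    find_key "$tmp" AAAAB3NzaC1yc2EAAAADAQABAAABAQDEPARTED
    echo "host-trust entries for the departed user's machine:"
    find_host_trust "$tmp" JDOE-HOME.EXAMPLE.NET
    rm -rf "$tmp"
}
demo
```

The script only covers what lives under home directories; an sshd configured with a non-default AuthorizedKeysFile, keys pasted into router configurations, and keys on the departed user's own machines are outside its reach and need their own sweep, which is the gap the message is pointing at.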