[j-nsp] protect ssh and telnet

Saku Ytti saku at ytti.fi
Tue Apr 5 05:45:56 EDT 2016


On 5 April 2016 at 05:23, Phil Shafer <phil at juniper.net> wrote:

Hey Phil,

> Me, I don't even like allowing passwords.  JUNOS now supports the
> "system services ssh no-passwords" knob to force the use of ssh
> keys over text passwords.  And your radius server will happily serve
> ssh keys.  Force the move away from passwords.

I do generally agree with the notion of no passwords, but isn't RADIUS
cleartext, so a man-in-the-middle could send their own public keys and
then use their secret key to log in? So doesn't this rely on the
assumption that RADIUS is in a secure network with no possibility of a
man-in-the-middle? In which case telnet would be equally safe?

Another thing that grinds my gears (not JNPR specific) is that because
the router's own secret key is not in the config, it changes when our
control planes break down and we switch them. This makes it standard
practice for the vast majority of the network to just ignore key
changes completely, which in turn again makes SSH pretty much as good
as telnet. I wish we could make the compromise and have secret keys
stored in the config, so that they would survive RE changes.
People who already have some way of handling this situation securely
wouldn't need to enable this, but people who now just blindly delete
and trust any host keys could turn this on and start verifying keys,
having much better security than just ignoring them. (How many who run
RANCID, Oxidized or equivalent let them fail on key failures?)

-- 
  ++ytti
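A worked example of the compromise Saku describes, added here and not code from the thread, from Juniper, or from RANCID/Oxidized: a small known_hosts checker that a config-backup job could run so that a changed router host key fails the job unless the new fingerprint was recorded out of band (assumed, for the example, to have been taken over the console after the RE swap). The hostnames, the ed25519 key blobs and the hashed known_hosts line are constructed for the demonstration; the parsing, HMAC-SHA1 hashed-host matching and SHA256 fingerprints follow the OpenSSH formats.

```python
"""
Pin router SSH host keys instead of blindly trusting whatever key a device
presents after a routing-engine swap.  Added example for this thread; it is
not Juniper, RANCID or Oxidized code.  Hostnames and keys are constructed.
"""
import base64
import hashlib
import hmac
import struct
from typing import Set, Tuple


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob_b64(raw32: bytes) -> str:
    """Base64 key blob as stored in known_hosts: string "ssh-ed25519" + string key."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw32)).decode()


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_entry(host: str, salt: bytes) -> str:
    """Build the '|1|salt|hmac' hostname field OpenSSH writes with HashKnownHosts."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field: str, host: str) -> bool:
    """True if a known_hosts hostname field (plain list or hashed) names `host`."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in host_field.split(",")


def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'match', 'changed' or 'unknown' for the key a host presents."""
    seen_host = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if not host_matches(fields[0], host):
            continue
        seen_host = True
        if fields[1] == key_type and fields[2] == key_b64:
            return "match"
    return "changed" if seen_host else "unknown"


def connect_decision(known_hosts: str, host: str, key_type: str, key_b64: str,
                     approved: Set[str]) -> Tuple[bool, str]:
    """
    Policy a backup job can apply instead of ignoring key changes: a key that
    matches known_hosts is fine; any other key is accepted only if its
    fingerprint was recorded out of band (assumed: read over the console after
    the RE swap); everything else is refused loudly rather than TOFU'd.
    """
    status = check_host_key(known_hosts, host, key_type, key_b64)
    fp = fingerprint(key_b64)
    if status == "match":
        return True, "%s: host key matches known_hosts (%s)" % (host, fp)
    if fp in approved:
        return True, "%s: %s key %s is on the out-of-band allowlist; pin it" % (host, status, fp)
    return False, "%s: %s key %s is not pinned; refusing (MITM or unapproved RE swap?)" % (host, status, fp)


# Constructed data: two routing engines, each with its own host key.
KEY_RE0 = ed25519_blob_b64(bytes([0x11]) * 32)   # key of the RE currently in service
KEY_RE1 = ed25519_blob_b64(bytes([0x22]) * 32)   # key the backup RE presents after switchover
SALT = bytes(range(20))                           # fixed salt so the hashed line is reproducible

KNOWN_HOSTS = "\n".join([
    "# pinned router host keys (constructed)",
    "rtr1.example.net,10.0.0.1 ssh-ed25519 " + KEY_RE0,
    hashed_host_entry("rtr2.example.net", SALT) + " ssh-ed25519 " + KEY_RE0,
])


if __name__ == "__main__":
    for host, key, approved in [
        ("rtr1.example.net", KEY_RE0, set()),                  # normal day
        ("rtr1.example.net", KEY_RE1, set()),                  # RE swapped, new key never recorded
        ("rtr1.example.net", KEY_RE1, {fingerprint(KEY_RE1)}), # RE swapped, new key approved
        ("rtr2.example.net", KEY_RE0, set()),                  # hashed known_hosts line matches
        ("rtr3.example.net", KEY_RE0, set()),                  # never seen: do not trust silently
    ]:
        ok, why = connect_decision(KNOWN_HOSTS, host, "ssh-ed25519", key, approved)
        print("CONNECT" if ok else "REFUSE ", why)
```

The point of the allowlist is that a key change after a control-plane swap becomes a deliberate, recorded event rather than something the backup job deletes from known_hosts and forgets; with nothing on the allowlist the job fails, which is the behaviour you want if the change was in fact an interposed host.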
