Re: On SSH ports
Hi Eliot,
At 01:52 PM 2/5/2004 -0500, Eliot Lear wrote:
Egads... I could argue either side of the port issue for SSH. On the
one hand, its primary use in NETWORK devices today is configuration, and
so since the primary use isn't really changing, the port doesn't need to
and shouldn't change.
On the other hand, if the primary use becomes something OTHER than network
configuration (and there might be a good argument for this), then we
should get this right the first time and use a different port.
Do I have the parameters of the decision about right?
This is certainly how I would think of it. I think that operators who want
to manage their networking equipment remotely have SSH access to the CLI
enabled today, so I don't see how adding a netconf subsystem to that same
SSH server fundamentally changes the security picture. In many ways,
NETCONF/SSH could be viewed as a more computer-friendly way to access the
CLI. The current CLI will probably remain as a more human-friendly
interface.
So, what do we gain by specifying that NETCONF/SSH should run over
a different port?
BTW, I just checked a couple of SSH clients, and they both include a
-p option to set the server port. So, changing the port would be
consistent with existing clients, if we choose to do that.
Eliot
--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>