11-22-2016 09:06 AM - edited 02-21-2020 05:57 AM
Hi there,
Thanks for reading.
I’m the new admin at my organization (it’s a big, world-wide org). I’m fighting the entrenched senior leadership about telnet and ssh. We have a few devices with telnet-only enabled. The devices I’ve discovered are access layer in the center of a site known for rogue IT and rogue users! Of course, telnet has to go, right?
I’ve encountered major, unexpected pushback. The argument is ease over security. I’m at the CCNA level. They’re at NP or IE level. Their talking points are:
My only idea to “meet” this ‘requirement’: line vty 0 14 transport input ssh; line vty 15 transport telnet.
I assume even that would fail: a session requesting telnet would go straight to line 15?
Thanks again!
Bob
11-22-2016 04:28 PM
I agree with everything that Leo said. I would try to dig a bit deeper and figure out the exact reasons behind this. If no good reasons are provided then your peers are just being lazy :)
Leaving telnet enabled is a bad idea. Mgmt traffic can be captured and credentials extracted. This can be a huge issue especially if OOB is not used.
Also, leaving telnet enabled will lead to failures in all sorts of audits and assessments. I don't know which organization you work for but if it is a big/world-wide one then I would not be surprised if you are failing several compliance/legal requirements.
You can leave line 15 with telnet but in order for that to work you will need to use "rotaries" and tie a specific port to that vty line. For more info take a look at this link:
http://www.packetu.com/2012/08/09/using-an-alternate-telnet-port-in-cisco-ios/
I hope this helps!
Thank you for rating helpful posts!
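As an added example (not code from this thread, from Cisco, or from the linked packetu article): a small Python audit that parses an IOS-style running config, reports which vty ranges still accept telnet, and shows the layout the accepted answer describes (vty 0-14 SSH only, vty 15 telnet reachable only via a rotary group). The two config snippets are constructed samples, not anyone's real device; the assumption that rotary group N answers telnet on TCP port 3000+N is the usual IOS rotary behaviour and should be verified on your platform.

```python
"""Audit Cisco IOS-style running-config text for vty lines that still accept telnet."""
import re

# Constructed sample: the layout recommended in the thread (vty 0-14 SSH only,
# vty 15 telnet via rotary 1). Not taken from any real device.
HARDENED_CONFIG = """\
hostname access-sw-01
!
line con 0
 logging synchronous
line vty 0 14
 transport input ssh
 exec-timeout 10 0
line vty 15
 rotary 1
 transport input telnet
 exec-timeout 10 0
!
end
"""

# Constructed sample: the weak "leave both on" setting the OP is being pushed toward.
WEAK_CONFIG = """\
hostname access-sw-02
!
line vty 0 4
 transport input all
line vty 5 15
 transport input telnet ssh
!
end
"""

LINE_RE = re.compile(r"^line (con|aux|vty) (\d+)(?: (\d+))?$")


def parse_line_blocks(config):
    """Return one dict per 'line ...' block with its transport and rotary settings."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.startswith(" "):           # top-level command: start or end a block
            m = LINE_RE.match(raw.rstrip())
            if m:
                kind, first, last = m.group(1), int(m.group(2)), m.group(3)
                current = {"type": kind, "first": first,
                           "last": int(last) if last else first,
                           "transport": None, "rotary": None}
                blocks.append(current)
            else:
                current = None
            continue
        if current is None:
            continue
        cmd = raw.strip().split()
        if cmd[:2] == ["transport", "input"]:
            current["transport"] = cmd[2:]
        elif cmd[:1] == ["rotary"]:
            current["rotary"] = int(cmd[1])
    return blocks


def telnet_exposure(config):
    """Classify every vty range; a block with no explicit 'transport input' is
    reported as 'unspecified' because the IOS default varies by platform/version."""
    findings = []
    for b in parse_line_blocks(config):
        if b["type"] != "vty":
            continue
        t = b["transport"]
        if t is None:
            verdict = "unspecified"
        elif "none" in t:
            verdict = "no-remote-access"
        elif "telnet" in t or "all" in t:
            verdict = "telnet"
        else:
            verdict = "ssh-only" if t == ["ssh"] else "other"
        port = None
        if verdict == "telnet":
            # Assumption: a rotary group N takes telnet on TCP 3000+N instead of 23.
            port = 3000 + b["rotary"] if b["rotary"] else 23
        findings.append({"range": (b["first"], b["last"]), "verdict": verdict,
                         "rotary": b["rotary"], "port": port})
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name)
        for f in telnet_exposure(cfg):
            print("  vty %d-%d: %s (port %s)" % (*f["range"], f["verdict"], f["port"]))
```

Run it against `show running-config` output saved to a file; any vty range reported as `telnet` on port 23 is the plain-text exposure the replies warn about, while a `telnet` finding on a rotary port is the narrower fallback the accepted answer describes and still deserves an ACL and an audit note.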
11-22-2016 12:30 PM
SSH overhead – Can’t reach a device experiencing 99% CPU usage, telnet can
Bull$hit! If the CPU is at 99%, not even console works. Ask them to prove it. I have 15.0(2)SE3 which can send CPU up to 100%.
Next, HOW OFTEN does an appliance get loaded with a buggy IOS that sends CPU up to 99%? IF there is one right now in the network, then it's not a telnet vs SSH issue but rather a reluctance-to-do-anything attitude.
Finally, going from telnet to SSH requires the appliance to load Crypto software image. Question: Does anyone actually know how to upgrade the appliance? (You don't want to know the answer to this question.)
11-22-2016 12:49 PM
They want to keep both telnet & ssh enabled and (somehow) force admins to use SSH while leaving telnet as a backdoor / backup
A lot of new Cisco models now sport a Management port. This is now the new method of OoBM.
11-23-2016 09:44 AM
Hi guys,
Thanks for writing. The rotary solution looks like it might fit. I am stunned by the militant pushback I'm getting. I was expecting red-faced agreement!
Anyway, thanks again for your input!