Re: SSH3 stacking switches

From: Michael Zawrotny (zawrotny_at_jaguar.sb.fsu.edu)
Date: 10/10/03


Date: 10 Oct 2003 12:40:36 GMT

On 10 Oct 2003 03:13:26 -0700, Mik <Mik22001@hotmail.com> wrote:
>
> I have 3 switches stacked together (HP 41xx and 25xx), When I log onto
> the 41xx (commander) over SSH3 and then go to the 25xx (member) how
> secure is the line to the member? I understood that the secure line
> goes from my client to the IP of the commander switch, but what
> happens when the commander links to the member switch?
> Any hints would be very helpful thanks in advance.

This is kind of off-topic since it's a question about the channel
between the switches, rather than the ssh login to the stack
commander, but here goes anyway.

On the 25xx switches I have, when I log in to the master, then to one
of the members and then exit from the member, the master displays a
message "TELNET - MANAGER MODE". That would seem to imply that the
switches are using telnet between them. The "Management and
Configuration Guide" from HP also says (p. 9-45 on my copy) that to
use the CLI to access a member switch from the commander, type "telnet
<member_number>".

It's using plain old telnet, which is vulnerable to sniffing (it is
doubtful that the switch supports START_TLS option). There are some
mitigating factors in this scenario. The switches have to be in the
same broadcast domain, and the MAC addresses of the member and
commander are used to set up the stack in the first place. That might
make hijacking more difficult, but I wouldn't necessarily count on it.
Sniffing should still be possible.

I wouldn't use the stack management mode for anything I considered
particularly sensitive. If possible, I would give each switch its
own IP and ssh directly to it or walk over with a laptop and serial
cable to do sensitive operations.

Mike

-- 
Michael Zawrotny
Institute of Molecular Biophysics
Florida State University                | email:  zawrotny@sb.fsu.edu
Tallahassee, FL 32306-4380              | phone:  (850) 644-0069
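The post's point is that the commander-to-member hop is plain telnet, so a defender who wants to know whether that channel is actually in use can look for TCP/23 sessions between switch management addresses in flow records. The script below is an added example, not code from the post or from HP; the flow CSV format, the switch IP inventory and the sample records are all constructed here for illustration. It distinguishes a switch-to-switch telnet session (the stack hop described above) from an administrator telnetting to a switch directly, and ignores SSH and non-TCP traffic.

```python
"""Flag cleartext management sessions (telnet/http over TCP) to network
switches in flow records.

Added example: the flow format, the switch inventory and the sample
records are constructed for illustration, not taken from the post.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed inventory of switch management IPs (hypothetical values).
SWITCHES = {
    "10.0.0.1": "commander (41xx)",
    "10.0.0.2": "member (25xx)",
    "10.0.0.3": "member (25xx)",
}

# TCP management services that carry credentials and commands in the clear.
CLEARTEXT_MGMT_PORTS = {23: "telnet", 80: "http"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text: str) -> list[Flow]:
    """Parse 'ts,src,dst,dport,proto' CSV (a constructed format) into Flow records."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append(Flow(row["ts"], row["src"], row["dst"],
                          int(row["dport"]), row["proto"].lower()))
    return flows


def classify(flow: Flow) -> str | None:
    """Return a finding category for a cleartext management session, else None."""
    if flow.proto != "tcp" or flow.dport not in CLEARTEXT_MGMT_PORTS:
        return None
    if flow.dst not in SWITCHES:
        return None  # only traffic towards managed devices is of interest
    if flow.src in SWITCHES:
        # Switch-to-switch telnet: the commander hopping to a member, i.e. the
        # stack management channel the post describes as plain telnet.
        return "stack-hop-cleartext"
    # A workstation talking telnet/http straight to a switch.
    return "admin-cleartext"


def find_cleartext_management(flows: list[Flow]) -> list[dict]:
    """Collect findings for every flow that classify() marks as cleartext management."""
    findings = []
    for f in flows:
        cat = classify(f)
        if cat:
            findings.append({
                "ts": f.ts, "category": cat,
                "service": CLEARTEXT_MGMT_PORTS[f.dport],
                "src": f.src, "dst": f.dst, "dst_role": SWITCHES[f.dst],
            })
    return findings


# Constructed sample: one SSH login to the commander, one commander->member
# telnet hop, one direct SSH to a member, one direct telnet from a workstation,
# one UDP/23 record (not a telnet session), one telnet leaving a switch for a
# non-switch host (outside the inventory, so not reported).
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto
2003-10-10T12:40:01Z,192.168.5.20,10.0.0.1,22,tcp
2003-10-10T12:40:09Z,10.0.0.1,10.0.0.2,23,tcp
2003-10-10T12:41:30Z,192.168.5.20,10.0.0.3,22,tcp
2003-10-10T12:42:02Z,192.168.5.21,10.0.0.2,23,tcp
2003-10-10T12:43:15Z,192.168.5.22,10.0.0.3,23,udp
2003-10-10T12:44:40Z,10.0.0.2,192.168.5.50,23,tcp
"""


def report() -> list[dict]:
    """Run the check over the constructed sample and return the findings."""
    return find_cleartext_management(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for fnd in report():
        print(f"{fnd['ts']} {fnd['category']:22} {fnd['service']:6} "
              f"{fnd['src']} -> {fnd['dst']} ({fnd['dst_role']})")
```

On the constructed sample this reports two sessions: the commander-to-member telnet hop and the workstation's direct telnet to a member; the SSH logins are left alone. Pointing the same logic at real flow or Zeek conn records only requires adapting parse_flows() and filling SWITCHES with the actual management addresses.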

