| > What protects them?
| > (more than just login password)?
| Well, I don't know about others, but ciscos have telnet address-based
| authentication (plus I think, they can use TACACS - never tried it,
| though, and I don't know enough about it to guess how secure it is)
| and 2 passwords (1 for logging in, looking at interface state and
| statistics, routing tables etc) and another one to do really useful/nasty
| things (looking/changing configuration, taking interfaces down/up, etc)
TACACS is great! :-)
* The router prints a login-prompt
* The user enters the username and password.
* The username/password is sent off to a remote
  tacacsd, which validates the username/password pair
  with some algorithm.
* tacacsd sends back a packet
  "Yes, everything is fine. Let him in".
! All communication between router and tacacsd is done in clear.
I might have misunderstood this, if so, please inform me!
Btw, there is an informal RFC describing the CISCO tacacs.
/Christian W, cwe @
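
Added example (not part of the original message and not Cisco's code): the login exchange listed above as bytes on the wire, showing that the request decodes without any key. It assumes the simple UDP packet layout of RFC 1492; the function names, the sample account and the nonce are constructed for illustration.

```python
import hmac
import struct

# Assumed layout (simple UDP form, RFC 1492):
#   request: version(1) type(1) nonce(2) user_len(1) pass_len(1) user pass
#   reply:   version(1) type(1) nonce(2) response(1) reason(1)
HEADER = struct.Struct("!BBHBB")
VERSION_SIMPLE = 0
TYPE_LOGIN, TYPE_RESPONSE = 1, 2
RESP_ACCEPTED, RESP_REJECTED = 1, 2

def build_login(nonce, username, password):
    """Router side: pack the typed credentials into one datagram."""
    u, p = username.encode("ascii"), password.encode("ascii")
    if len(u) > 255 or len(p) > 255:
        raise ValueError("length fields are one byte each")
    return HEADER.pack(VERSION_SIMPLE, TYPE_LOGIN, nonce, len(u), len(p)) + u + p

def parse_login(packet):
    """Decode a login request; no key or secret is needed to do so."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    version, ptype, nonce, ulen, plen = HEADER.unpack_from(packet)
    body = packet[HEADER.size:]
    if ptype != TYPE_LOGIN or len(body) < ulen + plen:
        raise ValueError("not a complete login request")
    user = body[:ulen].decode("ascii", "replace")
    password = body[ulen:ulen + plen].decode("ascii", "replace")
    return {"nonce": nonce, "username": user, "password": password}

def tacacsd_answer(packet, users):
    """Server side: check the pair and send back accept/reject."""
    req = parse_login(packet)
    known = users.get(req["username"])
    ok = known is not None and hmac.compare_digest(
        known.encode(), req["password"].encode())
    response = RESP_ACCEPTED if ok else RESP_REJECTED
    return HEADER.pack(VERSION_SIMPLE, TYPE_RESPONSE, req["nonce"], response, 0)

def parse_reply(packet):
    """Router side: the only link between reply and request is the nonce."""
    version, ptype, nonce, response, reason = HEADER.unpack_from(packet)
    if ptype != TYPE_RESPONSE:
        raise ValueError("not a response")
    return {"nonce": nonce, "accepted": response == RESP_ACCEPTED}

if __name__ == "__main__":
    users = {"operator": "s3cret"}            # constructed sample account
    wire = build_login(0x1234, "operator", "s3cret")
    print(wire.hex(" "))                      # password bytes visible as-is
    print(parse_login(wire))
    print(parse_reply(tacacsd_answer(wire, users)))
```
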