
Unifi WARNING TO ALL UNIFI USERS, Threat warning, read inside

ihsan
post Jun 1 2010, 07:29 PM

Regular
Elite
1,235 posts

Joined: Jan 2003
From: kuala lipis
i think the issue is not about running ssh daemon or not. most routers run ssh on internet-facing segment so no biggie. the real issue in my opinion is the fact that the remote management is enabled for 0/0 network which actually means anyone including my mother can access any resources in the router.

so if it's part of the t&c that tm can and must access the RG then they can do that. the incompetence part of this is opening it up for all the world to access. ideally the router should only be accessed from trusted/authorized segment which has to be explicitly specified in the remote management section.
ihsan
post Jun 2 2010, 05:20 PM

QUOTE(rizvanrp @ Jun 2 2010, 01:16 PM)
@ihsan

Having the SSHd enabled alone allows them to turn every router into a proxy using SSH tunneling. It's not necessary to have SSH at all since the web interface provides all the necessary tools.. and there are TTL connectors on the DIR-615 board which allow for serial connections. Hiding the account made us crack our heads for months wondering what would be a good VLAN switch to use as a bridge when the DIR-615 could be used all along.. something they denied was possible. I'm sure newbies won't mind letting TM's support staff access their router to help them troubleshoot the situation but advanced users and corporations may not feel comfortable with that sort of thing. Even if this was the case, TM wouldn't be able to access the router remotely if the HSBB line was having connection issues.

if the access list only allows certain range to access the box, then only from that segment can someone tunnel over SSH. since I would think that the origin the router has to be a linux or something similar to that, i figure an sshd daemon is needed to do low-level diagnostics or configuration since you expose yourself to unnecessary risk if you open up low level access via web application. of course there's a way to mitigate the level of compromise i.e. webapp speak to system daemon via restricted socket etc, i doubt that current breeds of RGs have that level of sophistication.

back to the question whether or not it's appropriate to have low-level access from the perspective of remote RG management, i think it's more of a matter of policy. and of course having said that the password management could have been done better.

good job for the expose. it takes just one exploit for them to feel the heat.

This post has been edited by ihsan: Jun 2 2010, 05:25 PM
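
The access-list point made in the two posts above (remote management open to 0/0 versus limited to a trusted segment), as an added example that is not part of the original thread. The rule layout, the 192.0.2.0/28 management segment and the 203.0.113.50 client are constructed documentation values, not the RG's real configuration.

```python
import ipaddress

# Constructed remote-management entries: (service, port, allowed source).
# The field layout and every address here are assumptions for illustration.
WIDE_OPEN = [("ssh", 22, "0.0.0.0/0"), ("https", 443, "0.0.0.0/0")]
RESTRICTED = [("ssh", 22, "192.0.2.0/28"), ("https", 443, "192.0.2.0/28")]


def audit(rules, max_hosts=4096):
    """Flag rules whose source range is too broad to be a trusted segment."""
    findings = []
    for service, port, source in rules:
        net = ipaddress.ip_network(source, strict=False)
        if net.prefixlen == 0:
            # 0/0 matches every address on the internet.
            findings.append((service, port, "open to any source"))
        elif net.num_addresses > max_hosts:
            findings.append((service, port, f"broad source range {net}"))
    return findings


def admitted(rules, client_ip, port):
    """True if client_ip may reach the management port (default deny)."""
    addr = ipaddress.ip_address(client_ip)
    return any(
        p == port and addr in ipaddress.ip_network(src, strict=False)
        for _, p, src in rules
    )


if __name__ == "__main__":
    for name, rules in (("wide open", WIDE_OPEN), ("restricted", RESTRICTED)):
        print(name, "findings:", audit(rules))
        # An arbitrary internet host versus a host inside the trusted segment.
        for client in ("203.0.113.50", "192.0.2.5"):
            print(f"  {client} -> ssh allowed: {admitted(rules, client, 22)}")
```

With the restricted list, SSH tunneling is only reachable from the management segment; with 0/0 every source is admitted.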
