RE: IT security people sleep well

From: Edward B. Dreger [mailto:eddy+public+spam@noc.everquick.net]

Correct. One must shell out more money for a bigger feature set
to obtain SSH. I don't recall specifics off the top of my head,
and don't have a javascript-capable machine handy to use Feature
Navigator[*], but certain { feature sets | trains } only support
SSHv1.

I don't see why they can't roll it into every ios that runs on a router
capable of ssh. Ssh and sshd on my linux system barely break 500k
compiled... And there's a TON of functionality in there that isn't
required on a router. It would seem that you could get ssh put into
these code trains in under 500k ...

Personally, I like having a little wiggle room in the flash ... Putting
an image on there that occupies the entire flash is a bad thing...

[*] Quick gripe: Did anyone at Cisco ever consider that people
    might like to use Feature Navigator without javascript?
    What's next? Mandatory Flash Player?

I concur.. Mandatory Javascript sucks... Esp when Mozilla and Firefox
have problems viewing the pages... Cisco's site became decidedly
un-useful when they switched it over to this new design...

Eddy

Jason Frisvold
Penteledata

OK.. Say you can get it into the code train for 200K. What do you do with all
those routers that have only 100K or 125K of space left in the flash (if that),
and the flash is NOT going to get any bigger without massive abuse of a
soldering iron because not all the needed address lines are brought out to the
flash chip (a fine tactic dating back decades - I remember seeing a 16K ROM
nailed to the top quarter of the 64K address space, and only 14 address lines
brought to the chip - it was nailed to the top 16K by feeding A14 and A15 to an
AND gate which fed the 'Chip Select' pin...)

Date: Mon, 7 Jun 2004 22:31:59 -0400
From: Jason Frisvold

I don't see why they can't roll it into every ios that runs
on a router capable of ssh. Ssh and sshd on my linux system
barely break 500k compiled... And there's a TON of
functionality in there that isn't required on a router. It
would seem that you could get ssh put into these code trains
in under 500k ...

Dynamic linking might be cheating. Static linking might be
pessimistic. Probably best to compare BSD "crunchgen" images
with and without ssh/sshd. (2MB total for statically-linked ssh
and sshd as I compile it.)

Personally, I like having a little wiggle room in the
flash... Putting an image on there that occupies the entire
flash is a bad thing...

You haven't lived life to its fullest until you need to load a
boot image remotely via YModem. :wink:

Eddy

A friend of mine here at uni wrote a much, much smaller sshd replacement
he calls "dropbear". It's much, much smaller than sshd. Much smaller.

http://matt.ucc.asn.au/dropbear/dropbear.html

I think it's very very cute. Perhaps some vendors with small memory
footprints would consider implementing this kind of tiny sshd?

Adrian

Adrian Chadd wrote:

A friend of mine here at uni wrote a much, much smaller sshd replacement
he calls "dropbear". It's much, much smaller than sshd. Much smaller.

Dropbear SSH

I think it's very very cute. Perhaps some vendors with small memory
footprints would consider implementing this kind of tiny sshd?

Several third party firmwares for the linksys wrt54g wireless AP + "router" (which, of course, is owned by brand C) implement sshd using dropbear. For example, the ones at sveasoft, and at h.vu.wifi-box.net

  srs

How do you know what you get in the box is the same as what was
shipped from the factory? Or was it just re-sealed and put back
on the shelf with an altered configuration?

http://www.securityfocus.com/archive/1/364977

If you buy your network equipment off Ebay, what are you really
getting? Does it come with hitchhiking firmware pre-installed?
The power of the Internet means the bad guys don't need to care
who buys the tampered equipment, because it can "call home" and
tell the bad guy where it ended up.

Several third party firmwares for the linksys wrt54g wireless AP +
"router" (which, of course, is owned by brand C) implement sshd using
dropbear. For example, the ones at sveasoft, and at h.vu.wifi-box.net

How do you know what you get in the box is the same as what was
shipped from the factory? Or was it just re-sealed and put back
on the shelf with an altered configuration?

http://www.securityfocus.com/archive/1/364977

If you buy your network equipment off Ebay, what are you really
getting? Does it come with hitchhiking firmware pre-installed?
The power of the Internet means the bad guys don't need to care
who buys the tampered equipment, because it can "call home" and
tell the bad guy where it ended up.

and, of course, there are no back doors in code directly from
vendors, government standards (can you say clipper), ...
[sounds of luftswineza]

building from certifiable open source that has been inspected
by many is the only half-credible scheme of which i am aware.

randy

Sean Donelan wrote:

How do you know what you get in the box is the same as what was
shipped from the factory? Or was it just re-sealed and put back
on the shelf with an altered configuration?

1. Buy a linksys box off the shelf from radio shack or wherever [factory sealed]

2. Download the latest firmware and/or its source code from ftp.linksys.com, or the wifi-box.net site.

3. Build it yourself

or

4. As these two I mentioned (sveasoft / wifi-box) are open source, trust the developer community to some extent when you download firmware from their site.

  srs

Dynamic linking might be cheating. Static linking might be
pessimistic. Probably best to compare BSD "crunchgen" images
with and without ssh/sshd. (2MB total for statically-linked ssh
and sshd as I compile it.)

Ooops.. forgot that bit :slight_smile:

You haven't lived life to its fullest until you need to load a
boot image remotely via YModem. :wink:

Been there, Done that.. Is there a T-Shirt? :slight_smile:

More flaws foul security of open-source repository
By Robert Lemos
Staff Writer, CNET News.com
http://news.com.com/2100-7344-5229750.html

Security researchers have found at least six more flaws in the
open-software world's most popular program for maintaining code under
development.
[...]
The major projects using the program were notified of the issues May 28.
On Wednesday, the security holes were publicly announced.

Since the topic of pre-notification came up during the NANOG nsp-sec BOF,
should CVS have pre-notified selected major users of the software before
the public announcement? Did this create favoritism, or should they
have held off and told everyone about the vulnerability at the same time
as the public announcement?