nanog mailing list archives
Re: secure router access
From: "Perry E. Metzger" <perry () piermont com>
Date: Thu, 28 May 1998 09:05:07 -0400
Curtis Villamizar writes:
> With ssh, the ssh key identity can't be revoked. Instead you need to find all .slogin files for all the accounts on all the machines and routers and make sure they aren't listed under an assigned name or a pseudoname they chose and didn't tell you about (an impossible task), plus ensure that any machine (like their home machine) that they have access to doesn't appear in any .shosts files.

A script can do that without much effort.

> Given 1,000 machines (for example) which sounds harder to do?

If you have 1,000 machines, neither is particularly more difficult than the other. With 1,000 machines, you need a database-driven management system anyway. If you are trying to manually maintain accounts on 1,000 hosts, you've done something terribly wrong. Personally, I prefer SSH for a bunch of reasons, but I'll admit that at this scale, K5 with 3DES would do as good a job. 1DES K4 is *not* sufficiently secure, though, IMHO.

Perry
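Added example, not part of the original message: a sketch of the kind of per-host audit script the thread refers to, matching on the key material itself so an entry filed under an undisclosed comment name is still found. It assumes OpenSSH's `~/.ssh/authorized_keys` layout alongside the `.shosts` files mentioned above; the key blob, host names and directory tree are constructed.

```python
import os
import tempfile

def _entries(path):
    """Yield (line_no, fields) for each non-blank, non-comment line; skip missing files."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for no, line in enumerate(fh, 1):
                line = line.strip()
                if line and not line.startswith("#"):
                    yield no, line.split()
    except OSError:
        return

def audit_home(home, revoked_blobs, revoked_hosts):
    """Return (path, line_no, reason) for every entry that still grants access."""
    findings = []
    keys = os.path.join(home, ".ssh", "authorized_keys")  # assumed OpenSSH layout
    for no, fields in _entries(keys):
        # The key blob may follow an options field, so check every token.
        if revoked_blobs.intersection(fields):
            findings.append((keys, no, "revoked key"))
    shosts = os.path.join(home, ".shosts")
    for no, fields in _entries(shosts):
        # .shosts lines are "host [user]"; only the host field is compared.
        if fields[0].lower() in revoked_hosts:
            findings.append((shosts, no, "revoked host"))
    return findings

def audit_tree(root, revoked_blobs, revoked_hosts):
    """Audit every home directory directly under root (e.g. /home)."""
    findings = []
    for name in sorted(os.listdir(root)):
        findings += audit_home(os.path.join(root, name), revoked_blobs, revoked_hosts)
    return findings

def demo():
    """Build a constructed two-account tree and audit it."""
    blob = "AAAAB3NzaC1yc2EAAAADAQABexampleDEPARTED"  # constructed, not a real key
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "alice", ".ssh"))
    os.makedirs(os.path.join(root, "bob"))
    with open(os.path.join(root, "alice", ".ssh", "authorized_keys"), "w") as fh:
        fh.write("# keys\nssh-rsa AAAAkeepme alice@work\n"
                 f'from="10.0.0.*" ssh-rsa {blob} some-pseudonym\n')
    with open(os.path.join(root, "bob", ".shosts"), "w") as fh:
        fh.write("trusted.example.net\nHome-PC.example.org departed\n")
    return audit_tree(root, {blob}, {"home-pc.example.org"})

if __name__ == "__main__":
    for path, no, reason in demo():
        print(f"{path}:{no}: {reason}")
```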