nanog mailing list archives

Re: Best practices inquiry: tracking SSH host keys


From: "Christopher L. Morrow" <christopher.morrow () verizonbusiness com>
Date: Fri, 07 Jul 2006 03:58:43 +0000 (GMT)



On Thu, 6 Jul 2006, Steven M. Bellovin wrote:

> On Thu, 29 Jun 2006 19:43:48 +0000 (GMT), "Christopher L. Morrow"
> <christopher.morrow () verizonbusiness com> wrote:
>
> > On Thu, 29 Jun 2006, David W. Hankins wrote:
> >
> > > So, here's my "why not just":
> > >
> > >   Why not just use Kerberos?
> >
> > apparently kerberos scares people... I'm not sure I 'get' that, but :( A
> > corp security group once for a long time 'didn't believe in kerberos',
> > some people 'get it', some don't :(
>
> Kerberos is a single point of failure; that scares people.  You *know* you
> have to keep the Kerberos server locked down tight, highly available (very
> tricky for some ISP scenarios!), etc.

remote datacenters, firewall/ipf/ipfw/iptables/blah, disable local
console, only absolutely necessary user accounts... there are other
protections, but really, make 10 copies, spread them around your 'network'.
It's not that bad, really.

> SSH is a distributed single point of failure, just like the old thick
> yellow Ethernet.  Remember how reliable and easy to debug that was?
>
> More seriously, the original virtue of SSH was that it could be deployed
> without centralized infrastructure.  That's great for many purposes; it's
> exactly what you don't want if you're an ISP managing a lot of servers and
> network elements.  You really do want a PKI, complete with CRLs.  I know

ssh+kerb works, well... so do kerberized r* services... I'm not sure I see
how they are that different from PKI. There may be some advantages to PKI,
but there are risks and operational concerns as well. I suppose people
should pick what works for them...

> that (most) SSH implementations don't do that -- complain to your vendor.
> (Note: the CAs are also single points of failure.  However, they can be
> kept offline or nearly so, booted from a FooLive CD that logs to a
> multi-session CD or via a write-only network port through a tight
> firewall, etc.  Yes, you have to worry about procedures, physical access,
> and people, but you *always* have to worry about those.

right, just like kerberos... I do admit I'm a fan of kerberos, run it at
home even. Anyway :) there are obviously many ways to skin this cat.
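The thread's subject, tracking SSH host keys when every client carries its own trust store, as an added example that is not part of this thread: a small Python checker that parses an OpenSSH-style known_hosts file (plain and |1| hashed hostnames), computes OpenSSH-style SHA256 fingerprints, and reports whether a host's presented key matches, has changed, or is unknown. The key blobs and hostnames are constructed samples, not real hosts.

```python
import base64, hashlib, hmac, struct

def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix + data)."""
    return struct.pack(">I", len(b)) + b

def fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_hostname(host: str, salt: bytes) -> str:
    """Hashed known_hosts name field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def name_matches(field: str, host: str) -> bool:
    """Match a known_hosts name field (plain, comma-separated or |1| hashed) against host."""
    if field.startswith("|1|"):
        salt_b64 = field.split("|")[2]
        return hashed_hostname(host, base64.b64decode(salt_b64)) == field
    return host in field.split(",")

def parse_known_hosts(text: str) -> list:
    """Return (name field, key type, base64 key) for each real entry; skip comments/blanks."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#"):
            entries.append((parts[0], parts[1], parts[2]))
    return entries

def check_host(known_hosts: str, host: str, keytype: str, observed_b64: str) -> str:
    """Compare the key a host presents now with the local trust store: 'match',
    'CHANGED' (recorded key differs; investigate before connecting) or 'unknown'
    (no record: the trust-on-first-use decision every client makes on its own)."""
    for name, ktype, key in parse_known_hosts(known_hosts):
        if ktype == keytype and name_matches(name, host):
            return "match" if fingerprint(key) == fingerprint(observed_b64) else "CHANGED"
    return "unknown"

# Constructed sample keys: valid ed25519 wire blobs with dummy 32-byte points, no real hosts.
KEY_A = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(b"A" * 32)).decode()
KEY_B = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(b"B" * 32)).decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample trust store",
    "router1.example.net,10.0.0.1 ssh-ed25519 " + KEY_A + " router1",
    hashed_hostname("router2.example.net", b"0123456789abcdefghij") + " ssh-ed25519 " + KEY_B,
])
```

Run against a real ~/.ssh/known_hosts and a key obtained with ssh-keyscan, a "CHANGED" result is the per-client signal a central PKI or Kerberos deployment would otherwise give you for free.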

