nanog mailing list archives

Re: Best practices inquiry: tracking SSH host keys


From: "David W. Hankins" <David_Hankins () isc org>
Date: Thu, 29 Jun 2006 09:28:49 -0700

On Wed, Jun 28, 2006 at 06:07:33PM -0700, Allen Parker wrote:
> Why not, on a regular basis, use ssh-keyscan and diff or something
> similar, to scan your range of hosts that DO have ssh on them (maybe
> nmap subnet scans for port 22?) to retrieve the host keys, compare
> them to last time the scan was run, see if anything changed, cross
> reference that with work orders by ip or any other identifiable
> information present, and let the tools do the work for you. Cron is
> your friend. Using rsync, scp, nfs or something similar it wouldn't be
> very difficult to upkeep an automated way of updating such a list once
> per day across your entire organization.

_wow_.

That's a massive "why not just" paragraph.  I can only imagine how
long a paragraph you'd write for finding and removing ex-employees'
public keys from all your systems.


So, here's my "why not just":

        Why not just use Kerberos?

-- 
David W. Hankins                "If you don't do it right the first time,
Software Engineer                       you'll just have to do it again."
Internet Systems Consortium, Inc.               -- Jack T. Hankins
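The "scan, save, compare to last time" step that the quoted message describes, as an added example; this is not code from the thread or from either poster. It assumes you have saved two ssh-keyscan runs (for example `ssh-keyscan -f hosts.txt > today.keys`, with yesterday's run kept as the baseline) and parses the known_hosts-format lines they contain. The two snapshots embedded below are constructed sample data with made-up key material, and the hosts and key blobs are placeholders, not real systems.

```python
# Added example: diff two ssh-keyscan snapshots and flag host keys that
# changed, appeared, or disappeared between runs. Not code from the thread.
import base64
import hashlib
from typing import Dict, List, Tuple

HostKey = Tuple[str, str]  # (host, key type), the identity a key is tracked under

# Constructed sample snapshots in the known_hosts format ssh-keyscan emits.
# Comment lines (starting with '#') are the per-host banners ssh-keyscan
# prints on stderr when run verbosely; they are ignored. Keys are made up.
BASELINE_SCAN = """\
# 10.0.0.1:22 SSH-2.0-OpenSSH
10.0.0.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne
10.0.0.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo
10.0.0.3 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleRsaKey
"""

TODAY_SCAN = """\
10.0.0.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne
10.0.0.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDifferentKeyTwo
10.0.0.4 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyFour
"""


def parse_keyscan(text: str) -> Dict[HostKey, str]:
    """Map (host, key type) -> base64 key blob from ssh-keyscan output.

    A host usually advertises several key types (rsa, ecdsa, ed25519), so
    each type is tracked separately; a rotated ed25519 key should not be
    masked by an unchanged rsa key on the same host.
    """
    keys: Dict[HostKey, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # malformed line, skip rather than crash the nightly job
        host, ktype, blob = parts
        keys[(host, ktype)] = blob
    return keys


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    padded = b64_key + "=" * (-len(b64_key) % 4)
    try:
        raw = base64.b64decode(padded)
    except ValueError:
        return "SHA256:<undecodable>"
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def diff_snapshots(old: Dict[HostKey, str], new: Dict[HostKey, str]) -> Dict[str, List[HostKey]]:
    """Classify every tracked key as changed, added, or removed."""
    common = old.keys() & new.keys()
    return {
        "changed": sorted(k for k in common if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def report(old_text: str, new_text: str) -> List[str]:
    """Human-readable lines to hand to whoever reconciles them with work orders."""
    old, new = parse_keyscan(old_text), parse_keyscan(new_text)
    delta = diff_snapshots(old, new)
    lines = []
    for host, ktype in delta["changed"]:
        lines.append(f"CHANGED {host} {ktype}: {fingerprint(old[(host, ktype)])}"
                     f" -> {fingerprint(new[(host, ktype)])}")
    for host, ktype in delta["added"]:
        lines.append(f"ADDED   {host} {ktype}: {fingerprint(new[(host, ktype)])}")
    for host, ktype in delta["removed"]:
        lines.append(f"REMOVED {host} {ktype}: {fingerprint(old[(host, ktype)])}")
    return lines


if __name__ == "__main__":
    for line in report(BASELINE_SCAN, TODAY_SCAN):
        print(line)
```

A changed key is the line worth reading first: it is either a reinstall or key rotation that should match a work order, or a host that is not the machine you think it is. A removed key only means the host did not answer this run, so treat it as "unreachable" until the next scan confirms it. Run the script from cron against the previous day's file and keep the snapshots themselves, since the history is what lets you date a change later.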
