nanog mailing list archives

Re: Best practices inquiry: tracking SSH host keys

From: "Christopher L. Morrow" <christopher.morrow () verizonbusiness com>
Date: Thu, 29 Jun 2006 19:43:48 +0000 (GMT)


On Thu, 29 Jun 2006, David W. Hankins wrote:

On Wed, Jun 28, 2006 at 06:07:33PM -0700, Allen Parker wrote:

Why not, on a regular basis, use ssh-keyscan and diff or something
similar, to scan your range of hosts that DO have ssh on them (maybe

--snip-200-words-or-less---


_wow_.

That's a massive "why not just" paragraph.  I can only imagine how
long a paragraph you'd write for finding and removing ex-employee's
public keys from all your systems.


So, here's my "why not just":

      Why not just use Kerberos?


apparently kerberos scares people... I'm not sure I 'get' that, but :( A
corp security group once for a long time 'didnt believe in kerberos',
some people 'get it' some don't :(

Current thread:

Best practices inquiry: tracking SSH host keys Phillip Vandry (Jun 28)
- Re: Best practices inquiry: tracking SSH host keys Allen Parker (Jun 28)
  - Re: Best practices inquiry: tracking SSH host keys Jeroen Massar (Jun 28)
    - Re: Best practices inquiry: tracking SSH host keys Simon Leinen (Jun 29)
  - Re: Best practices inquiry: tracking SSH host keys David W. Hankins (Jun 29)
    - Re: Best practices inquiry: tracking SSH host keys Christopher L. Morrow (Jun 29)