[17238] in North American Network Operators' Group


Re: secure router access

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Thu May 28 09:12:15 1998

To: curtis@ans.net
cc: perry@piermont.com, Michael Dillon <michael@memra.com>, nanog@merit.edu
In-reply-to: Your message of "Wed, 27 May 1998 22:53:47 EDT."
             <199805280253.WAA01527@brookfield.ans.net> 
Reply-To: perry@piermont.com
Date: Thu, 28 May 1998 09:05:07 -0400
From: "Perry E. Metzger" <perry@piermont.com>


Curtis Villamizar writes:
> With ssh, the ssh key identity can't be revoked.  Instead you need to
> find all .slogin files for all the accounts on all the machines and
> routers and make sure they aren't listed under an assigned name or a
> pseudonym they chose and didn't tell you about (an impossible task),
> plus ensure that any machine (like their home machine) that they have
> access to doesn't appear in any .shosts files.

A script can do that without much effort.

> Given 1,000 machines (for example) which sounds harder to do?

If you have 1,000 machines, neither is particularly more difficult
than the other. With 1,000 machines, you need a database driven
management system anyway. If you are trying to manually maintain
accounts on 1,000 hosts, you've done something terribly wrong.

Personally, I prefer SSH for a bunch of reasons, but I'll admit that
at this scale, K5 with 3DES would do as good a job. 1DES K4 is *not*
sufficiently secure, though, IMHO.

Perry
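[Editor's note, added to this archive page: Perry's "a script can do that" is
left as an exercise above. Below is one form such a script could take; it is an
added example, not code from either poster. It walks every account's home
directory, parses .rhosts/.shosts entries ("host [user]", with "+" wildcards
and "-" negations), parses authorized_keys entries in both the SSH1 form
("bits exponent modulus comment") and the SSH2 form ("type base64 comment",
optionally preceded by options such as from="..."), and flags anything that
still trusts a revoked user, one of their hosts, or one of their known public
keys. The directory tree, account names, hostnames and key values are
constructed for the example. Note that it can only match names, hosts and keys
you already know about, which is exactly the gap Curtis describes for a
pseudonym the user never told you about.]

```python
"""Find rhosts-style trust and authorized_keys entries that still grant a
departed user access.  Added example; the sample home tree is constructed."""
import os
import re
import tempfile
from typing import List, Optional, Set, Tuple

Finding = Tuple[str, int, str]        # (file relative to root, line number, reason)
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_rhosts_line(line: str) -> Optional[Tuple[str, Optional[str]]]:
    """Parse one .rhosts/.shosts line into (host, user); None for blank/comment."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    return fields[0], (fields[1] if len(fields) > 1 else None)


def check_rhosts(path: str, names: Set[str], hosts: Set[str]) -> List[Finding]:
    findings: List[Finding] = []
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            parsed = parse_rhosts_line(raw)
            if parsed is None:
                continue
            host, user = parsed
            if host.startswith("-"):            # negation: denies, does not trust
                continue
            if host == "+" or user == "+":      # wildcard: trusts everyone
                findings.append((path, lineno, "wildcard entry trusts any host or user"))
            elif host.lower() in hosts:
                findings.append((path, lineno, f"trusts revoked host {host}"))
            elif user is not None and user in names:
                findings.append((path, lineno, f"trusts revoked user {user}"))
    return findings


def check_authorized_keys(path: str, names: Set[str], known_keys: Set[str]) -> List[Finding]:
    findings: List[Finding] = []
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            body = raw.strip()
            if not body or body.startswith("#"):
                continue
            fields = body.split()
            # Skip a leading option list (from="...",command="...") to reach the key.
            start = next((i for i, f in enumerate(fields)
                          if f.isdigit() or f.startswith(KEY_TYPE_PREFIXES)), None)
            if start is None:
                findings.append((path, lineno, "unparseable line, review by hand"))
                continue
            fields = fields[start:]
            if fields[0].isdigit():             # SSH1: bits exponent modulus [comment]
                key = fields[2] if len(fields) > 2 else ""
                comment = " ".join(fields[3:])
            else:                               # SSH2: type base64 [comment]
                key = fields[1] if len(fields) > 1 else ""
                comment = " ".join(fields[2:])
            tokens = set(re.split(r"[@\s]+", comment)) - {""}
            if key in known_keys:
                findings.append((path, lineno, "known public key of revoked user"))
            elif tokens & names:
                findings.append((path, lineno, f"key comment names {', '.join(sorted(tokens & names))}"))
    return findings


def scan(root: str, names: Set[str], hosts: Set[str], known_keys: Set[str]) -> List[Finding]:
    """Check .rhosts, .shosts and .ssh/authorized_keys under every home dir in root."""
    findings: List[Finding] = []
    for account in sorted(os.listdir(root)):
        home = os.path.join(root, account)
        if not os.path.isdir(home):
            continue
        for rel in (".rhosts", ".shosts"):
            p = os.path.join(home, rel)
            if os.path.isfile(p):
                findings.extend(check_rhosts(p, names, hosts))
        p = os.path.join(home, ".ssh", "authorized_keys")
        if os.path.isfile(p):
            findings.extend(check_authorized_keys(p, names, known_keys))
    return [(os.path.relpath(p, root), n, why) for p, n, why in findings]


def build_sample_tree() -> str:
    """Constructed sample /home tree (fake accounts, hosts and key material)."""
    root = tempfile.mkdtemp(prefix="home-")
    files = {
        "alice/.shosts": "# trusted hosts for alice\nbrookfield.example.net alice\nhome.example.org curtis\n",
        "bob/.rhosts": "+\n-badhost.example.net\n",
        "bob/.ssh/authorized_keys": ("1024 35 1234567890123456789 bob@example.net\n"
                                     "1024 37 9876543210987654321 cv\n"
                                     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0FAKEKEY nobody@example.com\n"),
        "carol/.ssh/authorized_keys": 'from="*.example.org" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0FAKEKEY carol@laptop\n',
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    # Revoke "curtis": his login name, his home machine, and the one key we know of.
    sample = build_sample_tree()
    for path, lineno, why in scan(sample, {"curtis"}, {"home.example.org"}, {"9876543210987654321"}):
        print(f"{path}:{lineno}: {why}")
```

In practice the root would be the real home directory tree on each host (or an
NFS-mounted copy), run from the same account database Perry argues you need at
this scale; the key under the comment "cv" is only caught because its modulus
was recorded when it was issued, which is the point of keeping that record.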
