[91070] in North American Network Operators' Group
Re: Best practices inquiry: tracking SSH host keys
daemon@ATHENA.MIT.EDU (David W. Hankins)
Thu Jun 29 12:29:22 2006
Date: Thu, 29 Jun 2006 09:28:49 -0700
From: "David W. Hankins" <David_Hankins@isc.org>
To: nanog@nanog.org
In-Reply-To: <9f2790160606281807n70b26d58r310d4e1136899c8a@mail.gmail.com>
On Wed, Jun 28, 2006 at 06:07:33PM -0700, Allen Parker wrote:
> Why not, on a regular basis, use ssh-keyscan and diff or something
> similar, to scan your range of hosts that DO have ssh on them (maybe
> nmap subnet scans for port 22?) to retrieve the host keys, compare
> them to last time the scan was run, see if anything changed, cross
> reference that with work orders by ip or any other identifiable
> information present, and let the tools do the work for you. Cron is
> your friend. Using rsync, scp, nfs or something similar it wouldn't be
> very difficult to upkeep an automated way of updating such a list once
> per day across your entire organization.
_wow_.
That's a massive "why not just" paragraph. I can only imagine how
long a paragraph you'd write for finding and removing ex-employees'
public keys from all your systems.
So, here's my "why not just":
Why not just use Kerberos?
--
David W. Hankins                    "If you don't do it right the first time,
Software Engineer                        you'll just have to do it again."
Internet Systems Consortium, Inc.                    -- Jack T. Hankins