[91078] in North American Network Operators' Group
Re: Best practices inquiry: tracking SSH host keys
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Thu Jun 29 15:44:30 2006
Date: Thu, 29 Jun 2006 19:43:48 +0000 (GMT)
From: "Christopher L. Morrow" <christopher.morrow@verizonbusiness.com>
In-reply-to: <20060629162849.GE11742@isc.org>
To: "David W. Hankins" <David_Hankins@isc.org>
Cc: nanog@nanog.org
Errors-To: owner-nanog@merit.edu
On Thu, 29 Jun 2006, David W. Hankins wrote:
> On Wed, Jun 28, 2006 at 06:07:33PM -0700, Allen Parker wrote:
> > Why not, on a regular basis, use ssh-keyscan and diff or something
> > similar, to scan your range of hosts that DO have ssh on them (maybe
--snip-200-words-or-less---
>
> _wow_.
>
> That's a massive "why not just" paragraph. I can only imagine how
> long a paragraph you'd write for finding and removing ex-employees'
> public keys from all your systems.
>
>
> So, here's my "why not just":
>
> Why not just use Kerberos?
>
apparently Kerberos scares people... I'm not sure I 'get' that, but :( A
corp security group once for a long time 'didn't believe in Kerberos';
some people 'get it', some don't :(
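The ssh-keyscan-and-diff approach that Allen Parker suggested and David Hankins quotes above, as an added worked example that is not part of the thread. The core is a comparison of two known_hosts-style files (the baseline you recorded when the hosts were built, and a fresh ssh-keyscan run) that reports keys which changed, appeared, or disappeared; a changed key for a host you did not rebuild is the signal worth an alert. The hostnames and key strings in the demo are constructed sample data, not real keys, and the hostkey_* function names are this example's own.

```shell
#!/bin/sh
# Compare two known_hosts-style files, as written by "ssh-keyscan", and
# report host keys that CHANGED, are NEW, or have gone MISSING.
# Each input line is "host keytype base64-key"; comments and short lines
# are skipped.  Usage: hostkey_diff baseline.txt current.txt
hostkey_diff() {
    awk '
        /^#/ || NF < 3 { next }
        # First file is the baseline: remember key material per host+type.
        FILENAME == ARGV[1] { base[$1 " " $2] = $3; next }
        # Second file is the current scan: classify each entry.
        {
            k = $1 " " $2
            if (!(k in base))        print "NEW " k
            else if (base[k] != $3)  print "CHANGED " k
            seen[k] = 1
        }
        # Anything in the baseline that the scan did not return.
        END { for (k in base) if (!(k in seen)) print "MISSING " k }
    ' "$1" "$2" | sort
}

# Rescan the hosts listed one per line in $1 and diff against baseline $2.
# Needs network access and ssh-keyscan; the demo below does not call it.
hostkey_rescan() {
    ssh-keyscan -t rsa,ecdsa,ed25519 -f "$1" 2>/dev/null | sort > "$2.new"
    hostkey_diff "$2" "$2.new"
}

# Offline demonstration on constructed data: router2 has a different key
# than recorded, router3 no longer answers, router4 is newly seen.
hostkey_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/baseline" <<'EOF'
router1.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyRouterOne
router2.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyRouterTwo
router3.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyRouterThree
EOF
    cat > "$tmp/current" <<'EOF'
# example.net hosts, constructed scan output
router1.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyRouterOne
router2.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDifferentKeyRouterTwo
router4.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyRouterFour
EOF
    hostkey_diff "$tmp/baseline" "$tmp/current"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    hostkey_demo
fi
```

Run it as `sh hostkeys.sh --demo` to see the three classifications. In practice the baseline must be captured out of band (at provisioning, or over a path you already trust), because a scan taken after an attacker has swapped a key simply records the attacker's key; and a MISSING entry is worth checking too, since a host that stops answering on port 22 during the scan window is as interesting as one whose key changed.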