secure router access
Perry E. Metzger
perry at piermont.com
Thu May 28 13:05:07 UTC 1998
Curtis Villamizar writes:
> With ssh, the ssh key identity can't be revoked. Instead you need to
> find all .slogin files for all the accounts on all the machines and
> routers and make sure they aren't listed under an assigned name or a
> pseudoname they chose and didn't tell you about (an impossible task),
> plus insure that any machine (like their home machine) that they have
> access to doesn't appear in any .shosts files.
A script can do that without much effort.
> Given 1,000 machines (for example) which sounds harder to do?
If you have 1,000 machines, neither is particularly more difficult
than the other. With 1,000 machines, you need a database driven
management system anyway. If you are trying to manually maintain
accounts on 1,000 hosts, you've done something terribly wrong.
Personally, I prefer SSH for a bunch of reasons, but I'll admit that
at this scale, K5 with 3DES would do as good a job. 1DES K4 is *not*
sufficiently secure, though, IMHO.
More information about the NANOG