secure router access

Perry E. Metzger perry at
Thu May 28 13:05:07 UTC 1998

Curtis Villamizar writes:
> With ssh, the ssh key identity can't be revoked.  Instead you need to
> find all .slogin files for all the accounts on all the machines and
> routers and make sure they aren't listed under an assigned name or a
> pseudoname they chose and didn't tell you about (an impossible task),
> plus insure that any machine (like their home machine) that they have
> access to doesn't appear in any .shosts files.

A script can do that without much effort.

> Given 1,000 machines (for example) which sounds harder to do?

If you have 1,000 machines, neither is particularly more difficult
than the other. With 1,000 machines, you need a database driven
management system anyway. If you are trying to manually maintain
accounts on 1,000 hosts, you've done something terribly wrong.

Personally, I prefer SSH for a bunch of reasons, but I'll admit that
at this scale, K5 with 3DES would do as good a job. 1DES K4 is *not*
sufficiently secure, though, IMHO.


More information about the NANOG mailing list