Best practices inquiry: tracking SSH host keys

Jeremy Chadwick nanog at jdc.parodius.com
Fri Jul 7 01:22:48 UTC 2006


On Thu, Jul 06, 2006 at 04:52:52PM -0400, Steven M. Bellovin wrote:
> On Thu, 29 Jun 2006 19:43:48 +0000 (GMT), "Christopher L. Morrow"
> <christopher.morrow at verizonbusiness.com> wrote:
> > apparently kerberos scares people... I'm not sure I 'get' that, but :( A
> > corp security group once for a long time 'didnt believe in kerberos',
> > some people 'get it' some don't :(
> > 
> Kerberos is a single point of failure; that scares people.  You *know* you
> have to keep the Kerberos server locked down tight, highly available (very
> tricky for some ISP scenarios!), etc.

Speaking purely from a system administration point of view, Kerberos
is also a nightmare.  Not only does the single-point-of-failure
induce red flags in most SAs I know (myself included), but having
to "kerberise" every authentication-oriented binary on the system
that you have is also a total nightmare.  Kerberos 4 is also
completely incompatible with 5.  Let's also not bring up the issue
of globally-readable Kerberos tickets lying around /tmp on
machines which use Kerberos, okay?  ;-)

Admittedly, the rebuttals to this are a) "most things use PAM which
can use Kerberos transparently" and b) "most network utilities
these days support Kerberos".  I run into things every day that
support neither Kerberos nor PAM.

The bottom line is that SSH is "easier", so more people will use
it.  That may not be the best attitude, I'll admit, but that's
reality.

At my current workplace, our SAs + developers wrote a distributed
key system (client + daemon) that runs on all of our machines.  It
handles distribution and receiving of SSH keys, creating home dirs,
and deciding who gets their public key stuck into
/root/.ssh/authorized_keys as well.  I haven't looked, but it wouldn't
surprise me if something like this was already available via
SourceForge or some other open-source publishing medium.

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP: 4BD6C0CB |
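The post mentions an in-house client/daemon that distributes SSH public keys and decides whose key ends up in /root/.ssh/authorized_keys, but none of its code is on the page. The following is an added example, not that system and not the author's code: a small Python sketch of the policy side of such a tool. It assumes a policy table (constructed here; the post does not describe any format) that maps each user to their public keys and flags whether those keys may also be installed for root. Every key line is parsed and checked (valid base64, and the key type written in the text must match the type embedded in the key blob) before it is rendered, and each key is fingerprinted OpenSSH-style so the distribution log can record exactly which key went where. The ssh-ed25519 lines used as sample input are constructed from fixed filler bytes and are not real keys.

```python
"""Added example: the policy/rendering side of a toy SSH public-key distributor.

Not the system described in the post. POLICY, the account names and the
sample keys are all constructed for illustration.
"""
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(b)) + b


def _read_ssh_string(blob: bytes, off: int):
    """Decode one SSH wire-format string at offset off; returns (value, next_offset)."""
    if len(blob) < off + 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + n
    if len(blob) < end:
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end


def parse_pubkey(line: str):
    """Parse an OpenSSH public key line into (keytype, blob, comment).

    Refuses bad base64 and lines whose textual key type does not match the
    type embedded in the blob, so a hand-edited or corrupted line is rejected
    before it is written into anyone's authorized_keys.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed key line: %r" % line)
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key for %r is not valid base64: %s" % (comment, exc))
    inner_type, _ = _read_ssh_string(blob, 0)
    if inner_type != keytype.encode("ascii"):
        raise ValueError("declared type %s does not match blob type %r" % (keytype, inner_type))
    return keytype, blob, comment


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def _constructed_ed25519_line(fill: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 line from 32 filler bytes.

    Constructed sample data only; the bytes are not a real Ed25519 key.
    """
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


# Constructed policy table (hypothetical format): user -> their public keys,
# plus whether those keys are also allowed into /root/.ssh/authorized_keys.
POLICY = {
    "alice": {"keys": [_constructed_ed25519_line(0x01, "alice@laptop")], "root": True},
    "bob":   {"keys": [_constructed_ed25519_line(0x02, "bob@desktop")], "root": False},
}


def render_authorized_keys(policy, accounts_on_host):
    """Return {account: [authorized_keys lines]} for the accounts that exist on a host.

    Every key is parsed and fingerprinted before anything is emitted, so one
    bad key aborts the render instead of silently dropping a user's access.
    A key is installed at most once per account (deduplicated by fingerprint),
    and root entries carry the owning user in the comment for the audit trail.
    """
    out = {acct: {} for acct in accounts_on_host}
    for user, entry in sorted(policy.items()):
        for raw in entry["keys"]:
            keytype, blob, comment = parse_pubkey(raw)
            fp = fingerprint(blob)
            b64 = base64.b64encode(blob).decode("ascii")
            if user in out:
                out[user].setdefault(fp, "%s %s %s" % (keytype, b64, comment))
            if entry["root"] and "root" in out:
                out["root"].setdefault(fp, "%s %s %s (root via %s)" % (keytype, b64, comment, user))
    return {acct: list(lines.values()) for acct, lines in out.items()}


if __name__ == "__main__":
    for acct, lines in render_authorized_keys(POLICY, ["root", "alice", "bob"]).items():
        print("# %s/.ssh/authorized_keys" % ("/root" if acct == "root" else "/home/" + acct))
        for line in lines:
            print(line)
```

Two properties of the sketch carry over to any real distributor: validate a key line before installing it (a type/blob mismatch or bad base64 is a sign of tampering or corruption, not something to copy onto every host), and log the fingerprint rather than the whole key so the record of which key was installed where can be compared against `ssh-keygen -lf` output later.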
