Best practices inquiry: tracking SSH host keys

Christopher L. Morrow christopher.morrow at
Fri Jul 7 03:58:43 UTC 2006

On Thu, 6 Jul 2006, Steven M. Bellovin wrote:

> On Thu, 29 Jun 2006 19:43:48 +0000 (GMT), "Christopher L. Morrow"
> <christopher.morrow at> wrote:
> >
> > On Thu, 29 Jun 2006, David W. Hankins wrote:
> >
> > > So, here's my "why not just":
> > >
> > > 	Why not just use Kerberos?
> > >
> >
> > apparently kerberos scares people... I'm not sure I 'get' that, but :( A
> > corp security group once for a long time 'didn't believe in kerberos',
> > some people 'get it' some don't :(
> >
> Kerberos is a single point of failure; that scares people.  You *know* you
> have to keep the Kerberos server locked down tight, highly available (very
> tricky for some ISP scenarios!), etc.

remote datacenters, firewall/ipf/ipfw/iptables/blah, disable local
console, only absolutely necessary user accounts... there are other
protections, but really, make 10 copies spread them around your 'network'.
It's not that bad, really.

> SSH is a distributed single point of failure, just like the old thick
> yellow Ethernet.  Remember how reliable and easy to debug that was?
> More seriously, the original virtue of SSH was that it could be deployed
> without centralized infrastructure.  That's great for many purposes; it's
> exactly what you don't want if you're an ISP managing a lot of servers and
> network elements.  You really do want a PKI, complete with CRLs.  I know

ssh+kerb works, well... so do kerberized r* services... I'm not sure I see
how they are that different from PKI. There may be some advantages to PKI,
but there are risks and operational concerns as well. I suppose people
should pick what works for them...

> that (most) SSH implementations don't do that -- complain to your vendor.
> (Note: the CAs are also single points of failure.  However, they can be
> kept offline or nearly so, booted from a FooLive CD that logs to a
> multi-session CD or via a write-only network port through a tight
> firewall, etc.  Yes, you have to worry about procedures, physical access,
> and people, but you *always* have to worry about those.

right, just like kerberos... I do admit I'm a fan of kerberos, run it at
home even. anyway :) there are obviously many ways to skin this cat.

More information about the NANOG mailing list