Best practices inquiry: tracking SSH host keys

Christopher L. Morrow christopher.morrow at
Fri Jul 7 04:02:23 UTC 2006

On Thu, 6 Jul 2006, Jeremy Chadwick wrote:

> On Thu, Jul 06, 2006 at 04:52:52PM -0400, Steven M. Bellovin wrote:
> > On Thu, 29 Jun 2006 19:43:48 +0000 (GMT), "Christopher L. Morrow"
> > <christopher.morrow at> wrote:
> > > apparently kerberos scares people... I'm not sure I 'get' that, but :( A
> > > corp security group once for a long time 'didn't believe in kerberos',
> > > some people 'get it' some don't :(
> > >
> > Kerberos is a single point of failure; that scares people.  You *know* you
> > have to keep the Kerberos server locked down tight, highly available (very
> > tricky for some ISP scenarios!), etc.
> Speaking purely from a system administration point of view, Kerberos
> is also a nightmare.  Not only does the single-point-of-failure
> induce red flags in most SAs I know (myself included), but having
> to "kerberise" every authentication-oriented binary on the system
> that you have is also a total nightmare.  Kerberos 4 is also
> completely incompatible with 5.  Let's also not bring up the issue
> of globally-readable Kerberos tickets laying around /tmp on
> machines which use Kerberos, okay?  ;-)

these really are issues of 1994 (or before); most things people care about
are kerberized or could be substituted with things that are kerberized.

> Admittedly, the rebuttals to this are a) "most things use PAM which
> can use Kerberos transparently" and b) "most network utilities
> these days support Kerberos".  I run into things every day that
> don't support either Kerberos or PAM.

I've not run into them, but I've not been looking hard since most of what
I do uses it...

> The bottom line is that SSH is "easier", so more people will use
> it.  That may not be the best attitude, I'll admit, but that's
> reality.

ssh+kerb works, even out of the box without the nasty patch-foo you used
to have to live with. It even uses kerb tickets to make up host keys on
the fly (in v2), so you don't have to worry about someone stealing your
host key and finding a way into your tunnel that way anymore.

> At my current workplace, our SAs + developers wrote a distributed
> key system (client + daemon) that runs on all of our machines.  It

anyone do a security assessment of that? :( is it better/worse than the
alternatives? I honestly don't know, I'm just asking to make a point.
Folks have been beating on kerberos for a long time...

anyway :) cats with skin, there are many ways to remove said skin.
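The thread's subject is tracking SSH host keys without Kerberos doing it for you. The following is an added example, not code from the thread or from any of its participants: it parses OpenSSH `known_hosts` entries (plain and `|1|salt|hmac` hashed hostnames), computes the `SHA256:` fingerprint OpenSSH displays, and audits the file against an out-of-band inventory of expected fingerprints so a changed or untracked host key is flagged. The hostnames, keys, salt and inventory are constructed sample data; `build_sample_known_hosts` and `audit` are names chosen here, not OpenSSH functions.

```python
import base64
import hashlib
import hmac


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + data)."""
    return len(data).to_bytes(4, "big") + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Build the public-key blob that appears base64-encoded in known_hosts."""
    assert len(raw_pubkey) == 32, "ed25519 public keys are 32 bytes"
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Produce a HashKnownHosts-style field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain list or hashed) names this host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in field.split(",")


def parse_known_hosts(text: str):
    """Yield dicts for each key line; @cert-authority/@revoked markers are kept."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):
            marker, line = line.split(None, 1)
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than guess
        blob = base64.b64decode(parts[2])
        entries.append({"marker": marker, "hosts": parts[0], "type": parts[1],
                        "blob": blob, "fp": fingerprint(blob)})
    return entries


def audit(known_hosts_text: str, inventory: dict) -> dict:
    """Compare recorded keys against the inventory: 'ok', 'changed' or 'unknown' per host."""
    entries = parse_known_hosts(known_hosts_text)
    results = {}
    for host, expected_fp in inventory.items():
        recorded = [e["fp"] for e in entries
                    if e["marker"] is None and host_matches(e["hosts"], host)]
        if not recorded:
            results[host] = "unknown"      # host never recorded: nothing to verify against
        elif expected_fp in recorded:
            results[host] = "ok"
        else:
            results[host] = "changed"      # recorded key differs from the inventory: investigate
    return results


def build_sample_known_hosts():
    """Constructed sample known_hosts text and inventory (not real hosts or keys)."""
    key1 = ed25519_blob(bytes(range(32)))
    key2_old = ed25519_blob(hashlib.sha256(b"router2-old").digest())
    key2_new = ed25519_blob(hashlib.sha256(b"router2-new").digest())
    key3 = ed25519_blob(hashlib.sha256(b"router3").digest())
    salt = hashlib.sha256(b"example-salt").digest()[:20]
    lines = [
        "# constructed known_hosts sample",
        "router1.example.net,192.0.2.1 ssh-ed25519 " + base64.b64encode(key1).decode(),
        hash_hostname("router2.example.net", salt) + " ssh-ed25519 "
        + base64.b64encode(key2_old).decode(),
    ]
    inventory = {
        "router1.example.net": fingerprint(key1),   # matches what is recorded
        "router2.example.net": fingerprint(key2_new),  # inventory says key was rotated
        "router3.example.net": fingerprint(key3),   # never recorded in known_hosts
    }
    return "\n".join(lines) + "\n", inventory


if __name__ == "__main__":
    text, inv = build_sample_known_hosts()
    for host, state in audit(text, inv).items():
        print(host, state)
```

Run against a real `~/.ssh/known_hosts` and an inventory exported from whatever source of truth you keep (a CMDB, a signed file in revision control), `changed` means the client has accepted a key the inventory does not know, which is exactly the event a host-key tracking process exists to surface.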

More information about the NANOG mailing list