Best practices inquiry: tracking SSH host keys

David W. Hankins David_Hankins at isc.org
Thu Jun 29 16:28:49 UTC 2006


On Wed, Jun 28, 2006 at 06:07:33PM -0700, Allen Parker wrote:
> Why not, on a regular basis, use ssh-keyscan and diff or something
> similar, to scan your range of hosts that DO have ssh on them (maybe
> nmap subnet scans for port 22?) to retrieve the host keys, compare
> them to last time the scan was run, see if anything changed, cross
> reference that with work orders by ip or any other identifiable
> information present, and let the tools do the work for you. Cron is
> your friend. Using rsync, scp, nfs or something similar it wouldn't be
> very difficult to upkeep an automated way of updating such a list once
> per day across your entire organization.

_wow_.

That's a massive "why not just" paragraph.  I can only imagine how
long a paragraph you'd write for finding and removing ex-employees'
public keys from all your systems.


So, here's my "why not just":

	Why not just use Kerberos?

-- 
David W. Hankins		"If you don't do it right the first time,
Software Engineer			you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
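The ssh-keyscan-plus-diff workflow quoted above, written out as an added example that is not part of the thread: the host-list file, the state directory and the hostnames are constructed for illustration, and the comparison step runs offline on two saved snapshots.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot SSH host keys with
# ssh-keyscan and report every host whose key changed, appeared or vanished
# since the previous run.  Paths and hostnames are constructed.
set -e

# scan_hosts HOSTFILE OUTFILE: ssh-keyscan reads one host per line from
# HOSTFILE and prints "host keytype base64key" lines; scan progress goes
# to stderr, so stdout is a clean snapshot.  Sorted so runs are diff-able.
scan_hosts() {
    ssh-keyscan -t rsa,ecdsa,ed25519 -f "$1" 2>/dev/null | LC_ALL=C sort > "$2"
}

# compare_snapshots OLD NEW: OLD and NEW must be distinct paths.  Prints
# "CHANGED host keytype" (the line to reconcile against work orders),
# "NEW host keytype" or "REMOVED host keytype", sorted.
compare_snapshots() {
    awk 'FILENAME == ARGV[1] { old[$1 " " $2] = $3; next }
         {
             k = $1 " " $2
             if (!(k in old))       print "NEW", k
             else if (old[k] != $3) print "CHANGED", k
             seen[k] = 1
         }
         END { for (k in old) if (!(k in seen)) print "REMOVED", k }' \
        "$1" "$2" | LC_ALL=C sort
}

# check_hosts HOSTFILE STATEDIR: scan, compare with the previous snapshot
# kept in STATEDIR, print differences, then rotate.  Intended for cron.
check_hosts() {
    prev="$2/hostkeys.prev"
    cur="$2/hostkeys.cur"
    mkdir -p "$2"
    [ -f "$prev" ] || : > "$prev"   # first run: everything reports as NEW
    scan_hosts "$1" "$cur"
    compare_snapshots "$prev" "$cur"
    mv "$cur" "$prev"
}

# e.g. from cron (constructed paths):
#   sh hostkey-check.sh /etc/hostkey-check/hosts /var/lib/hostkey-check
if [ "$#" -ge 2 ]; then
    check_hosts "$1" "$2"
fi
```

A CHANGED line after a planned reinstall is expected; one without a matching work order is the case worth chasing, since a silently replaced host key is exactly what a man-in-the-middle on that host would look like to ssh.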