North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Best practices inquiry: tracking SSH host keys
- From: David W. Hankins
- Date: Thu Jun 29 12:30:21 2006
On Wed, Jun 28, 2006 at 06:07:33PM -0700, Allen Parker wrote:
> Why not, on a regular basis, use ssh-keyscan and diff or something
> similar, to scan your range of hosts that DO have ssh on them (maybe
> nmap subnet scans for port 22?) to retrieve the host keys, compare
> them to last time the scan was run, see if anything changed, cross
> reference that with work orders by ip or any other identifiable
> information present, and let the tools do the work for you. Cron is
> your friend. Using rsync, scp, nfs or something similar it wouldn't be
> very difficult to upkeep an automated way of updating such a list once
> per day across your entire organization.
That's a massive "why not just" paragraph. I can only imagine how
long a paragraph you'd write for finding and removing ex-employee's
public keys from all your systems.
So, here's my "why not just":
Why not just use Kerberos?
David W. Hankins "If you don't do it right the first time,
Software Engineer you'll just have to do it again."
Internet Systems Consortium, Inc. -- Jack T. Hankins
Description: PGP signature