North American Network Operators Group

Re: secure router access
Curtis Villamizar writes:
> With ssh, the ssh key identity can't be revoked. Instead you need to
> find all .slogin files for all the accounts on all the machines and
> routers and make sure they aren't listed under an assigned name or a
> pseudoname they chose and didn't tell you about (an impossible task),
> plus insure that any machine (like their home machine) that they have
> access to doesn't appear in any .shosts files.

A script can do that without much effort.

> Given 1,000 machines (for example) which sounds harder to do?

If you have 1,000 machines, neither is particularly more difficult than the other. With 1,000 machines, you need a database driven management system anyway. If you are trying to manually maintain accounts on 1,000 hosts, you've done something terribly wrong.

Personally, I prefer SSH for a bunch of reasons, but I'll admit that at this scale, K5 with 3DES would do as good a job. 1DES K4 is *not* sufficiently secure, though, IMHO.

Perry
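An added example, not part of the original message or either poster's code: a sketch of the kind of audit script the thread discusses, matching on the key material rather than the entry's name. It assumes OpenSSH-style per-user files (.ssh/authorized_keys, .shosts, .rhosts); the function names, key strings and hostnames are hypothetical, constructed samples.

```python
import os
import tempfile

KEY_FILES = (".ssh/authorized_keys", ".ssh/authorized_keys2")  # assumed layout
HOST_FILES = (".shosts", ".rhosts")

def scan_file(path, revoked_blobs, revoked_hosts, is_key_file):
    """Yield (path, line_number, reason) for each line that grants revoked access."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split()
            if is_key_file:
                # Compare the key blob itself: the trailing comment is free text
                # the user controls, so an entry under another name still matches.
                if any(f in revoked_blobs for f in fields):
                    yield (path, lineno, "revoked key")
            elif fields[0].lstrip("+").lower() in revoked_hosts:
                yield (path, lineno, "revoked host")

def audit_homes(home_root, revoked_blobs, revoked_hosts):
    """Scan every account directory under home_root and collect findings."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        for rel in KEY_FILES + HOST_FILES:
            path = os.path.join(home_root, user, rel)
            if os.path.isfile(path):
                findings.extend(
                    scan_file(path, revoked_blobs, revoked_hosts, rel in KEY_FILES))
    return findings

def demo():
    """Audit a constructed home tree; keys and hosts below are made-up samples."""
    revoked = "AAAAB3NzaC1yc2EAAAADAQABDEPARTEDUSERKEY"  # constructed, not a real key
    current = "AAAAB3NzaC1yc2EAAAADAQABCURRENTSTAFFKEY"  # constructed, not a real key
    root = tempfile.mkdtemp()
    files = {
        "alice/.ssh/authorized_keys": f"ssh-rsa {current} alice@noc\n",
        "ops/.ssh/authorized_keys": f"# shared account\nssh-rsa {current} bob@noc\n"
                                    f'from="*.example.net" ssh-rsa {revoked} backup-job\n',
        "ops/.shosts": "noc1.example.net ops\nHome-PC.example.org ops\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    hits = audit_homes(root, {revoked}, {"home-pc.example.org"})
    return [(os.path.relpath(p, root), n, why) for p, n, why in hits]
```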