North American Network Operators Group
Re: Best practices inquiry: tracking SSH host keys
On Wed, Jun 28, 2006 at 06:07:33PM -0700, Allen Parker wrote:
> Why not, on a regular basis, use ssh-keyscan and diff or something
> similar, to scan your range of hosts that DO have ssh on them (maybe
> nmap subnet scans for port 22?) to retrieve the host keys, compare
> them to last time the scan was run, see if anything changed, cross
> reference that with work orders by ip or any other identifiable
> information present, and let the tools do the work for you. Cron is
> your friend. Using rsync, scp, nfs or something similar it wouldn't be
> very difficult to upkeep an automated way of updating such a list once
> per day across your entire organization.

_wow_. That's a massive "why not just" paragraph.

I can only imagine how long a paragraph you'd write for finding and
removing ex-employee's public keys from all your systems.

So, here's my "why not just":

Why not just use Kerberos?

-- 
David W. Hankins                  "If you don't do it right the first time,
Software Engineer                     you'll just have to do it again."
Internet Systems Consortium, Inc.                      -- Jack T. Hankins

Attachment: pgp00022.pgp
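The quoted proposal (scan with ssh-keyscan from cron, diff against the last run, then reconcile changes against work orders) is sketched out below as an added example; it is not code from this thread or from either poster. It assumes a hosts file with one hostname or address per line, a state directory that survives between runs, and ssh-keyscan on the scanning box; the hosts file, state directory path and key types are all assumptions. The comparison is done per host and key type rather than with a plain diff, so a reinstalled host shows up as CHANGED instead of as one removed line plus one added line. Note that ssh-keyscan is unauthenticated: this detects that a key changed, it cannot tell you which of the two keys is the legitimate one, so the first baseline and every CHANGED line still have to be checked against the work order or the console.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed paths (override via env):
HOSTS_FILE="${HOSTS_FILE:-/etc/hostkey-audit/hosts.txt}"   # one host per line (assumption)
STATE_DIR="${STATE_DIR:-/var/lib/hostkey-audit}"           # snapshots live here (assumption)

# Scan every host in $HOSTS_FILE and write a sorted snapshot of
# "host keytype key" lines to the file named in $1.
scan_hosts() {
    out="$1"
    # -f: read hosts from a file, -T: per-host timeout, -t: key types to ask for.
    # ssh-keyscan prints "# host:22 SSH-2.0-..." banner lines on stderr/with -v,
    # the grep drops any comment line that does make it through.
    ssh-keyscan -f "$HOSTS_FILE" -T 5 -t rsa,ecdsa,ed25519 2>/dev/null \
        | grep -v '^#' | sort > "$out"
}

# Compare two snapshot files ($1 = previous run, $2 = this run).
# Prints one sorted line per difference:
#   NEW host keytype      first time this host/key type answered
#   REMOVED host keytype  host/key type that no longer answers
#   CHANGED host keytype  same host and type, different key: reconcile it
# Returns 0 when nothing changed, 1 otherwise.
compare_snapshots() {
    old="$1"; new="$2"
    # Tag each line with its origin before feeding both to awk, so empty
    # snapshots and "same file twice" behave correctly (NR==FNR would not).
    diffs=$(
        { sed 's/^/O /' "$old"; sed 's/^/N /' "$new"; } | awk '
            NF != 4 { next }                        # skip blank or malformed lines
            $1 == "O" { old[$2 " " $3] = $4; next } # index previous keys by host+type
            {
                k = $2 " " $3
                if (!(k in old))         print "NEW " k
                else if (old[k] != $4)   print "CHANGED " k
                seen[k] = 1
            }
            END { for (k in old) if (!(k in seen)) print "REMOVED " k }
        ' | sort
    )
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# One scheduled run: scan, report against the accepted snapshot, rotate.
# The previous snapshot is kept so a CHANGED line can be inspected later.
run_audit() {
    mkdir -p "$STATE_DIR"
    scan_hosts "$STATE_DIR/latest"
    [ -f "$STATE_DIR/current" ] || : > "$STATE_DIR/current"   # first run: everything is NEW
    if compare_snapshots "$STATE_DIR/current" "$STATE_DIR/latest"; then
        echo "no host key changes"
    fi
    mv -f "$STATE_DIR/current" "$STATE_DIR/previous"
    mv -f "$STATE_DIR/latest" "$STATE_DIR/current"
}

# Only scan when invoked as "hostkey-audit.sh run" (e.g. from cron), so the
# functions above can be sourced and exercised without touching the network.
case "${1:-}" in
    run) run_audit ;;
esac
```

A cron line such as `0 3 * * * /usr/local/sbin/hostkey-audit.sh run` (assumed path) gives the once-a-day run the quoted message describes; the non-zero exit status from compare_snapshots is what you hook a ticket or alert onto, with CHANGED treated as the line that needs a human and a work order before the new snapshot is trusted.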