North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Best practices inquiry: tracking SSH host keys

  • From: David W. Hankins
  • Date: Thu Jun 29 12:30:21 2006

On Wed, Jun 28, 2006 at 06:07:33PM -0700, Allen Parker wrote:
> Why not, on a regular basis, use ssh-keyscan and diff or something
> similar, to scan your range of hosts that DO have ssh on them (maybe
> nmap subnet scans for port 22?) to retrieve the host keys, compare
> them to last time the scan was run, see if anything changed, cross
> reference that with work orders by ip or any other identifiable
> information present, and let the tools do the work for you. Cron is
> your friend. Using rsync, scp, nfs or something similar it wouldn't be
> very difficult to upkeep an automated way of updating such a list once
> per day across your entire organization.


That's a massive "why not just" paragraph.  I can only imagine how
long a paragraph you'd write for finding and removing ex-employee's
public keys from all your systems.

So, here's my "why not just":

	Why not just use Kerberos?

David W. Hankins		"If you don't do it right the first time,
Software Engineer			you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins

Attachment: pgp00022.pgp
Description: PGP signature