North American Network Operators Group
Re: Best practices inquiry: tracking SSH host keys
On Thu, 6 Jul 2006, Steven M. Bellovin wrote:

> On Thu, 29 Jun 2006 19:43:48 +0000 (GMT), "Christopher L. Morrow"
> <[email protected]> wrote:
>
> > On Thu, 29 Jun 2006, David W. Hankins wrote:
> >
> > > So, here's my "why not just":
> > >
> > > Why not just use Kerberos?
> >
> > apparently kerberos scares people... I'm not sure I 'get' that, but :( A
> > corp security group once for a long time 'didnt believe in kerberos',
> > some people 'get it' some don't :(
>
> Kerberos is a single point of failure; that scares people. You *know* you
> have to keep the Kerberos server locked down tight, highly available (very
> tricky for some ISP scenarios!), etc.

remote datacenters, firewall/ipf/ipfw/iptables/blah, disable local console,
only absolutely necessary user accounts... there are other protections, but
really, make 10 copies spread them around your 'network'. It's not that bad,
really.

> SSH is a distributed single point of failure, just like the old thick
> yellow Ethernet. Remember how reliable and easy to debug that was?
>
> More seriously, the original virtue of SSH was that it could be deployed
> without centralized infrastructure. That's great for many purposes; it's
> exactly what you don't want if you're an ISP managing a lot of servers and
> network elements. You really do want a PKI, complete with CRLs.

I know ssh+kerb works, well... so do kerberized r* services... I'm not sure I
see how they are that different from PKI. There may be some advantages to
PKI, but there are risks and operational concerns as well. I suppose people
should pick what works for them...

> that (most) SSH implementations don't do that -- complain to your vendor.
> (Note: the CAs are also single points of failure. However, they can be
> kept offline or nearly so, booted from a FooLive CD that logs to a
> multi-session CD or via a write-only network port through a tight
> firewall, etc. Yes, you have to worry about procedures, physical access,
> and people, but you *always* have to worry about those.
>

right, just like kerberos... I do admit I'm a fan of kerberos, run it at
home even.

anyway :) there are obviously many ways to skin this cat.
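The thread's subject is tracking SSH host keys across many network elements, and the exchange above contrasts a per-client known_hosts model with a central PKI that can revoke keys. The following is an added illustration, not code from any poster: a small checker over a constructed known_hosts inventory that computes OpenSSH-style SHA256 fingerprints, resolves both plain and hashed (`|1|salt|hmac`) hostname fields, honours `@revoked` entries, and reports whether a presented host key matches the inventory, differs from it (the changed-key case a central tracker exists to catch), is revoked, or is simply unknown. All hostnames, addresses and key bytes are constructed sample data; the only real formats assumed are the OpenSSH known_hosts line layout, the ssh-ed25519 wire encoding and the SHA256 fingerprint encoding.

```python
import base64
import fnmatch
import hashlib
import hmac
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(raw32: bytes) -> bytes:
    """Public-key blob as it appears base64-encoded in known_hosts for ssh-ed25519."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_hostname(hostname: str, salt: bytes) -> str:
    """Build a HashKnownHosts-style field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field: str, hostname: str) -> bool:
    """Match a known_hosts host field (hashed, or comma-separated glob patterns)."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    # Negated patterns ('!host') are deliberately not handled in this illustration.
    return any(fnmatch.fnmatchcase(hostname, p) for p in host_field.split(","))


def parse_known_hosts(text: str):
    """Yield (marker, host_field, key_type, key_blob) for each non-comment line."""
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):           # @revoked / @cert-authority markers
            marker, hosts, ktype, key_b64 = fields[0], fields[1], fields[2], fields[3]
        else:
            marker, hosts, ktype, key_b64 = None, fields[0], fields[1], fields[2]
        yield marker, hosts, ktype, base64.b64decode(key_b64)


def check_host_key(known_hosts_text: str, hostname: str, key_type: str, blob: bytes) -> str:
    """Return 'match', 'mismatch', 'revoked' or 'unknown' for the presented host key."""
    seen_host = False
    for marker, hosts, ktype, kblob in parse_known_hosts(known_hosts_text):
        if not host_matches(hosts, hostname):
            continue
        if marker == "@revoked" and kblob == blob:
            return "revoked"                    # explicitly withdrawn key, refuse outright
        if marker is not None or ktype != key_type:
            continue                            # CA lines and other key types are not plain entries
        seen_host = True
        if kblob == blob:
            return "match"
    # A recorded host presenting a different key is the case worth alerting on.
    return "mismatch" if seen_host else "unknown"


# Constructed sample inventory; none of these hosts, addresses or keys are real.
ROUTER_KEY = ed25519_blob(bytes(range(32)))
SWITCH_KEY = ed25519_blob(bytes(range(32, 64)))
OLD_KEY = ed25519_blob(b"\x42" * 32)
SALT = b"\x01" * 20
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample inventory, not real hosts or keys",
    "router1.example.net,192.0.2.1 ssh-ed25519 " + base64.b64encode(ROUTER_KEY).decode(),
    hashed_hostname("switch7.example.net", SALT) + " ssh-ed25519 "
    + base64.b64encode(SWITCH_KEY).decode(),
    "@revoked * ssh-ed25519 " + base64.b64encode(OLD_KEY).decode(),
])

if __name__ == "__main__":
    for host, key in [("router1.example.net", ROUTER_KEY), ("router1.example.net", SWITCH_KEY),
                      ("switch7.example.net", SWITCH_KEY), ("router1.example.net", OLD_KEY),
                      ("nothere.example.net", SWITCH_KEY)]:
        print(host, fingerprint(key), check_host_key(SAMPLE_KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The `@revoked` line stands in for the CRL function the thread asks for: with plain known_hosts files every client copy has to receive that line, which is exactly the distribution problem a central authority removes.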