Curtis Villamizar writes:
With ssh, the ssh key identity can't be revoked. Instead you need to find all .slogin files for all the accounts on all the machines and routers and make sure they aren't listed under an assigned name or a pseudoname they chose and didn't tell you about (an impossible task), plus ensure that any machine (like their home machine) that they have access to doesn't appear in any .shosts files.
A script can do that without much effort.
Given 1,000 machines (for example), which sounds harder to do?
If you have 1,000 machines, neither is particularly more difficult than the other. With 1,000 machines, you need a database-driven management system anyway. If you are trying to manually maintain accounts on 1,000 hosts, you've done something terribly wrong. Personally, I prefer SSH for a bunch of reasons, but I'll admit that at this scale, K5 with 3DES would do as good a job. 1DES K4 is *not* sufficiently secure, though, IMHO.

Perry
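A sketch of the kind of audit script the thread refers to, added here as an example and not taken from either poster. It assumes home directories sit under one root and that the per-account trust files are `.shosts` and `.ssh/authorized_keys`; the function names and sample data are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Per-account trust files to audit (assumed set; match it to the site's sshd setup).
TRUST_FILES = (".shosts", ".ssh/authorized_keys")

def find_trust_entries(homes_root, revoked_hosts=(), revoked_key_blobs=()):
    """Return (account, file, line_no, line) for entries naming a revoked host or key."""
    hosts = {h.lower() for h in revoked_hosts}
    hits = []
    for home in sorted(Path(homes_root).iterdir()):
        for rel in TRUST_FILES:
            path = home / rel
            if not path.is_file():
                continue
            for line_no, raw in enumerate(path.read_text(errors="replace").splitlines(), 1):
                fields = raw.split()
                if not fields or fields[0].startswith("#"):
                    continue
                if rel.endswith("authorized_keys"):
                    # Match the key material, not the comment, so a relabelled key is found.
                    matched = any(f in revoked_key_blobs for f in fields)
                else:
                    # .shosts: the first field is the trusted host name.
                    matched = fields[0].lower() in hosts
                if matched:
                    hits.append((home.name, rel, line_no, raw.strip()))
    return hits

def build_sample_tree(root):
    """Constructed sample data: one revoked key under a new label, one revoked host."""
    files = {
        "alice/.ssh/authorized_keys": "ssh-rsa AAAAB3SAMPLEGOOD alice@desk\n",
        "bob/.ssh/authorized_keys": "# old\nssh-rsa AAAAB3SAMPLEREVOKED harmless-label\n",
        "carol/.shosts": "Home-PC.example.net carol\nbuild1.example.net carol\n",
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for hit in find_trust_entries(root, ["home-pc.example.net"], ["AAAAB3SAMPLEREVOKED"]):
            print(*hit, sep="\t")
```

Matching on the key blob rather than the trailing comment is what catches a key installed under a name nobody reported; it does not find keys the departing user generated and installed that were never recorded.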