On Thu, Jun 29, 2006 at 09:28:49AM -0700, David W. Hankins wrote:
On Wed, Jun 28, 2006 at 06:07:33PM -0700, Allen Parker wrote:
Why not, on a regular basis, use ssh-keyscan and diff or something similar, to scan your range of hosts that DO have ssh on them (maybe nmap subnet scans for port 22?) to retrieve the host keys, compare them to last time the scan was run, see if anything changed, cross reference that with work orders by ip or any other identifiable information present, and let the tools do the work for you. Cron is your friend. Using rsync, scp, nfs or something similar it wouldn't be very difficult to upkeep an automated way of updating such a list once per day across your entire organization.
_wow_.
That's a massive "why not just" paragraph. I can only imagine how long a paragraph you'd write for finding and removing ex-employee's public keys from all your systems.
So, here's my "why not just":
Why not just use Kerberos?
I think that one possible answer to this question is that Kerberos is not well supported (if at all) on most commercial routers and switches. It would be nice to change that somehow. Of the routers that we use (cisco, Juniper, foundry, extreme) only cisco supports Kerberos (specifically Kerberized telnet), and only in some of their IOS images on some platforms. At least that was the case last time I checked. I'd love to be corrected .. The cisco implementation also had some deployment issues for us (poor integration with authz mechanisms among other things). And during a competitive eval a few years back, one router vendor even delivered to us a signed letter from the CEO promising that they'd implement Kerberized telnet in a few months. They still haven't delivered. That's the last time we fall for that trick :-) I don't know of any vendors that have Kerberized ssh on their roadmaps. SSH2 with gssapi key exchange, RFC 4462 would be ideal, which we do run on a variety of UNIX servers here. As for verifying host keys with SSH, there is one project that provides x.509 certificate authority integration for openssh: http://www.roumenpetrov.info/openssh/ It can even check an OCSP server for revocation status! But presumably you'll have to get this functionality implemented on your router's ssh server .. --- Shumon Huque 3401 Walnut Street, Suite 221A, Network Engineering Philadelphia, PA 19104-6228, USA. Information Systems & Computing (215)898-2477, (215)898-9348 (Fax) University of Pennsylvania / MAGPI. E-mail: shuque -at- isc.upenn.edu