On Wed, Jun 28, 2006 at 06:07:33PM -0700, Allen Parker wrote:
Why not, on a regular basis, use ssh-keyscan and diff or something similar, to scan your range of hosts that DO have ssh on them (maybe nmap subnet scans for port 22?) to retrieve the host keys, compare them to last time the scan was run, see if anything changed, cross reference that with work orders by ip or any other identifiable information present, and let the tools do the work for you. Cron is your friend. Using rsync, scp, nfs or something similar it wouldn't be very difficult to upkeep an automated way of updating such a list once per day across your entire organization.
_wow_. That's a massive "why not just" paragraph. I can only imagine how long a paragraph you'd write for finding and removing ex-employee's public keys from all your systems. So, here's my "why not just": Why not just use Kerberos? -- David W. Hankins "If you don't do it right the first time, Software Engineer you'll just have to do it again." Internet Systems Consortium, Inc. -- Jack T. Hankins