Re: SSL/SSH certifiactes

[Andy Fleming <afleming () KANREN NET>]

With regard to SSH keys, there is a method to put the public key in DNS
and then have your SSH Client check DNS.  See
http://www.ietf.org/rfc/rfc4255.txt  This of course assumes you somewhat
trust DNS, which you can't totally do w/o DNSSEC.  I have these records
for a few of my servers and then use "VerifyHostKeyDNS ask" in the
system wide OpenSSH Client settings on my Linux systems.

Andy

--
Andy Fleming - RHCE
Systems Administrator
Kansas Research and Education Network
afleming () kanren net
Office: 785-856-9800 x 201

KanREN
 - Advanced Network Solutions for the Research and Education Community


On 7/22/64 1:59 PM, John Ladwig wrote:
> <pre wrap>
>
> If it's SSH you're concerned about, and staff use a management Serer
> to initiate the SSH confections, you could exert a degree of control
> by disabling all users' host key stores, and manage an accurate host
> key store at the OS-wide level.  At least on UNIX-like systems w/ OpenSSH.
>
> I dunno how many auditors that'd fly with, but the better ones should
> accept it, I'd think.
>
>    -jml
>
> </pre><blockquote type=cite><blockquote type=cite><blockquote
> type=cite><pre wrap>
> Greg Washburn &lt;gwashburn () MBC EDU&gt; 2010-05-13 11:50 &gt;&gt;&gt;
> </pre></blockquote></blockquote></blockquote><pre wrap>
> We tend to use self signed certs on the IOS devices you list below.  Along
> with proper access lists and authorization restrictions we believe it
> provides more than adequate protection.  Typically, only the IT staff
> connect to these devices and they would ignore the security prompts
> from an
> SSH or SSL management session.
>
> On our servers and publically accessible network devices (think vpn)
> we tend
> to utilize wildcard certs which saves a great deal of $$$s.  Some of our
> devices do require that we do not use wildcard certs (NAC and older IBM
> servers come to mind).  In other words should you go with a wildcard cert
> keep in mind that not all devices will support them.
>
>
>
>
>
> Greg Washburn
>
> CISSP, CCNA, MCSE
>
> Sr. Network/System Admin
>
> 540.887.7352
>
> 540.280.6087
>
> Mary Baldwin College
>
> www.mbc.edu
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Entwistle, Bruce
> *Sent:* Thursday, May 13, 2010 12:02 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] SSL/SSH certifiactes
>
>
>
> We are currently reviewing our network security.  One of the tools we are
> using in this process is reporting a vulnerability as a result of
> using self
> signed certificates on our Cisco IOS devices (switches, routers, access
> points) for ssh and ssl connections.  Rather than purchase 300
> certificates
> to address this issue I thought I would ask what others are doing in this
> area.
>
>
>
> Thank you
>
> Bruce Entwistle
>
> Network Manager
>
> University of Redlands