Educause Security Discussion mailing list archives
Re: SSL/SSH certificates
From: Andy Fleming <afleming () KANREN NET>
Date: Fri, 14 May 2010 09:41:36 -0500
With regard to SSH keys, there is a method to put the public key in DNS and then have your SSH client check DNS. See http://www.ietf.org/rfc/rfc4255.txt

This of course assumes you somewhat trust DNS, which you can't totally do w/o DNSSEC. I have these records for a few of my servers and then use "VerifyHostKeyDNS ask" in the system-wide OpenSSH client settings on my Linux systems.

Andy

--
Andy Fleming - RHCE
Systems Administrator
Kansas Research and Education Network
afleming () kanren net
Office: 785-856-9800 x 201
KanREN - Advanced Network Solutions for the Research and Education Community

On 7/22/64 1:59 PM, John Ladwig wrote:
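The record format Andy refers to is SSHFP. The following is an added example, not code from Andy's message or from OpenSSH: it computes SSHFP records the way RFC 4255 (fingerprint type 1, SHA-1) and RFC 6594 (fingerprint type 2, SHA-256) define them, using the algorithm numbers from those RFCs plus 4 for Ed25519 (RFC 7479), and then performs the check a client with VerifyHostKeyDNS performs against the records it gets back. The host key in the block is constructed filler bytes in OpenSSH wire format, not a real key, and the hostname router1.example.edu is made up.

```python
"""SSHFP record generation and host-key verification (RFC 4255 / RFC 6594).

Added example; the key material below is constructed, not a real host key.
"""
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers: 1 RSA, 2 DSA (RFC 4255), 3 ECDSA (RFC 6594), 4 Ed25519 (RFC 7479)
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_openssh_pubkey(line):
    """Split an OpenSSH 'type base64-blob [comment]' line into (type, raw blob).

    The blob is the SSH wire-format public key; its first field is the key type
    string, which must agree with the textual prefix or the line is rejected.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed OpenSSH public key line")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key type prefix does not match wire-format blob")
    return key_type, blob


def sshfp_fingerprint(blob, fp_type):
    """Hex fingerprint: the SSHFP hash is taken over the whole wire-format key blob."""
    return SSHFP_HASH[fp_type](blob).hexdigest()


def sshfp_records(hostname, pubkey_line, fp_types=(1, 2)):
    """Zone-file lines for one host key, one per fingerprint type."""
    key_type, blob = parse_openssh_pubkey(pubkey_line)
    alg = SSHFP_ALGORITHM[key_type]
    return [f"{hostname} IN SSHFP {alg} {t} {sshfp_fingerprint(blob, t)}" for t in fp_types]


def parse_sshfp_rdata(rdata):
    """'4 2 <hex>' -> (algorithm, fingerprint type, lowercase hex)."""
    alg, fp_type, fp = rdata.split()
    return int(alg), int(fp_type), fp.lower()


def verify_host_key(pubkey_line, sshfp_rdatas):
    """Client-side check of a presented host key against SSHFP RDATA strings.

    Returns "match" if a record with the same algorithm and a supported fingerprint
    type hashes equal, "mismatch" if such records exist but none match (the
    case a MITM produces), and "no-record" if DNS carried nothing usable.
    """
    key_type, blob = parse_openssh_pubkey(pubkey_line)
    alg = SSHFP_ALGORITHM[key_type]
    found_comparable = False
    for rdata in sshfp_rdatas:
        r_alg, r_type, r_fp = parse_sshfp_rdata(rdata)
        if r_alg != alg or r_type not in SSHFP_HASH:
            continue  # different key algorithm or unknown hash: not comparable
        found_comparable = True
        if hmac.compare_digest(sshfp_fingerprint(blob, r_type), r_fp):
            return "match"
    return "mismatch" if found_comparable else "no-record"


def constructed_pubkey_line(key_type="ssh-ed25519", raw=bytes(range(32))):
    """Build a syntactically valid OpenSSH public key line from filler bytes.

    Wire format is string(key_type) || string(raw). The 32 bytes are constructed
    sample data, NOT a real Ed25519 public key; it only exercises the hashing.
    """
    blob = (struct.pack(">I", len(key_type)) + key_type.encode("ascii")
            + struct.pack(">I", len(raw)) + raw)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} constructed-example"


if __name__ == "__main__":
    # Zone-file records for a made-up device, then the check a connecting client does.
    sample = constructed_pubkey_line()
    for rec in sshfp_records("router1.example.edu", sample):
        print(rec)
    rdatas = [r.split(" IN SSHFP ")[1] for r in sshfp_records("router1.example.edu", sample)]
    print(verify_host_key(sample, rdatas))
    print(verify_host_key(constructed_pubkey_line(raw=bytes(32)), rdatas))
```

In practice the records for a real host come straight from OpenSSH with `ssh-keygen -r hostname -f /etc/ssh/ssh_host_ed25519_key.pub`, and the client side is the ssh_config `VerifyHostKeyDNS` option (yes/no/ask) Andy mentions. The DNSSEC caveat he raises matters for the "yes" setting in particular: OpenSSH only treats a matching record as authoritative when the resolver reports the answer as validated, so without DNSSEC a "yes" still falls back to prompting, and the "mismatch" result above is the one worth alerting on, since an unauthenticated DNS answer can be forged just as easily as the host key itself.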
If it's SSH you're concerned about, and staff use a management server to initiate the SSH connections, you could exert a degree of control by disabling all users' host key stores, and manage an accurate host key store at the OS-wide level. At least on UNIX-like systems w/ OpenSSH.

I dunno how many auditors that'd fly with, but the better ones should accept it, I'd think.

-jml

>>> Greg Washburn <gwashburn () MBC EDU> 2010-05-13 11:50 >>>

We tend to use self-signed certs on the IOS devices you list below. Along with proper access lists and authorization restrictions we believe it provides more than adequate protection. Typically, only the IT staff connect to these devices and they would ignore the security prompts from an SSH or SSL management session.

On our servers and publicly accessible network devices (think VPN) we tend to utilize wildcard certs which saves a great deal of $$$s. Some of our devices do require that we do not use wildcard certs (NAC and older IBM servers come to mind). In other words, should you go with a wildcard cert, keep in mind that not all devices will support them.

Greg Washburn CISSP, CCNA, MCSE
Sr. Network/System Admin
540.887.7352
540.280.6087
Mary Baldwin College
www.mbc.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto: SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Entwistle, Bruce
Sent: Thursday, May 13, 2010 12:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SSL/SSH certificates

We are currently reviewing our network security. One of the tools we are using in this process is reporting a vulnerability as a result of using self-signed certificates on our Cisco IOS devices (switches, routers, access points) for SSH and SSL connections. Rather than purchase 300 certificates to address this issue, I thought I would ask what others are doing in this area.

Thank you
Bruce Entwistle
Network Manager
University of Redlands
Current thread:
- SSL/SSH certificates Entwistle, Bruce (May 13)
- <Possible follow-ups>
- Re: SSL/SSH certificates Daniel Bennett (May 13)
- Re: SSL/SSH certificates Matthew Gracie (May 13)
- Re: SSL/SSH certificates Dexter Caldwell (May 13)
- Re: SSL/SSH certificates Greg Washburn (May 13)
- Re: SSL/SSH certificates John Ladwig (May 13)
- Re: SSL/SSH certificates Sam Hooker (May 13)
- Re: SSL/SSH certificates Andy Fleming (May 14)