Re: Best practices inquiry: tracking SSH host keys

[Shumon Huque <shuque () isc upenn edu>]

On Thu, Jun 29, 2006 at 09:28:49AM -0700, David W. Hankins wrote:
> On Wed, Jun 28, 2006 at 06:07:33PM -0700, Allen Parker wrote:
> > Why not, on a regular basis, use ssh-keyscan and diff or something
> > similar, to scan your range of hosts that DO have ssh on them (maybe
> > nmap subnet scans for port 22?) to retrieve the host keys, compare
> > them to last time the scan was run, see if anything changed, cross
> > reference that with work orders by ip or any other identifiable
> > information present, and let the tools do the work for you. Cron is
> > your friend. Using rsync, scp, nfs or something similar it wouldn't be
> > very difficult to upkeep an automated way of updating such a list once
> > per day across your entire organization.
>
> _wow_.
>
> That's a massive "why not just" paragraph.  I can only imagine how
> long a paragraph you'd write for finding and removing ex-employee's
> public keys from all your systems.
>
>
> So, here's my "why not just":
>
>       Why not just use Kerberos?

I think that one possible answer to this question is that Kerberos
is not well supported (if at all) on most commercial routers and 
switches. It would be nice to change that somehow.

Of the routers that we use (cisco, Juniper, foundry, extreme) only
cisco supports Kerberos (specifically Kerberized telnet), and only 
in some of their IOS images on some platforms. At least that was the
case last time I checked. I'd love to be corrected ..

The cisco implementation also had some deployment issues for us (poor 
integration with authz mechanisms among other things). And during a 
competitive eval a few years back, one router vendor even delivered 
to us a signed letter from the CEO promising that they'd implement 
Kerberized telnet in a few months. They still haven't delivered. That's 
the last time we fall for that trick :-)

I don't know of any vendors that have Kerberized ssh on their
roadmaps. SSH2 with gssapi key exchange, RFC 4462 would be ideal, 
which we do run on a variety of UNIX servers here.

As for verifying host keys with SSH, there is one project that
provides x.509 certificate authority integration for openssh:

        http://www.roumenpetrov.info/openssh/

It can even check an OCSP server for revocation status! But 
presumably you'll have to get this functionality implemented
on your router's ssh server ..

---
Shumon Huque                            3401 Walnut Street, Suite 221A,
Network Engineering                     Philadelphia, PA 19104-6228, USA.
Information Systems & Computing         (215)898-2477, (215)898-9348 (Fax)
University of Pennsylvania / MAGPI.     E-mail: shuque -at- isc.upenn.edu