nanog mailing list archives
Re: Best practices inquiry: tracking SSH host keys
From: Shumon Huque <shuque () isc upenn edu>
Date: Sun, 9 Jul 2006 14:39:50 -0400
On Fri, Jul 07, 2006 at 10:18:35AM -0400, David Nolan wrote:
> --On Thursday, July 06, 2006 18:22:48 -0700 Jeremy Chadwick <nanog () jdc parodius com> wrote:
>
> > Speaking purely from a system administration point of view, Kerberos is also a nightmare. Not only does the single-point-of-failure induce red flags in most SAs I know (myself included),
>
> If a deployed Kerberos environment has a single point of failure then it's been deployed poorly. Kerberos has replication mechanisms to provide redundancy. The only thing you can't replicate in K5 is the actual master, meaning that if the master is down you can't change passwords, create users, etc. While that's a single point of failure it's not typically a real-time critical one.

Furthermore, it isn't impossible to design a multi-master Kerberos service. I can think of a number of designs, but it would have to be done carefully. I've heard people talking about this in the past, but I haven't yet seen any implementations.

--Shumon.