On 15/08/13 18:20, Simon Waters wrote:

> Curious how folk manage this.
>
> Most of the time life has been simple enough that I can manage it by the Simon knows
> if the server was just reinstalled because Simon just reinstalled it approach.
>
> It relies on fallible humans, and it doesn't scale, and frankly wasn't THAT
> secure, but then it didn't have to be.
>
> I know they can go in the DNS (although the DNS then ought to be cryptographically
> secured (probably not a problem - GoDaddy do it for a few dollars a month but not
> sure I'd want to use them for work stuff, but solutions exist here which are
> cheap and easy to do). No sniggering about .GOV at the back.
>
> But what is the preferred method for the more paranoid amongst you?
>
> My primary goal is to make a new key message, or a mismatching key message, rare
> enough that people will have time to stop and think when they see one, rather than
> just adding it, or removing a stale entry (you all know what I mean, even if you
> don't do it).
>
> It isn't a high priority - so solutions have to be lightweight and not demand much
> of the users of ssh (hence the DNS being interesting).
>
> Simon

SSHFP all the way: but you need to control the DNS servers as well (which had better be DNSSEC enabled, otherwise you're half-assing the job).

I have so many SSH keys to manage that the "Simon knows if the server was just reinstalled because Simon just reinstalled it" method, which also worked fine for me for a long time, stopped scaling way back. But I don't control the DNS at every place I work for, so this doesn't work everywhere.

Ultimately, you have to train your admins - and yourself - to not just blindly click/tap through those warnings: we've all done it.

And seriously, f**k GoDaddy. Never use them for anything, ever. There are no exceptions to this rule.

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
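To make the SSHFP approach discussed in this thread concrete, here is an added example (not from either poster) that computes the SSHFP record data for an OpenSSH host key the same way `ssh-keygen -r` does and checks a presented key against records fetched from DNS, which is what the client does with `VerifyHostKeyDNS yes`. The ed25519 key it hashes is constructed in code as a sample, not a real host key, and the DNS lookup itself is left out: the records are passed in as tuples, and the zone they come from must be DNSSEC-signed for the client to trust them.

```python
"""SSHFP record generation and host-key check (RFC 4255 / RFC 6594)."""
import base64
import hashlib
import struct

# Algorithm numbers from the IANA SSHFP registry.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
# Fingerprint types: 1 = SHA-1 (legacy), 2 = SHA-256.
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def sshfp_rdata(pubkey_line, fptype="sha256"):
    """Return (algorithm, fptype, fingerprint_hex) for one OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)  # the raw key blob is exactly what ssh hashes
    digest = hashlib.new(fptype, blob).hexdigest()
    return SSHFP_ALGORITHM[keytype], SSHFP_FPTYPE[fptype], digest


def format_sshfp(owner, rdata):
    """Render a zone-file line like `ssh-keygen -r` prints."""
    alg, fptype, hexdigest = rdata
    return f"{owner} IN SSHFP {alg} {fptype} {hexdigest}"


def verify_host_key(pubkey_line, dns_records):
    """True if the key the server presented matches a SHA-256 SSHFP record.

    dns_records is a list of (algorithm, fptype, hex) tuples as returned from a
    DNSSEC-validated lookup. SHA-1 records are ignored rather than trusted.
    """
    wanted = sshfp_rdata(pubkey_line, "sha256")
    return any((a, t, h.lower()) == wanted for a, t, h in dns_records if t == 2)


def constructed_ed25519_key(seed=0):
    """Build a syntactically valid ssh-ed25519 public key line (constructed sample, not a real key)."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    point = bytes((seed + i) % 256 for i in range(32))
    blob = ssh_string(b"ssh-ed25519") + ssh_string(point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@host.example"


if __name__ == "__main__":
    key = constructed_ed25519_key()
    print(format_sshfp("host.example.", sshfp_rdata(key)))
    print("matches DNS:", verify_host_key(key, [sshfp_rdata(key)]))
```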