[c-nsp] SSH Authorized Keys?
Gert Doering
gert at greenie.muc.de
Sun May 11 09:13:42 EDT 2008
Hi,
On Fri, May 09, 2008 at 06:41:05PM +0100, Colin Whittaker wrote:
> The answer I have heard from Cisco is that doing so would place a
> runtime dependency on the storage.
> It is reasonably safe to erase the nvram and format the flash on a
> running box. If your authorised keys file was on the flash or nvram then
> it failing would lock you out of the device.
>
> You could put the keys into the config but the config could get messy.

They seem to be able to handle that for things like IPSEC key material
just fine (or with the system's RSA host keys).

Sounds like major "we don't want to think about it, so we come back with
valid-sounding bullshit" to me.

Not like the SSH implementation in IOS is an example for well-behaving
code otherwise... (I have had a TAC case open for over a year on an SSH
client bug - the case is "release pending" and everybody plays dead).

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de