[c-nsp] RSA and rancid
Alexander Clouter
alex at digriz.org.uk
Wed Nov 11 05:12:49 EST 2009
Dirk-Jan van Helmond <c-nsp at djvh.nl> wrote:
>
> Don't use RSA authentication for automated processes?
>
Use local accounts, or, if your devices support it, SSH public keys are a
handy option. To be honest, you would be crazy to rely just on RSA
authentication, as if your RADIUS server is dead you will not be able to
log into *any* of your switching infrastructure...oh, your RADIUS server
might be dead because of a network issue :)
Also why VoIP is great: no support calls to deal with when there are
problems :)
So in short, you *have* to have a local backup account...even if it is
only accessible via a serial console server.
> If the authentication isn't being sent plaintext, there is no added
> security in using one time passwords for automated processes.
>
I have to take grumblings against that. OTPs go a good way to stop
brute-force attacks[1] and also go a long way to *prove* that the
person logging in has not had their credentials p0wned.
Cheers
[1] Well, if you are using naff pincode jobs (RSA or HOTP, for example),
then maybe it is pointless, but RFC 2289 is rather good.
--
Alexander Clouter
.sigmonster says: Girls are better looking in snowstorms.
-- Archie Goodwin
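The RFC 2289 scheme the post refers to, as an added example that is not part of the original message or of any mailing-list code: a minimal S/KEY-style one-time password generator and verifier (MD5 variant, hex output only; the six-word dictionary encoding is left out). The seed "ke1234", the passphrase and the sequence number 100 are constructed values. It shows the two properties argued for above: a captured OTP cannot be replayed, because the server advances to the next sequence number, and it cannot be used to derive the next OTP, because that would require inverting the hash. Appendix C of RFC 2289 carries test vectors if you want to check the arithmetic against a real client.

```python
"""Added example (not from the cisco-nsp post): RFC 2289 one-time passwords, MD5 variant.

Sequence numbers count DOWN. The server stores f^N(S) and accepts a response R only
if f(R) equals the stored value; it then stores R.  An eavesdropper who captures R
can compute f(R) (the already-used password) but not the preimage of R (the next one).
"""
import hashlib


def _fold64(digest: bytes) -> bytes:
    """RFC 2289: reduce a 128-bit MD5 digest to 64 bits by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp_md5_initial(seed: str, passphrase: str) -> bytes:
    """Initial step S: hash lowercase(seed) || passphrase, folded to 64 bits.
    The seed is case-insensitive per the RFC, so it is lowercased before hashing."""
    return _fold64(hashlib.md5((seed.lower() + passphrase).encode("utf-8")).digest())


def otp_md5_step(value: bytes) -> bytes:
    """One application of the one-way function f: hash the 64-bit value and fold again."""
    return _fold64(hashlib.md5(value).digest())


def otp_md5(seed: str, passphrase: str, sequence: int) -> bytes:
    """OTP for a sequence number = f applied `sequence` times to S (f^sequence(S))."""
    value = otp_md5_initial(seed, passphrase)
    for _ in range(sequence):
        value = otp_md5_step(value)
    return value


def otp_hex(otp: bytes) -> str:
    """Hex form used by RFC 2289 clients: four groups of four upper-case hex digits."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


class OtpServer:
    """Verifier state: seed, current sequence number and the last OTP accepted.
    The passphrase is only seen at enrolment and is never stored."""

    def __init__(self, seed: str, passphrase: str, sequence: int):
        self.seed = seed
        self.sequence = sequence
        self.last_otp = otp_md5(seed, passphrase, sequence)  # f^sequence(S)

    def challenge(self) -> str:
        """RFC 2289 challenge syntax: otp-<algorithm> <sequence> <seed>."""
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept `response` iff f(response) == last accepted OTP, then advance."""
        if self.sequence <= 0 or len(response) != 8:
            return False  # chain exhausted (re-enrol) or malformed input
        if otp_md5_step(response) != self.last_otp:
            return False
        self.sequence -= 1
        self.last_otp = response
        return True


def client_response(challenge: str, passphrase: str) -> bytes:
    """What the user's OTP calculator computes from the challenge and the passphrase."""
    algorithm, sequence, seed = challenge.split()
    if algorithm != "otp-md5":
        raise ValueError("unsupported algorithm: " + algorithm)
    return otp_md5(seed, passphrase, int(sequence))


def demo() -> dict:
    """Walk through two logins, a replay and a forgery attempt. Constructed values."""
    secret = "correct horse battery"  # hypothetical passphrase, 10-63 chars per the RFC
    server = OtpServer(seed="ke1234", passphrase=secret, sequence=100)

    chal1 = server.challenge()                      # "otp-md5 99 ke1234"
    good = client_response(chal1, secret)
    first_login = server.verify(good)               # genuine response: accepted
    replay = server.verify(good)                    # same bytes again: rejected
    # Attacker who sniffed `good` can only go forward in the chain (f(good) is the
    # OTP that was valid *before*); the next OTP is a preimage of `good` under f.
    forged_login = server.verify(otp_md5_step(good))
    chal2 = server.challenge()                      # "otp-md5 98 ke1234"
    wrong_passphrase = server.verify(client_response(chal2, "not the passphrase"))
    second_login = server.verify(client_response(chal2, secret))

    return {
        "first_login": first_login, "replay": replay, "forged_login": forged_login,
        "wrong_passphrase": wrong_passphrase, "second_login": second_login,
        "first_challenge": chal1, "second_challenge": chal2,
        "first_otp_hex": otp_hex(good), "remaining": server.sequence,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The verifier never holds anything a thief could turn into a valid login, which is the "prove the credentials were not p0wned" point: a password sniffed off a session is worthless a moment later, and online guessing is against a 64-bit value that changes every time.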