[j-nsp] protect ssh and telnet

Saku Ytti saku at ytti.fi
Tue Apr 5 06:18:01 EDT 2016


On 5 April 2016 at 13:02, Richard Hartmann <richih.mailinglist at gmail.com> wrote:

> Isn't a list of valid pubkeys enough? You can toss that into
> known_hosts or your equivalent automagically and be done with it.

But the keys change on the router when the RE is swapped. So you no
longer know it's the same device you've connected to before. In all
networks I've worked with, this is 'solved' by not caring about key
changes. Which makes ssh pretty much the same as telnet.
I would rather trust that the configuration is secure and my employees
aren't going to MITM me, and just keep secret keys in the config, so that
the router can always use the same keys and I could treat key changes as
alerts. It's not the best possible solution, but it's very much superior
to not caring about key changes. And it's an easy solution to deploy.

-- 
  ++ytti
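The point of the post is that a host-key change should become an alert rather than something nobody cares about. The following added example (mine, not code from the post or from any Juniper or OpenSSH tool) shows the check an operator-side tool would run: it parses a known_hosts file, including the hashed `|1|salt|hash` host form, and classifies the key a device presents as `match`, `changed` (the RE-swap case) or `unknown`, reporting OpenSSH-style SHA256 fingerprints so the alert can be compared with `ssh-keygen -l` output. All hostnames, addresses and key material are constructed for the example; the ed25519 "keys" are just fixed byte patterns wrapped in the SSH public-key wire format.

```python
"""Flag SSH host-key changes by checking a presented key against known_hosts.

Added example, not from the mailing-list post: a minimal re-implementation of
OpenSSH known_hosts matching (plain, comma-separated and hashed host fields)
so that a key change on a known host surfaces as an alert instead of being
silently accepted. All sample hosts and keys below are constructed.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def ed25519_pubkey_b64(raw32: bytes) -> str:
    """Build the base64 body of an ssh-ed25519 public key from 32 raw bytes (sample material)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return base64.b64encode(blob).decode()


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host(host: str, salt_b64: str) -> str:
    """known_hosts hashed-host form: base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def host_matches(pattern: str, host: str) -> bool:
    """Match one known_hosts host field (plain, comma list, or |1|salt|hash) against host."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|", 3)
        return hmac.compare_digest(hashed_host(host, salt_b64), hash_b64)
    return host in pattern.split(",")


def parse_known_hosts(text: str):
    """Yield (host_field, keytype, key_b64) per key line; skip comments, blanks and @markers."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker, not a host field
            fields = fields[1:]
        if len(fields) < 3:
            continue
        yield fields[0], fields[1], fields[2]


def check_host_key(known_hosts: str, host: str, keytype: str, presented_b64: str):
    """Return (status, expected_fp, presented_fp); status is 'match', 'changed' or 'unknown'.

    Simplification versus OpenSSH: the first known entry for this host and key
    type decides the result.
    """
    presented_fp = fingerprint(presented_b64)
    for host_field, kt, key_b64 in parse_known_hosts(known_hosts):
        if kt != keytype or not host_matches(host_field, host):
            continue
        expected_fp = fingerprint(key_b64)
        if hmac.compare_digest(key_b64, presented_b64):
            return "match", expected_fp, presented_fp
        return "changed", expected_fp, presented_fp
    return "unknown", None, presented_fp


# Constructed sample material: two routers, the second stored in hashed form.
ROUTER1_KEY = ed25519_pubkey_b64(bytes(range(32)))
ROUTER2_KEY = ed25519_pubkey_b64(bytes(range(32, 64)))
SALT = base64.b64encode(b"\x01" * 20).decode()
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    f"router1.example.net,192.0.2.1 ssh-ed25519 {ROUTER1_KEY}",
    f"|1|{SALT}|{hashed_host('router2.example.net', SALT)} ssh-ed25519 {ROUTER2_KEY}",
])


def demo():
    """Simulate router2 presenting a freshly generated key after an RE swap."""
    new_key = ed25519_pubkey_b64(bytes(range(64, 96)))
    results = {
        "router1.example.net": check_host_key(KNOWN_HOSTS, "router1.example.net", "ssh-ed25519", ROUTER1_KEY),
        "router2.example.net": check_host_key(KNOWN_HOSTS, "router2.example.net", "ssh-ed25519", new_key),
        "router3.example.net": check_host_key(KNOWN_HOSTS, "router3.example.net", "ssh-ed25519", new_key),
    }
    for host, (status, expected, presented) in results.items():
        level = "ALERT" if status == "changed" else "info"
        print(f"{level}: {host} {status} expected={expected} presented={presented}")
    return results


if __name__ == "__main__":
    demo()
```

Run as a script it prints one line per host; the `changed` line is the one the post wants raised as an alert. Because the routers' keys are pinned in their configuration as the post suggests, a `changed` result after a planned RE swap should not occur, so any such alert is worth investigating rather than clearing by hand.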