[j-nsp] protect ssh and telnet

Saku Ytti saku at ytti.fi
Tue Apr 5 10:26:06 EDT 2016


On 5 April 2016 at 16:53, Patrick Okui <pokui at psg.com> wrote:
> I personally take an event that changes the host key the same as having a
> new host (irrespective of platform). Usually those events have a human doing
> the changes in the similar way that deploying a new one would.
>
> I therefore apply the same policy I would as if it was new kit. Tedious I
> know, but SSH wasn’t really designed to make it easy to verify keys via
> third parties.
>
> I’ve currently taken to maintaining SSHFP DNS records (rfc4255) and this
> seems to work pretty well for me (in signed zones of course).

Damn 1 percenters!

Seriously, this is the right solution today, but in practice it's too
hard for most, and those would benefit from the compromise of carrying
the secret in config.

-- 
  ++ytti
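The SSHFP mechanism Patrick describes (RFC 4255, with the ECDSA/Ed25519 and SHA-256 code points from RFC 6594 and RFC 7479), as an added example that is not code from the thread: it computes the record `ssh-keygen -r` would publish for a host key and checks a presented key against published records the way OpenSSH's `VerifyHostKeyDNS` does. The sample key blob is constructed in the script and is not a real key; the owner name is a placeholder.

```python
import base64
import hashlib
import struct

# SSHFP code points: algorithm (RFC 4255, 6594, 7479) and fingerprint type (RFC 4255, 6594)
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line, fptype=2):
    """(algorithm, fptype, hex fingerprint) for one OpenSSH public-key line
    (the format of /etc/ssh/ssh_host_*_key.pub). The fingerprint is the hash
    of the raw key blob, which is what `ssh-keygen -r` emits."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return SSHFP_ALGORITHM[keytype], fptype, SSHFP_HASH[fptype](blob).hexdigest()


def sshfp_zone_line(owner, pubkey_line, fptype=2):
    """Zone-file presentation of the record, e.g. 'host. IN SSHFP 4 2 <hex>'."""
    alg, fpt, fp = sshfp_rdata(pubkey_line, fptype)
    return f"{owner} IN SSHFP {alg} {fpt} {fp}"


def parse_sshfp_zone_line(line):
    """Parse '<owner> [ttl] IN SSHFP <alg> <fptype> <hex>' into (alg, fptype, hex)."""
    alg, fpt, fp = line.split()[-3:]
    return int(alg), int(fpt), fp.lower()


def host_key_matches_sshfp(pubkey_line, records):
    """True if the presented host key matches any published SSHFP record.
    Only meaningful when the records came from a DNSSEC-validated answer."""
    for alg, fpt, fp in records:
        if fpt not in SSHFP_HASH:
            continue  # unknown fingerprint type: skip it, never treat as a match
        if sshfp_rdata(pubkey_line, fpt) == (alg, fpt, fp.lower()):
            return True
    return False


def make_ed25519_pubkey_line(raw32, comment="constructed"):
    """Build a syntactically valid ssh-ed25519 public-key line from 32 raw
    bytes (constructed test data only, not a usable key)."""
    ssh_string = lambda b: struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


SAMPLE_KEY = make_ed25519_pubkey_line(bytes(range(32)), "router1")
SAMPLE_ZONE = sshfp_zone_line("router1.example.net.", SAMPLE_KEY)  # placeholder owner
```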


More information about the juniper-nsp mailing list