Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Bootable CD w/OS for firewall



On Wed, Sep 15, 2004 at 10:03:19AM -0400, Derek Atkins wrote:
> miah <jjohnson at sunrise-linux.com> writes:
> 
> > You keep your ssh key on your firewall?  Sounds like a bad idea to me,
> 
> Of course..  The SSH Server key.  It's not a bad idea -- it's the only
> way to get secure service!  I've also got a Kerberos Keytab on the
> box, but that's relatively easy to replace (as is the SSH key),
> frankly.

Honestly, how many people here know SSH Key Fingerprint of their
server?  Ask that same question to your users.  I'm willing to bet
that most people will just 'click' "yes" or "accept" or still connect
if the server key has changed.

Also, how many people here inform their users what the ssh server key
fingerprint should be before the user ever logs in?

Though, that doesn't mean you shouldn't notify users of a keychange.

To most users, ssh is the telnet that asks you if you are sure you
want to connect to a server, and talks about some key stuff.

> > ipsec, you have to, but you can issue a new key easily, so its not a
> > big deal.
> 
> "not a big deal"?  It's still a pain.  I have to contact each of my
> ipsec peers and get THEM to reconfigure with my new key..  I have to
> go to all the ssh clients and fix their .ssh/known_hosts files.
> 
> Rekeying is not a 2-second process.  It's not even a 2-minute process.
> It can take hours.
> 
> Quite a pain.

While its definately not a 2 second process, its not as much of a pain
as it is to get a new SSL Cert from verisign.

If you have multiple ipsec peers you probably aren't running
smoothwall either.  And hopefully you have a process in place for
'when the shit hits the fan' so that while it is a pain, it doesn't
turn into a huge pain.

-miah




BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org