On Wed, Aug 1, 2018 at 11:17 AM, Simone Piccardi <[email protected]> wrote:
> On 01/08/2018 17:00, Bryan Smith wrote:
>> Understanding (even if not implementing, although that's getting
>> debatable in my view) SSH host keys should be level 1 in my opinion.
>>
> That's understanding key fingerprint and known hosts for me. Not
> changing SSH server host keys or reconfiguring them, or using an SSH-CA.
But it's becoming more than that now. That's why I'm almost at the point that understanding keys is almost a level 1 requirement. Because junior admins are doling out instances, especially containers.

As far as SSH-CA, for on-premise infrastructure (not off-premise, which gets more tricky, lots of Federation and/or 3rd parties), most everyone is using SSSD (sss-ssh-authorizedkeys) now, typically to a Directory Service. It can be any number, and doesn't need to be 389-based (e.g., FreeIPA). Both OpenLDAP and eDirectory can do the same schema too, and many do (e.g., US Treasury w/eDirectory). But that's definitely level 2.

- bjs

--
Bryan J Smith - http://www.linkedin.com/in/bjsmith
E-mail: b.j.smith at ieee.org or me at bjsmith.me

_______________________________________________
lpi-examdev mailing list
[email protected]
http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev
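A worked example of the "level 1" material the two messages above argue over: what an OpenSSH key fingerprint actually is, how a known_hosts file is parsed (plain, hashed and `@cert-authority` lines, the last being what an SSH-CA deployment pins instead of per-host keys). This is added code, not from the thread, OpenSSH or SSSD. The Ed25519 key bytes, the hashing salt and the host names are constructed for the example, and host-pattern matching is simplified to shell-style wildcards (no `[host]:port` or `!` negation handling).

```python
"""Parse OpenSSH known_hosts lines and compute OpenSSH-style fingerprints.

Added example; keys, salt and host names below are constructed, not real.
"""
import base64
import fnmatch
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ssh_string(data: bytes) -> bytes:
    """One SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_blob(raw_key: bytes) -> bytes:
    """The blob that follows 'ssh-ed25519' on a public-key line."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint_sha256(blob: bytes) -> str:
    """'SHA256:...' as ssh-keygen -lf prints it: base64 of SHA-256, '=' stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy 'MD5:aa:bb:...' form (ssh-keygen -E md5 -lf)."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def hash_hostname(host: str, salt: bytes) -> str:
    """'|1|salt|mac' form written when HashKnownHosts is on: HMAC-SHA1 keyed by salt."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


@dataclass
class KnownHost:
    marker: Optional[str]   # '@cert-authority', '@revoked' or None
    hosts: str              # comma-separated patterns, or one hashed name
    keytype: str
    blob: bytes

    def matches(self, host: str) -> bool:
        if self.hosts.startswith("|1|"):
            _, _, salt_b64, mac_b64 = self.hosts.split("|")
            actual = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
            return hmac.compare_digest(actual, base64.b64decode(mac_b64))
        # Simplification: '*'/'?' wildcards only, no negation or [host]:port syntax.
        return any(fnmatch.fnmatchcase(host, pat) for pat in self.hosts.split(","))

    @property
    def fingerprint(self) -> str:
        return fingerprint_sha256(self.blob)


def parse_known_hosts(text: str) -> List[KnownHost]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            raise ValueError("malformed known_hosts line: %r" % line)
        hosts, keytype, blob = fields[0], fields[1], base64.b64decode(fields[2])
        # The first wire string inside the blob must repeat the key type field.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] != keytype.encode():
            raise ValueError("key type mismatch on line: %r" % line)
        entries.append(KnownHost(marker, hosts, keytype, blob))
    return entries


def lookup(entries: List[KnownHost], host: str) -> Tuple[List[KnownHost], List[KnownHost]]:
    """Entries that apply to host, split into pinned host keys and trusted CAs."""
    plain = [e for e in entries if e.marker is None and e.matches(host)]
    cas = [e for e in entries if e.marker == "@cert-authority" and e.matches(host)]
    return plain, cas


# Constructed test data (not real keys): three 32-byte "public keys" and a 20-byte salt.
KEY_A, KEY_B, KEY_C = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))
SALT = bytes(range(20))


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "bastion.example.net,10.0.0.5 ssh-ed25519 " + _b64(build_ed25519_blob(KEY_A)),
    hash_hostname("hashed.example.net", SALT) + " ssh-ed25519 " + _b64(build_ed25519_blob(KEY_B)),
    "@cert-authority *.example.net ssh-ed25519 " + _b64(build_ed25519_blob(KEY_C)),
])

if __name__ == "__main__":
    for entry in parse_known_hosts(SAMPLE_KNOWN_HOSTS):
        print(entry.marker or "-", entry.hosts[:40], entry.keytype, entry.fingerprint)
    print(lookup(parse_known_hosts(SAMPLE_KNOWN_HOSTS), "web1.example.net"))
```

The `lookup` call is the check a host-key prompt is really asking the user to make: for `web1.example.net` there is no pinned key, only the CA entry, so a host certificate signed by that CA is what the client would accept, which is exactly why a junior admin handing out instances needs to know which of the two cases they are in.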
