On Wed, Jun 28, 2006 at 06:07:33PM -0700, Allen Parker wrote: > Why not, on a regular basis, use ssh-keyscan and diff or something > similar, to scan your range of hosts that DO have ssh on them (maybe > nmap subnet scans for port 22?) to retrieve the host keys, compare > them to last time the scan was run, see if anything changed, cross > reference that with work orders by ip or any other identifiable > information present, and let the tools do the work for you. Cron is > your friend. Using rsync, scp, nfs or something similar it wouldn't be > very difficult to upkeep an automated way of updating such a list once > per day across your entire organization.
_wow_.
That's a massive "why not just" paragraph. I can only imagine how
long a paragraph you'd write for finding and removing ex-employee's
public keys from all your systems.
So, here's my "why not just":
Why not just use Kerberos?
--
David W. Hankins "If you don't do it right the first time,
Software Engineer you'll just have to do it again."
Internet Systems Consortium, Inc. -- Jack T. Hankins
pgp4b9fjyYjsf.pgp
Description: PGP signature
