[ale] ssh for automated management

Mike Murphy mike at tyderia.net
Fri Dec 17 18:10:13 EST 2004


The danger you have using either option is a man-in-the-middle sort of 
thing. Turning off known hosts checking means you might land on a 
machine pretending to be one of your managed machines. Using trusted 
hosts files could mean that someone could spoof your master machine's ip 
address and access each managed host as if they were you. So, either 
way, you'd be building a system that's insecure. I wouldn't really 
recommend doing either over the open internet, but on a secured private 
network, the risk might be acceptable.

Mike


David Corbin wrote:
> On Friday 17 December 2004 13:18, Mike Murphy wrote:
> 
>>you *could* turn known hosts checking off for this, I suppose. Or use a
>>single trusted hosts file instead. That would be a lot cheaper (no
>>public keys).
> 
> 
> Well, no public keys to identify hosts, right?  To be honest, this client just 
> doesn't seem to care about security all that much.  I'm sure they're willing 
> to assume that the packets are going to the right machine.
> 
> 
>>Mike
>>
>>Jim Popovitch wrote:
>>
>>>I'm wondering just how big .ssh/known_hosts will be on your mgmt
>>>station.  At some point having multiple mgmt stations, or chrooted
>>>environments, might make good sense.  Parsing a 3GB known_hosts file for
>>>every SSH connection might present some problems.
>>>
>>>-Jim P.
>>>
>>>On Fri, 2004-12-17 at 11:56 -0500, David Corbin wrote:
>>>
>>>>We are considering using ssh as part of a solution for automated remote
>>>>management of 10000+ node network, distributed at over 500 sites.  The
>>>>nodes being managed are NOT "standard desktop machines" (in terms of
>>>>software etc.), but more like "appliances".
>>>>
>>>>Ideally all the management would be done from one machine.
>>>>
>>>>Anyone want to suggest any likely problems we might encounter,
>>>>scale-wise?
>>>>
>>>>Thanks
>>>>David
>>>>_______________________________________________
>>>>Ale mailing list
>>>>Ale at ale.org
>>>>http://www.ale.org/mailman/listinfo/ale
>>>

-- 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Mike Murphy
781 Inman Mews Drive Atlanta GA 30307
Landline: 404-653-1070
Mobile: 404-545-6234
Email: mike at tyderia.net
AIM: mmichael453
JDAM: 33:45:14.0584N  84:21:43.038W
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
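An added example, not from this thread and not OpenSSH's own code: a small Python model of the known_hosts lookup the client performs, covering both plain and HashKnownHosts entries, so the three outcomes Mike's post turns on are visible as return values: a matching key, an unknown host (what turning host key checking off would add silently), and a changed key for a known host (the man-in-the-middle signal). The hostnames, key strings and salt are constructed placeholders.

```python
import base64
import hashlib
import hmac
from fnmatch import fnmatchcase


def hashed_host_field(host: str, salt: bytes) -> str:
    """Build the '|1|salt|hash' host field OpenSSH writes when HashKnownHosts
    is on: hash = HMAC-SHA1(key=salt, msg=hostname), both parts base64."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def host_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated, or hashed)
    covers `host`. Negated '!' patterns are not modelled here."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|", 3)
        expected = hmac.new(base64.b64decode(salt_b64), host.encode(),
                            hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    # Exact match first so '[host]:port' forms are not read as glob classes.
    return any(pat == host or fnmatchcase(host, pat) for pat in field.split(","))


def classify(known_hosts: str, host: str, keytype: str, key: str) -> str:
    """Return 'match', 'mismatch' (host known, different key: treat as a
    possible man-in-the-middle) or 'unknown' (no entry for this host)."""
    seen = False
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # comments and @cert-authority/@revoked markers skipped
        parts = line.split()
        if len(parts) < 3 or not host_matches(parts[0], host):
            continue
        seen = True
        if parts[1] == keytype and parts[2] == key:
            return "match"
    return "mismatch" if seen else "unknown"


# Constructed sample data: placeholder key strings and a fixed salt
# (OpenSSH uses 20 random bytes per hashed entry).
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
SALT = b"\x01" * 20
KNOWN_HOSTS = "\n".join([
    "# constructed sample inventory, not a real known_hosts file",
    "appliance-001.example.net,10.0.0.1 ssh-ed25519 " + KEY_A,
    hashed_host_field("appliance-002.example.net", SALT) + " ssh-ed25519 " + KEY_B,
])
```

Only 'match' should let an automated job proceed; 'unknown' is the case a pre-distributed known_hosts (or a per-site inventory) should have covered, and 'mismatch' is the one to alert on rather than override.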


