Bootable CD w/OS for firewall

Derek Atkins warlord at MIT.EDU
Wed Sep 15 10:04:00 EDT 2004


miah <jjohnson at sunrise-linux.com> writes:

> You keep your ssh key on your firewall?  Sounds like a bad idea to me,

Of course..  The SSH Server key.  It's not a bad idea -- it's the only
way to get secure service!  I've also got a Kerberos Keytab on the
box, but that's relatively easy to replace (as is the SSH key),
frankly.

> ipsec, you have to, but you can issue a new key easily, so its not a
> big deal.

"not a big deal"?  It's still a pain.  I have to contact each of my
ipsec peers and get THEM to reconfigure with my new key..  I have to
go to all the ssh clients and fix their .ssh/known_hosts files.

Rekeying is not a 2-second process.  It's not even a 2-minute process.
It can take hours.

Quite a pain.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available



More information about the Discuss mailing list