Dirk-Jan van Helmond <c-...@djvh.nl> wrote:
> 
> Don't use RSA authentication for automated processes?
>
Use local accounts, or, if your devices support it, SSH public keys are a 
handy option.  To be honest, you would be crazy to rely just on RSA 
authentication, as if your RADIUS server is dead you will not be able to 
log into *any* of your switching infrastructure... oh, your RADIUS server 
might be dead because of a network issue :)

Also why VoIP is great: no support calls to deal with when there are 
problems :)

So in short, you *have* to have a local backup account... even if it is 
only accessible via a serial console server.

> If the authentication isn't being sent plaintext, there is no added 
> security in using one time passwords for automated processes.
>
I have to take grumblings against that.  OTPs go a good way to stop 
brute-force attacks[1] and also go a long way to *prove* that the 
person logging in has not had their credentials p0wned.

Cheers

[1] well, if you are using naff pincode jobs (RSA or HOTP, for example), 
        then maybe it is pointless, but RFC 2289 is rather good

-- 
Alexander Clouter
.sigmonster says: Girls are better looking in snowstorms.
                                -- Archie Goodwin

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
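As an added worked example (not code posted by anyone on this thread), here is the RFC 2289 (S/KEY-style) scheme the footnote refers to, MD5 variant, in Python: the one-way hash chain on the client side, and a server-side verifier that stores only the last accepted value. It is checked against the RFC's own MD5 test vectors (passphrase "This is a test.", seed "TeSt"). The verifier class, its method names and the replay demo are this example's own; the hex output is used throughout because the six-word encoding needs the RFC's 2048-word dictionary. Note that this addresses the replay and credential-theft point only; it does nothing for the "RADIUS server is dead" case, which is why the local backup account above is still needed.

```python
"""RFC 2289 (S/KEY-style) one-time passwords, MD5 variant.

Added illustration for this thread, not code posted by anyone on it.
Hex output only: the six-word encoding needs the RFC's 2048-word dictionary.
"""
import hashlib


def fold_md5(data: bytes) -> bytes:
    """One step of the OTP chain: MD5, then fold 128 bits to 64 by XORing
    the first eight digest bytes with the last eight."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """64-bit OTP for sequence number `count`.

    Initial step hashes seed || passphrase (seed lower-cased, since RFC 2289
    makes it case-insensitive); the fold is then applied `count` more times.
    Count 0 is the first value of the chain.
    """
    if not (1 <= len(seed) <= 16 and seed.isalnum()):
        raise ValueError("seed must be 1-16 alphanumeric characters")
    if count < 0:
        raise ValueError("count must be >= 0")
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = fold_md5(value)
    return value


def otp_hex(passphrase: str, seed: str, count: int) -> str:
    """Hex form, as a generator or the RFC's test vectors print it."""
    return otp(passphrase, seed, count).hex().upper()


class OtpVerifier:
    """Server side.  Holds only the last accepted OTP, never the passphrase,
    so a stolen verifier database yields nothing usable for login.

    Initialised with the OTP at sequence N.  Each login must present the OTP
    at N-1, accepted iff one more fold equals the stored value; the stored
    value then moves down one step.  Replaying an accepted OTP fails, and an
    eavesdropped OTP gives no earlier, still-valid value because the fold is
    one-way.  (Class and method names are this example's own.)
    """

    def __init__(self, seed: str, count: int, last_otp: bytes) -> None:
        self.seed = seed
        self.count = count        # sequence number of `last_otp`
        self.last = last_otp

    def challenge(self) -> str:
        """The challenge line a client needs: algorithm, sequence, seed."""
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        if self.count <= 1:
            return False          # chain exhausted: re-initialise with a new seed
        if fold_md5(candidate) != self.last:
            return False
        self.last = candidate     # advance; the used value is now worthless
        self.count -= 1
        return True


def replay_demo() -> tuple:
    """A legitimate login, a replay of the same OTP, then the next login.
    Constructed sample: the RFC's own MD5 test passphrase and seed."""
    passphrase, seed = "This is a test.", "TeSt"
    server = OtpVerifier(seed, 99, otp(passphrase, seed, 99))
    first = server.verify(otp(passphrase, seed, 98))   # True
    replay = server.verify(otp(passphrase, seed, 98))  # False: already consumed
    nxt = server.verify(otp(passphrase, seed, 97))     # True
    return first, replay, nxt


if __name__ == "__main__":
    print(otp_hex("This is a test.", "TeSt", 0))   # RFC 2289 vector: 9E876134D90499DD
    print(replay_demo())                            # (True, False, True)
```

The brute-force point in the post follows from the verifier: an attacker who sees one accepted OTP holds f^k(x) and needs f^(k-1)(x), i.e. a preimage of the fold, and an attacker guessing blindly has one 64-bit value per sequence number with no way to test guesses offline. What the scheme does not protect against is a compromised client that has the passphrase itself, and the chain must be re-seeded before the sequence number reaches 0.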