On 5 April 2016 at 13:02, Richard Hartmann <richih.mailingl...@gmail.com> wrote:
> Isn't a list of valid pubkeys enough? You can toss that into
> known_hosts or your equivalent automagically and be done with it.

But the keys change on the router when the RE is swapped. So you no longer know it's the same device you've connected to before.

In all networks I've worked with, this is 'solved' by not caring about key changes. Which makes ssh pretty much the same as telnet.

I would rather trust that configuration is secure and my employees aren't going to MITM me, and just keep the secret keys in config, so that the router can always use the same keys and I could treat key changes as alerts. It's not the best possible solution, but it's very much superior to not caring about key changes. And it's an easy solution to deploy.

--
  ++ytti
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
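As an added illustration of "treat key changes as alerts" (example code written for this edit, not from the thread, from Junos, or from OpenSSH): it pins router host keys in a known_hosts-format baseline, fingerprints a fresh scan the same way, and reports changed, new and missing keys. Hostnames and key bytes below are constructed, not real devices.

```python
import base64
import hashlib

def ed25519_blob(raw32: bytes) -> str:
    """Encode 32 raw bytes as the base64 ssh-ed25519 wire blob used in known_hosts."""
    name = b"ssh-ed25519"
    blob = len(name).to_bytes(4, "big") + name + len(raw32).to_bytes(4, "big") + raw32
    return base64.b64encode(blob).decode()

# Constructed keys (not real router keys), used to build the two inputs below.
KEY_A = ed25519_blob(bytes(range(32)))
KEY_B = ed25519_blob(bytes(range(32, 64)))
KEY_C = ed25519_blob(bytes(range(64, 96)))

# Pinned baseline, e.g. your known_hosts; and a fresh scan, e.g. `ssh-keyscan` output.
BASELINE = f"rtr1.example.net ssh-ed25519 {KEY_A}\nrtr2.example.net ssh-ed25519 {KEY_B}\n"
CURRENT_SCAN = (f"rtr1.example.net ssh-ed25519 {KEY_A}\n"
                f"rtr2.example.net ssh-ed25519 {KEY_C}\n"   # RE swapped: new key
                f"rtr3.example.net ssh-ed25519 {KEY_B}\n")  # host not in baseline

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the SHA-256 digest, '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> fingerprint; skips comments, @marker lines and hashed (|1|) hosts."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0][0] in "#@" or parts[0].startswith("|1|"):
            continue
        for host in parts[0].split(","):          # "host,ip" aliases share one key
            keys[(host, parts[1])] = fingerprint(parts[2])
    return keys

def compare(baseline: str, scan: str) -> dict:
    """Diff a fresh scan against the pinned baseline; a changed key is the alert condition."""
    old, new = parse_known_hosts(baseline), parse_known_hosts(scan)
    report = {"changed": [], "new": [], "missing": [i for i in old if i not in new]}
    for ident, fp in new.items():
        if ident not in old:
            report["new"].append(ident)
        elif old[ident] != fp:
            report["changed"].append((ident, old[ident], fp))
    return report

if __name__ == "__main__":
    for (host, ktype), was, now in compare(BASELINE, CURRENT_SCAN)["changed"]:
        print(f"ALERT: host key for {host} ({ktype}) changed {was} -> {now}")
```

A "new" host should only be added to the baseline after its fingerprint is confirmed out of band (console, or the key shown in the device's own config).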