Thursday, August 23, 2018

How do you store your fail-safe device credentials?

We're finally about to implement AAA across our entire network (yay!) and as part of that project, we will be generating fail-safe credentials to use in case access to the RADIUS servers is down.

  • How do you currently provide for fail-safe SSH access?
  • Where do you store these credentials?
  • How atomic are these credentials: per-device, per-site, or global?
  • When do these get changed?
  • If you change them after use, how do you ensure this happens?

My boss jokingly wants to print these on colored paper and seal them in plastic so we can crack them open in an emergency, but I'm thinking a sealed envelope system containing the only plaintext is not a bad idea.


