Joachim Schipper wrote:
>> There's 400+ unix boxes. I know we can stick keys into
>> authorized_keys, but managing it for a bunch of automated processes
>> seems a bit unwieldy.
> Have you considered Kerberos? You'll still have to add accounts (or use
> LDAP, indeed), but at least you don't have to copy the keys everywhere.
>
With some patches, you can use the krb5 host-keys instead of the ssh-host-keys. Then again, any site with 400+ boxes should really have most of them on an "automated install" procedure anyhow, so sending out authorized_keys using that should be a high priority.
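As an added illustration of what an automated install could push out for the automated-process accounts mentioned in the thread (this is example code, not something posted by either participant): a small POSIX shell script that builds an authorized_keys file from a per-role manifest and attaches the restrictions that limit what a leaked key can do (forced command, source address, no pty or forwarding). The manifest format (role|source|command|pubkey), the key material, the addresses and the command paths are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds an authorized_keys
# file for non-interactive accounts from a manifest, so that each key is
# pinned to one command and one source and cannot be used for a login shell.
# The manifest format (role|source-cidr|command|pubkey) and all values in it
# are assumptions made for this example; the keys are placeholders.

MANIFEST='backup|10.0.0.5|/usr/local/sbin/backup-pull|ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne backup@mgmt
monitor|10.0.0.0/24|/usr/local/bin/check-host|ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo nagios@mgmt'

# build_authorized_keys: read the manifest on stdin and emit one restricted
# authorized_keys line per entry. Entries with an unknown key type are
# skipped with a warning rather than written out unrestricted.
build_authorized_keys() {
    while IFS='|' read -r role src cmd key; do
        [ -z "$role" ] && continue
        case "$key" in
            ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*) ;;
            *) echo "skipping $role: unsupported key type" >&2; continue ;;
        esac
        printf 'command="%s",from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
            "$cmd" "$src" "$key"
    done
}

# install_authorized_keys: write the generated file to the given path with
# the ownership-independent permissions sshd's StrictModes checks (0600 file,
# 0700 directory via umask), so a misconfigured install does not get the
# key silently ignored by sshd.
install_authorized_keys() {
    dest="$1"
    umask 077
    mkdir -p "$(dirname "$dest")"
    printf '%s\n' "$MANIFEST" | build_authorized_keys > "$dest"
    chmod 600 "$dest"
}

# count_restricted: sanity check for the install step; every line in the
# generated file must carry a forced command.
count_restricted() {
    grep -c '^command="' "$1"
}

# Typical use from an install hook: install_authorized_keys /home/backup/.ssh/authorized_keys
```

Because the file is regenerated from the manifest on every install run, revoking an automated key is a manifest change followed by a re-push, which is the "sending out authorized_keys" workflow the reply recommends; the forced command and source restriction are what keep a copied key from turning into an interactive login on 400 hosts.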