On Friday, 15 July 2022 14:44:10 CEST Neil Bothwick wrote:
> On Fri, 15 Jul 2022 09:53:44 +0200, J. Roeleveld wrote:
> > > There's no reason you cannot change SSH keys as regularly, and good
> > > reasons why you should. It's just that people don't bother to do it.
> >
> > I agree, but that is a tedious process.
> >
> > I have multiple machines I use as desktop depending on where I am. And
> > either I need to securely share the private keys between them or set up
> > different keys per desktop.
> > I assume the same is true for most people.
>
> I don't share keys, each desktop/laptop has its own keys.

I agree this is more secure as you can remove potentially leaked keys
individually. But with more devices, the number of keys and places where these
need to be removed increases.

> > Never mind that access to the servers needs to be possible for others
> > as well.
> >
> > Either way, to do this automatically, all the desktop machines need to
> > be powered and running while changing the keys.
>
> Not if they use their own keys. It should be simple to script generating
> a new key, then SSHing to a list of machines and replacing the old key
> with the new one in authorized_keys.

This script will need to be run by the individual user. I prefer to control
this centrally.

> > Changing passwords for servers and storing them in a password vault is
> > easier to automate.
>
> Indeed it is, and now you've found a way to do what you want with
> passwords, all is well.
>
> However, I will look at scripting regular replacements for SSH keys, for
> my own peace of mind.

Most security improvements start with "simple" questions like these :)

Good luck with your scripts :)

-- 
Joost
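The rotation Neil sketches above (generate a new key, SSH to a list of machines, swap the key in authorized_keys) as an added example in POSIX sh; it is not code from the thread or from either poster. The order matters: the new public key is added while authenticating with the old key, the new key is then proven to log in by itself with password fallback disabled, and only then is the old key removed, so a host where the new key does not work keeps the old one and you are never locked out. Assumptions, none of which come from the thread: `.pub` files as written by ssh-keygen (no leading options on the line, no single quote in the comment) sit beside the private keys, the target keeps keys in `~/.ssh/authorized_keys`, the file name `rotate.sh` and hosts `host1 host2` are placeholders, and the old key already grants access.

```shell
#!/bin/sh
# Added example, not code from the thread: rotate one desktop's SSH key on a
# list of servers without ever being locked out.
#
# Usage (assumed layout: private key plus ssh-keygen's matching .pub beside it):
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_2022 -C "laptop-$(date +%F)"
#   ssh-add ~/.ssh/id_ed25519_2022          # if the new key has a passphrase
#   sh rotate.sh rotate ~/.ssh/id_ed25519 ~/.ssh/id_ed25519_2022 host1 host2
#
# Per host: 1) add the new public key, authenticating with the old key;
#           2) prove the new key logs in on its own; 3) only then remove the
#           old key. A host where step 2 fails keeps the old key.
set -eu

# key_blob LINE: the base64 key blob, the second field of a ssh-keygen .pub
# line (assumes no leading options such as from="..." on the line).
key_blob() { printf '%s\n' "$1" | awk '{ print $2 }'; }

# has_key FILE BLOB: succeed if some line of FILE contains BLOB.
has_key() { [ -f "$1" ] && grep -qF -- "$2" "$1"; }

# add_key_to_file FILE LINE: append LINE unless its blob is already present
# (idempotent, so a rerun after a half-finished rotation is harmless).
add_key_to_file() {
    umask 077                          # new ~/.ssh is 700, new file 600
    mkdir -p "$(dirname "$1")"
    has_key "$1" "$(key_blob "$2")" || printf '%s\n' "$2" >> "$1"
}

# remove_key_from_file FILE BLOB: drop every line containing BLOB. Written to a
# temp file and renamed, so a crash mid-write cannot truncate authorized_keys.
remove_key_from_file() {
    [ -f "$1" ] || return 0
    umask 077
    tmp="$1.$$.tmp"
    awk -v b="$2" 'index($0, b) == 0' "$1" > "$tmp"
    mv "$tmp" "$1"
}

# remote_edit HOST IDENTITY ACTION ARG: run this same script on HOST (fed to
# the remote sh on stdin), so the target uses the functions above. ARG must
# not contain a single quote (a key comment normally does not).
remote_edit() {
    ssh -i "$2" -o IdentitiesOnly=yes -o BatchMode=yes "$1" \
        "sh -s -- $3 '$4'" < "$0"
}

# rotate_hosts OLD_KEY NEW_KEY HOST...: OLD_KEY/NEW_KEY are private key paths.
rotate_hosts() {
    old_key=$1 new_key=$2
    shift 2
    new_pub=$(cat "$new_key.pub")
    old_blob=$(key_blob "$(cat "$old_key.pub")")
    failed=0
    for host in "$@"; do
        # 1. install the new key using the old one
        if ! remote_edit "$host" "$old_key" add-key "$new_pub"; then
            echo "$host: could not add new key, skipped" >&2
            failed=1
            continue
        fi
        # 2. the new key alone must get in; forbid any password fallback that
        #    would make a broken key look like a success
        if ssh -i "$new_key" -o IdentitiesOnly=yes -o BatchMode=yes \
               -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no \
               "$host" true; then
            # 3. retire the old key, now authenticating with the new one
            remote_edit "$host" "$new_key" remove-key "$old_blob"
            echo "$host: rotated"
        else
            echo "$host: new key rejected, old key left in place" >&2
            failed=1
        fi
    done
    if [ "$failed" -eq 0 ]; then
        echo "all hosts rotated; $old_key can now be deleted"
    fi
    return "$failed"
}

# Dispatcher: 'add-key' and 'remove-key' are what the remote sh runs;
# 'rotate' is the entry point on the desktop. No arguments: define only.
case ${1:-} in
    add-key)    add_key_to_file "$HOME/.ssh/authorized_keys" "$2" ;;
    remove-key) remove_key_from_file "$HOME/.ssh/authorized_keys" "$2" ;;
    rotate)     shift; rotate_hosts "$@" ;;
esac
```

The script ships itself to each server over stdin (`sh -s`), so the same add and remove functions run on both ends and nothing has to be installed remotely. It never deletes the old private key; it only tells you when every host has been rotated and it is safe to do so by hand, which also leaves the old key available for any host that failed and still needs a manual look. Matching on the key blob rather than the whole line means a key line whose comment was edited on the server is still found and removed.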