| 1 |
On Friday, 15 July 2022 14:44:10 CEST Neil Bothwick wrote: |
| 2 |
> On Fri, 15 Jul 2022 09:53:44 +0200, J. Roeleveld wrote: |
| 3 |
> > > There's no reason you cannot change SSH keys as regularly, and good |
| 4 |
> > > reasons why you should. It's just that people don't bother to do it. |
| 5 |
> > |
| 6 |
> > I agree, but that is a tedious process. |
| 7 |
> > |
| 8 |
> > I have multiple machines I use as desktop depending on where I am. And |
| 9 |
> > either I need to securely share the private keys between them or set up |
| 10 |
> > different keys per desktop. |
| 11 |
> > I assume the same is true for most people. |
| 12 |
> |
| 13 |
> I don't share keys, each desktop/laptop has its own keys. |
| 14 |
|
| 15 |
I agree this is more secure as you can remove potentially leaked keys |
| 16 |
individually. But with more devices, the amount of keys and places where these |
| 17 |
need to be removed increases. |
| 18 |
|
| 19 |
> > Never mind that access to the servers needs to be possible for others |
| 20 |
> > as well. |
| 21 |
> > |
| 22 |
> > Either way, to do this automatically, all the desktop machines need to |
| 23 |
> > be powered and running while changing the keys. |
| 24 |
> |
| 25 |
> Not if they use their own keys. It should be simple to script generating |
| 26 |
> a new key, then SSHing to a list of machines and replacing the old key |
| 27 |
> with the new one in authorized_keys. |
| 28 |
|
| 29 |
This script will need to be run by the individual user. I prefer to control |
| 30 |
this centrally. |
| 31 |
|
| 32 |
> > Changing passwords for servers and storing them in a password vault is |
| 33 |
> > easier to automate. |
| 34 |
> |
| 35 |
> Indeed it is, and now you've found a way to do what you want with |
| 36 |
> passwords, all is well. |
| 37 |
> |
| 38 |
> However, I will look at scripting regular replacements for SSH keys, for |
| 39 |
> my own peace of mind. |
| 40 |
|
| 41 |
Most security improvements start with "simple" questions like these :) |
| 42 |
|
| 43 |
Good luck with your scripts :) |
| 44 |
|
| 45 |
-- |
| 46 |
Joost |
Archives