Every decade or so the recommendations on best practices change, so I'm curious about the current best practices around SSH keys stored on a device (e.g. a laptop).

If we believe that the best practice currently is to have a new private key per client device (i.e. for each laptop, desktop, or phone) that one connects to a server from, then that opens the question in my mind of what are folks doing for passphrases for these keys.

Obviously the ideal would be very strong, unique passphrases per device, but then if one has 4+ devices, this can get fairly challenging to remember.

Do you use passphrases on per-device keys?
Do you re-use the passphrase across keys?
Do you forgo traditional ssh keys stored on the computer in favor of Yubikeys?
Do you have tools to help you manage which keys are on which hosts so you can retire or revoke them as necessary?

#SSH #InfoSec

@serge if you can, there's now SSH CA, giving you certificates with limited life, and possibly embedded information which hosts it can connect to. This changes from "distribute key(s) to machine(s)" to "get your key signed" - which means you need to secure your CA signing key that much better.
*Personally* I think re-using passphrases across keys is not as bad, because if something is in position to get your key, it probably can sniff your password/phrase too.

@viq

I'll give this a look, but maybe you can help me understand this.

Let's imagine I'm using my ssh private key stored on a Yubikey and then someone steals my Yubikey.

I want to be able to issue some kind of command from another client that says "Revoke access (i.e. delete the public key) for the Yubikey." - The problem is twofold:

1. I need a simple way to track where the Yubikey public keys are. I need a list of hosts.
2. I need a simple command to revoke the key, i.e. remove the entry from ~/.ssh/authorized_keys
3. I'd like a way to ensure that if someone tried #2 that they'd need some secondary validation otherwise the attacker that steals my Yubikey also gains the ability to lock me out too easily.

@serge (1) and (2) sound like configuration management, or otherwise central key management (e.g. by hacking something with AuthorizedKeysCommand).

(3) sounds somewhat like multiple approvals (or signatures) or MFA for a code change.
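
An added example, not part of any post in this thread: one way to handle points (1) and (2) is to identify a key by its SHA256 fingerprint (the value `ssh-keygen -l` prints) rather than by its comment, then list the hosts that trust it and drop its line from each `authorized_keys` file. The host names, the inventory layout and the key blobs are constructed for illustration; collecting the files from real hosts and the approval step in (3) are left out.

```python
import base64, hashlib, re, struct
# Key type token followed by its base64 blob; options may precede it on the line.
KEY_RE = re.compile(r"(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/]+={0,2})")

def fingerprint(blob_b64):
    """SHA256 fingerprint in the format `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_blob(line):
    """Return the base64 key blob of an authorized_keys line, or None."""
    if line.lstrip().startswith("#"):
        return None
    for m in KEY_RE.finditer(line):
        ktype, blob = m.groups()
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        # A real blob starts with a length-prefixed copy of its key type.
        if raw.startswith(struct.pack(">I", len(ktype)) + ktype.encode()):
            return blob
    return None

def hosts_with_key(inventory, fp):
    """Point (1): which hosts in {host: authorized_keys text} trust this key."""
    return sorted(h for h, text in inventory.items()
                  if any((b := key_blob(l)) and fingerprint(b) == fp
                         for l in text.splitlines()))

def revoke(text, fp):
    """Point (2): return (new file text, removed lines) with the key dropped."""
    kept, removed = [], []
    for line in text.splitlines():
        blob = key_blob(line)
        (removed if blob and fingerprint(blob) == fp else kept).append(line)
    return "".join(l + "\n" for l in kept), removed

def _sample_key(seed):  # constructed ed25519-format blob, filler bytes, not a real key
    t = b"ssh-ed25519"
    raw = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(raw).decode()

LAPTOP, TOKEN = _sample_key(1), _sample_key(2)
INVENTORY = {  # constructed sample data
    "web1": f"# managed file\nssh-ed25519 {LAPTOP} user@laptop\n"
            f'command="echo hi",no-pty ssh-ed25519 {TOKEN} user@yubikey\n',
    "db1": f"ssh-ed25519 {LAPTOP} user@laptop\n",
}
```

Matching on the fingerprint means a line is still found when its comment was edited or options were prepended to it.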