Every decade or so the recommendations on best practices change, so I'm curious about the current best practices around SSH keys stored on a device (e.g. a laptop).

If we believe that the best practice currently is to have a new private key per client device (i.e. for each laptop, desktop, or phone) that one connects to a server from, then that opens the question in my mind of what folks are doing for passphrases for these keys.

Obviously the ideal would be very strong, unique passphrases per device, but then if one has 4+ devices, this can get fairly challenging to remember.

Do you use passphrases on per-device keys?
Do you re-use the passphrase across keys?
Do you forgo traditional ssh keys stored on the computer in favor of Yubikeys?
Do you have tools to help you manage which keys are on which hosts so you can retire or revoke them as necessary?

#SSH #InfoSec

I'm going to give some unsolicited thoughts on this beyond my own question in hopes someone tells me why I'm wrong.

I think per client-device keys are the right approach. If your laptop is lost or stolen, then this should make it easy to revoke that keypair.

The problem is we don't seem to have good tooling around revocation. If my laptop is stolen, I want to be able to revoke that key quickly and easily. Similarly, I want to be able to quickly and easily introduce a new keypair for a new device, e.g. "I got a new laptop. Let me run this script where I use existing keys to validate the propagation of my new public key"

1/2

#Infosec

@serge ha, that sounds like you're describing SSH CA ;)

@viq

I don't quite get what this gives me in terms of the challenges I mentioned, especially distribution and revocation.

Are you saying we tell the clients "Trust any key by this CA?"

If I do that, how do I revoke a key?

@serge with a CA, your key also needs a certificate signed by the CA. That certificate can be valid for, say, 15 minutes. Without the key, the certificate doesn't give you anything. Without the certificate, the key doesn't give you anything.
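
The short-lived certificate described in the post above, as an added example that is not part of the thread. It assumes OpenSSH's `ssh-keygen` is installed; the file names, key ID `alice-laptop`, principal `alice` and the `sshd_config` path are constructed for illustration.

```shell
#!/bin/sh
# Added example: file names, key ID and principal are constructed values.
set -e

# Create a demo CA, a per-device key, and a certificate valid for 15 minutes.
# Prints the path of the resulting certificate.
issue_short_lived_cert() {
    dir=$1
    # CA key pair. A real CA key gets a passphrase or lives in a signing
    # service; -N '' (no passphrase) only keeps this demo non-interactive.
    ssh-keygen -q -t ed25519 -N '' -C 'demo-user-ca' -f "$dir/user_ca"
    # Per-device key pair, as it would be generated on the laptop itself.
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$dir/laptop_key"
    # Sign the device's PUBLIC key: -I is the key ID recorded in the
    # certificate, -n the permitted login name, -V +15m the expiry.
    ssh-keygen -q -s "$dir/user_ca" -I 'alice-laptop' -n alice -V +15m \
        "$dir/laptop_key.pub"
    # ssh-keygen writes the certificate next to the key as <name>-cert.pub.
    printf '%s\n' "$dir/laptop_key-cert.pub"
}

# Print one single-line field ("Key ID", "Valid", "Type", ...) of a certificate.
cert_field() {
    ssh-keygen -L -f "$1" | sed -n "s/^[[:space:]]*$2: *//p"
}

demo_dir=$(mktemp -d)
cert=$(issue_short_lived_cert "$demo_dir")
echo "Type:   $(cert_field "$cert" 'Type')"
echo "Key ID: $(cert_field "$cert" 'Key ID')"
echo "Valid:  $(cert_field "$cert" 'Valid')"
rm -rf "$demo_dir"

# Server side, in sshd_config (path is an assumption): sshd then accepts any
# unexpired certificate signed by this CA for the listed principal.
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
```

Once the `Valid` window has passed, the certificate is rejected, so a stolen laptop key stops working unless the CA signs a fresh certificate for it.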

@viq

Ah! So it's as much a service as a signing authority. Can you point me to a resource on this?

@serge it's somewhat like with TLS - you can use openssl to generate a CA key and cert and then sign certificates with it, or you can use one of a myriad of scripts and services that make it easier in various ways.
I know HashiCorp Vault does it, I think Teleport does, smallstep CA has something there as well. There most likely are others.
@serge From a very quick search, https://liw.fi/sshca/ seems to have some basic info and links.
SSH CA host and user certificates

@viq

Thanks! I'm a little unclear on this stuff so will read! I appreciate your help!

@serge feel free to ask :)