What is the best strategy to refresh ssh keys?

https://feddit.org/post/23282968


My ssh keys are old. Many times I had the idea to replace them and clean up. But the approach feels old and not intuitive, and I'm afraid of problems. How do you manage keys and make sure they do not get too old?

I moved over to certificates a while ago.

smallstep.com/blog/use-ssh-certificates/

If you’re not using SSH certificates you’re doing SSH wrong

SSH has some pretty gnarly issues when it comes to usability, operability, and security. The good news is this is all easy to fix. SSH is ubiquitous. It’s the de-facto solution for remote administration of *nix systems. SSH certificate authentication makes SSH easier to use, easier to operate, and more secure.

So what happens when the certificate expires? Do you get locked out if you don't have physical access?

Like the other commenter said, they're expiring regularly. Host keys expire ~monthly and there's a cronjob to reach out to the certificate authority server to renew them. User certs expire ~daily and the first time I ssh on any given day I have to authenticate with the CA. Recently tied it to PocketID for SSO.
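The setup described in the comment above (host certs valid for about a month, user certs for about a day, a cron job deciding when to renew) can be tried out with nothing but OpenSSH's ssh-keygen. The script below is an added example and is not code from this thread or from smallstep; the key names, the host `web01`, the user `alice` and the 7-day renewal margin are made-up placeholders, and `parse_valid_to` assumes the `Valid: from ... to ...` line format that `ssh-keygen -L` prints.

```shell
#!/bin/sh
# Added example, not code from the thread or from smallstep: a bare-bones
# SSH CA flow with ssh-keygen plus the check a renewal cron job needs.
# Every name below (CA key files, "web01", "alice") is a made-up placeholder.
set -eu

# Sign a host key with the host CA. The certificate is valid for 4 weeks and
# its principal is the host name clients connect to; sshd presents it via
# HostCertificate and clients trust the CA with a @cert-authority line in
# known_hosts instead of pinning individual host keys.
issue_host_cert() {
  ca_key="$1" hostkey_pub="$2" host="$3"
  ssh-keygen -q -s "$ca_key" -I "host:$host" -h -n "$host" -V +4w "$hostkey_pub"
  # writes "${hostkey_pub%.pub}-cert.pub" next to the public key
}

# Sign a user key with the user CA: valid for 1 day, principals are the login
# names the holder may use, so no authorized_keys entry is needed on the host
# (sshd trusts the CA via TrustedUserCAKeys).
issue_user_cert() {
  ca_key="$1" userkey_pub="$2" ident="$3" principals="$4"
  ssh-keygen -q -s "$ca_key" -I "$ident" -n "$principals" -V +1d "$userkey_pub"
}

# Read `ssh-keygen -L` output on stdin and print the end of the validity
# window ("Valid: from A to B" -> B), or "forever" when no window is set.
parse_valid_to() {
  sed -n -e 's/.*Valid: forever.*/forever/p' \
         -e 's/.*Valid: from [^ ]* to \([^ ]*\).*/\1/p'
}

# needs_renewal VALID_TO DEADLINE: succeed (exit 0) when the cert expires at
# or before DEADLINE. Both are ISO-8601 timestamps as ssh-keygen prints them,
# which compare correctly as plain strings. A cron job passes
# "now + safety margin" as DEADLINE so it renews before expiry, not after.
needs_renewal() {
  valid_to="$1" deadline="$2"
  if [ "$valid_to" = forever ]; then
    return 1
  fi
  [ "$(expr "$valid_to" \<= "$deadline")" = 1 ]
}

# End-to-end demo in a scratch directory: two CAs, one host cert, one user
# cert, then the renewal decision for each. Skipped when ssh-keygen is absent.
demo() {
  if ! command -v ssh-keygen >/dev/null 2>&1; then
    echo "ssh-keygen not installed, demo skipped"
    return 0
  fi
  work="$(mktemp -d)"
  trap 'rm -rf "$work"' EXIT
  for k in host_ca user_ca web01_host alice; do
    ssh-keygen -q -t ed25519 -N '' -f "$work/$k" -C "$k"
  done
  issue_host_cert "$work/host_ca" "$work/web01_host.pub" web01
  issue_user_cert "$work/user_ca" "$work/alice.pub" alice@laptop alice,admin

  # Renewal margin of 7 days; GNU date first, BSD date second, and as a last
  # resort "now" (which only flags certs that have already expired).
  deadline="$(date -u -d '+7 days' +%FT%T 2>/dev/null \
           || date -u -v+7d +%FT%T 2>/dev/null \
           || date -u +%FT%T)"
  for cert in web01_host-cert.pub alice-cert.pub; do
    valid_to="$(ssh-keygen -L -f "$work/$cert" | parse_valid_to)"
    if needs_renewal "$valid_to" "$deadline"; then
      echo "$cert: valid until $valid_to, renew now"
    else
      echo "$cert: valid until $valid_to, ok"
    fi
  done
}

demo
```

With the margin above, the 1-day user cert is always flagged for renewal and the 4-week host cert is not, which is the split the comment describes: users re-authenticate to the CA daily, hosts are re-signed by the cron job only as the month runs out.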
Sooo, CA unreachable means connection dead, which is a manageable risk. But giving a third party the authority over my SSH access sounds like a great way to make it convenient for state actors to invade my privacy.

CA unreachable means no renewals, but identity verification (login) is offline. As long as certs renewed fine, connection to the CA is not needed.