My SSH keys are old. Many times I had the idea to replace them and clean up. But the approach feels old, not intuitive, and I'm afraid of problems.

How do you manage keys and make sure they do not get too old?

    • cmnybo@discuss.tchncs.de · 5 points · 3 days ago

      So what happens when the certificate expires? Do you get locked out if you don’t have physical access?

      • AbidanYre@lemmy.world · 2 points · edited · 2 days ago

        Like the other commenter said, they’re expiring regularly. Host keys expire ~monthly and there’s a cronjob to reach out to the certificate authority server to renew them. User certs expire ~daily and the first time I ssh on any given day I have to authenticate with the CA. Recently tied it to PocketID for SSO.

        • Anekdoteles@feddit.org · 2 up / 1 down · 1 day ago

          Sooo, CA unreachable means connection dead, which is a manageable risk. But giving a third party the authority over my SSH access sounds like a great way to make it convenient for state actors to invade my privacy.

          • mik@sh.itjust.works · 1 point · 3 hours ago

            CA unreachable means no renewals, but identity verification (login) is offline. As long as certs renewed fine, connection to the CA is not needed.

          • AbidanYre@lemmy.world · 3 up / 1 down · 1 day ago

            I mean, the CA is also self hosted so I’m not sure what you think the extra attack vector is here.

      • non_burglar@lemmy.world · 7 points · 3 days ago

        Re-gen the keys. In this environment, you would have a PKI set up and automation to handle cert renewal.

        Having the certs expire is an advantage, security-wise. Auth will expire with certs, and stolen creds can be instantly invalidated.
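The short-lived certificate setup described by AbidanYre (host certs renewed by a cron job, user certs that expire daily) and non_burglar (expiry as the invalidation mechanism) depends on something checking the validity window before it closes. The following added example, which is not code from any commenter, parses the OpenSSH `ssh-ed25519-cert-v01@openssh.com` certificate blob (the format documented in OpenSSH's PROTOCOL.certkeys) and reports whether a cert is still valid, due for renewal, or expired. The sample certificate is constructed inline with dummy key and signature bytes, and the code does not verify the CA signature; a real renewal job would run this kind of check against `~/.ssh/id_ed25519-cert.pub` or the host's `ssh_host_ed25519_key-cert.pub` and call out to the CA only when the status is `renew`. The same fields are what `ssh-keygen -L -f <cert>` prints.

```python
"""Parse OpenSSH certificates and decide whether they are due for renewal."""
import base64
import struct
import time

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT, HOST_CERT = 1, 2   # values of the `type` field in PROTOCOL.certkeys


class _Reader:
    """Cursor over SSH wire-format data (uint32 / uint64 / string, RFC 4251)."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def string(self) -> bytes:
        n = self.u32()
        s = self.data[self.pos:self.pos + n]
        if len(s) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return s

    def at_end(self) -> bool:
        return self.pos >= len(self.data)


def parse_cert(blob: bytes) -> dict:
    """Extract serial, type, key id, principals and validity window from a cert blob."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE.encode():
        raise ValueError("not an ssh-ed25519 certificate")
    r.string()                        # nonce
    r.string()                        # the public key being certified
    serial = r.u64()
    cert_type = r.u32()
    key_id = r.string().decode()
    principals = []
    pr = _Reader(r.string())          # principals: a packed list of strings
    while not pr.at_end():
        principals.append(pr.string().decode())
    valid_after = r.u64()             # seconds since the epoch
    valid_before = r.u64()            # 2**64-1 means "forever"
    return {
        "serial": serial,
        "type": "user" if cert_type == USER_CERT else "host",
        "key_id": key_id,
        "principals": principals,
        "valid_after": valid_after,
        "valid_before": valid_before,
    }


def parse_cert_line(line: str) -> dict:
    """Parse an id_ed25519-cert.pub style line: '<type> <base64> [comment]'."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != CERT_TYPE:
        raise ValueError("unsupported certificate line")
    return parse_cert(base64.b64decode(fields[1]))


def to_cert_line(blob: bytes, comment: str) -> str:
    """Inverse of parse_cert_line: encode a blob as a .pub-style line."""
    return f"{CERT_TYPE} {base64.b64encode(blob).decode()} {comment}"


def renewal_status(cert: dict, now: int, renew_within: int) -> str:
    """Return 'ok', 'renew', 'expired' or 'not-yet-valid' relative to `now`."""
    if now < cert["valid_after"]:
        return "not-yet-valid"
    if now >= cert["valid_before"]:
        return "expired"
    if cert["valid_before"] - now <= renew_within:
        return "renew"
    return "ok"


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_sample_cert(key_id, principals, cert_type, valid_after, valid_before) -> bytes:
    """Constructed sample cert with dummy key bytes and no real signature."""
    return (
        _string(CERT_TYPE.encode())
        + _string(b"\x00" * 32)                   # nonce
        + _string(b"\x01" * 32)                   # certified public key (dummy)
        + struct.pack(">Q", 42)                   # serial
        + struct.pack(">I", cert_type)
        + _string(key_id.encode())
        + _string(b"".join(_string(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + _string(b"")                            # critical options
        + _string(b"")                            # extensions
        + _string(b"")                            # reserved
        + _string(b"\x02" * 51)                   # CA public key (dummy)
        + _string(b"\x03" * 83)                   # signature (dummy)
    )


if __name__ == "__main__":
    issued = int(time.time()) - 20 * 3600         # user cert issued 20 hours ago
    blob = build_sample_cert("alice", ["alice"], USER_CERT, issued, issued + 86400)
    cert = parse_cert_line(to_cert_line(blob, "alice@laptop"))
    # about 4 hours left, inside the 6-hour renewal window, so the status is "renew"
    print(cert["key_id"], cert["principals"], renewal_status(cert, int(time.time()), 6 * 3600))
```

A renewal cron job would treat `renew` as "contact the CA now" and `expired` as "the cached cert is useless, re-authenticate"; because the check itself needs only the local cert file, it behaves exactly as mik describes: an unreachable CA blocks renewals but not logins with a cert that is still inside its window.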