On Friday, 15 July 2022 14:44:10 CEST Neil Bothwick wrote:
> On Fri, 15 Jul 2022 09:53:44 +0200, J. Roeleveld wrote:
>
> > > There's no reason you cannot change SSH keys as regularly, and good
> > > reasons why you should. It's just that people don't bother to do it.
> >
> > I agree, but that is a tedious process.
> >
> > I have multiple machines I use as desktop depending on where I am. And
> > either I need to securely share the private keys between them or set up
> > different keys per desktop.
> > I assume the same is true for most people.
>
> I don't share keys, each desktop/laptop has its own keys.

I agree this is more secure as you can remove potentially leaked keys
individually. But with more devices, the number of keys and places where
these need to be removed increases.

> > Never mind that access to the servers needs to be possible for others
> > as well.
> >
> > Either way, to do this automatically, all the desktop machines need to
> > be powered and running while changing the keys.
>
> Not if they use their own keys. It should be simple to script generating
> a new key, then SSHing to a list of machines and replacing the old key
> with the new one in authorized_keys.

This script will need to be run by the individual user. I prefer to
control this centrally.

> > Changing passwords for servers and storing them in a password vault is
> > easier to automate.
>
> Indeed it is, and now you've found a way to do what you want with
> passwords, all is well.
>
> However, I will look at scripting regular replacements for SSH keys, for
> my own peace of mind.

Most security improvements start with "simple" questions like these :)

Good luck with your scripts :)

-- 
Joost
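Neil's suggested approach above (generate a new key, SSH to a list of machines, swap the old key for the new one in authorized_keys) as an added example; this is not code from the thread or from either poster. The script name, hosts and key paths are hypothetical, and it assumes both private keys are loaded in ssh-agent so the batch-mode connections never prompt; the ordering (add, verify, then remove) is what keeps a failed push from locking the user out.

```sh
#!/bin/sh
# Rotate one user's SSH key on a list of servers without locking yourself out:
# install the new public key while the old one still authenticates, prove the
# new key works on its own, and only then remove the old key.
# Assumes both private keys are loaded in ssh-agent, so BatchMode never prompts.
set -eu
SSH_OPTS="-o BatchMode=yes -o IdentitiesOnly=yes"
# replace_in_authorized_keys OLD_PUB NEW_PUB AUTH_FILE
# Drops every line carrying the old key blob (second field) and any earlier copy
# of the new key (so re-running is harmless), then appends NEW_PUB.
# Returns 1 and leaves AUTH_FILE untouched when the old key is not present.
replace_in_authorized_keys() {
    old_blob=$(awk '{ print $2 }' "$1")
    new_line=$(cat "$2")
    new_blob=$(printf '%s\n' "$new_line" | awk '{ print $2 }')
    auth="$3"
    grep -qF -- "$old_blob" "$auth" || return 1
    tmp="$auth.rotate.$$"
    { grep -vF -e "$old_blob" -e "$new_blob" -- "$auth" || true
      printf '%s\n' "$new_line"; } > "$tmp"
    chmod 600 "$tmp" && mv -- "$tmp" "$auth"
}

# rotate_host HOST OLD_KEY NEW_KEY   (private key paths; the .pub files sit alongside)
rotate_host() {
    host="$1"; old="$2"; new="$3"
    work=$(mktemp)
    # Step 1: add the new key next to the old one, authenticating with the old key.
    ssh $SSH_OPTS -i "$old" "$host" \
        'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < "$new.pub"
    # Step 2: a login that may use nothing but the new key has to succeed.
    if ! ssh $SSH_OPTS -i "$new" "$host" true; then
        echo "new key rejected on $host; old key left in place" >&2
        rm -f "$work"; return 1
    fi
    # Step 3: rewrite authorized_keys with the function above and push it back.
    ssh $SSH_OPTS -i "$new" "$host" 'cat ~/.ssh/authorized_keys' > "$work"
    replace_in_authorized_keys "$old.pub" "$new.pub" "$work"
    ssh $SSH_OPTS -i "$new" "$host" 'umask 077; cat > ~/.ssh/authorized_keys.new &&
        mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys' < "$work"
    rm -f "$work"
}
# Usage: rotate-ssh-key.sh NEW_KEY OLD_KEY HOST...   (hypothetical script name)
if [ $# -ge 3 ]; then
    new="$1"; old="$2"; shift 2
    ssh-keygen -t ed25519 -f "$new" -C "$(id -un)@$(hostname) $(date +%F)"
    ssh-add "$new"
    for h in "$@"; do rotate_host "$h" "$old" "$new" || echo "FAILED: $h" >&2; done
fi
```

Because step 3 removes the old key only after a connection restricted to the new key has succeeded, a host where the push failed keeps the old key and is reported rather than silently left unreachable.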

