Changing keys - SSH



Thread: Changing keys

  1. Changing keys

    Much ado is made these days about changing passwords on a regular basis.
    Something to do with Sarbox I think. What about changing keypairs? Is
    there any real benefit to trashing old keys and generating new ones
    every few months? Normally I just use a strong passphrase and change it
    on my private key at the same time I change other passwords, but I was
    wondering what opinions others have on the subject.

  2. Re: Changing keys

    On 2006-05-19, Chuck wrote:

    > Much ado is made these days about changing passwords on a regular basis.
    > Something to do with Sarbox I think. What about changing keypairs? Is
    > there any real benefit to trashing old keys and generating new ones


    Probably not. Particularly as changing a password or key does not keep
    out someone who's previously had access and arranged to keep it with
    some sort of backdoor.

    Fred Cohen and Spaf have written about the logic (such as it is)
    of password aging.

    http://all.net/journal/netsec/1997-09.html

    http://www.cerias.purdue.edu/weblogs...neral/post-30/
    http://www.cerias.purdue.edu/weblogs...neral/post-32/


    Forced password aging is useful for spotting unused accounts
    but I think that's all.

    I suggest aiming for strong passwords and letting them remain a long time.
    (And a maximum length of 8 chars is not much good these days so use where
    possible one of the more modern password hashes.)

    One thing I especially dislike is the "password history" of N items
    usually combined with a MINIMUM password age. If someone realises
    they've just given their password to a phishing site they should be
    able to change all their passwords right away.

    If you must have a "password history" (and I don't much endorse that)
    at least measure it by age and not by length: e.g. you cannot reuse a
    password in a year. This means the actual length of the list (of hashes)
    that is stored and banned will vary but you can prevent someone reusing
    a recent password without needing to impose a minimum age.

    Of course there are sometimes actual reasons to change a password (other
    than age) e.g. you find that a Harry Potter character has been invented with
    the name of your password and before long all the crackers will be trying it.
    (Blast those stupid schoolkids with punctuation in their names!)

    --
    Elvis Notargiacomo master AT barefaced DOT cheek
    http://www.notatla.org.uk/goen/
    Powergen write "Why not stay with us" - let me count the ways!
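The age-based password history the reply argues for (reuse banned for a year, no minimum age, a variable-length list of stored hashes) is easy to get wrong if you model it as a fixed-size ring of N hashes. The following is an added example, not code from the thread or from any product mentioned in it; the salted PBKDF2 hashing, the one-year window and the class and method names are my own choices.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import List, Optional

# "you cannot reuse a password in a year": the ban is measured by age, not by count.
HISTORY_WINDOW_SECONDS = 365 * 24 * 3600
PBKDF2_ROUNDS = 100_000  # example value; tune to your hardware


@dataclass
class HistoryEntry:
    salt: bytes
    digest: bytes
    set_at: float  # unix time at which this password became the active one


@dataclass
class AccountPasswordHistory:
    """Age-based history: an old password is refused only while it is younger than
    HISTORY_WINDOW_SECONDS, so the number of stored hashes varies per account."""
    entries: List[HistoryEntry] = field(default_factory=list)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def _prune(self, now: float) -> None:
        # Entries older than the window can never be matched again, so drop them.
        self.entries = [e for e in self.entries if now - e.set_at < HISTORY_WINDOW_SECONDS]

    def was_used_recently(self, candidate: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        self._prune(now)
        for e in self.entries:
            # Constant-time compare so the check does not leak which entry matched.
            if hmac.compare_digest(self._hash(candidate, e.salt), e.digest):
                return True
        return False

    def change_password(self, new_password: str, now: Optional[float] = None) -> bool:
        """Return True if the change is accepted. There is deliberately no minimum
        age: someone who just typed a password into a phishing site can change it
        immediately; only reuse of a password set within the window is refused."""
        now = time.time() if now is None else now
        if self.was_used_recently(new_password, now):
            return False
        salt = os.urandom(16)
        self.entries.append(HistoryEntry(salt, self._hash(new_password, salt), now))
        return True


if __name__ == "__main__":
    # Constructed timeline: t0 is an arbitrary epoch, not a real event.
    h = AccountPasswordHistory()
    t0 = 1_000_000.0
    print(h.change_password("correct horse", now=t0))            # True: first password
    print(h.change_password("correct horse", now=t0 + 10))       # False: reused within a year
    print(h.change_password("battery staple", now=t0 + 10))      # True: no minimum age
    print(h.change_password("correct horse", now=t0 + HISTORY_WINDOW_SECONDS + 5))  # True: entry aged out
    print(len(h.entries))                                        # 2: one pruned, one added
```

Because pruning happens on every check, the stored list never grows beyond the passwords actually set within the window, which is what makes the "variable length" property cheap to implement.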

  3. Re: Changing keys

    Chuck wrote:
    > Much ado is made these days about changing passwords on a regular
    > basis. Something to do with Sarbox I think. What about changing
    > keypairs? Is there any real benefit to trashing old keys and
    > generating new ones every few months? Normally I just use a strong
    > passphrase and change it on my private key at the same time I change
    > other passwords, but I was wondering what opinions others have on the
    > subject.


    Strong passphrases can be keystroke sniffed on rootkit-ed boxes, and private
    and public keys stolen by various means including setups where people put
    them on NFS shares, improperly secured boxes, etc. So there is some use to
    doing this in a really secure environment.

    In such environments, I've tended to use ssh-agent for the "active" key and
    to store a deprecated key or two as needed, for targets that didn't get the
    most recent update of the public key.
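Keeping "a deprecated key or two" for targets that have not yet received the new public key means each rotation edits `authorized_keys` on every target: the new key goes in, the oldest of the owner's keys goes out, other users' entries are untouched. The helper below is an added example and is not the poster's code or part of OpenSSH; it assumes the owner's keys can be recognised by a comment prefix (a convention this example introduces), computes OpenSSH-style SHA256 fingerprints so the operator can log what was removed, and builds placeholder ed25519 key blobs so it runs offline (they are not real keys).

```python
import base64
import hashlib
import struct
from typing import List, NamedTuple


class AuthorizedKey(NamedTuple):
    options: str    # leading option string such as from="10.0.0.0/8", or "" if none
    key_type: str   # e.g. "ssh-ed25519"
    blob_b64: str   # base64 key blob exactly as it appears in the file
    comment: str    # trailing comment, e.g. "chuck@laptop 2006-05"


KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_keys(text: str) -> List[AuthorizedKey]:
    """Parse authorized_keys lines, tolerating leading options and comment lines."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # not a key line we understand: skip rather than guess
        keys.append(AuthorizedKey(" ".join(parts[:idx]), parts[idx],
                                  parts[idx + 1], " ".join(parts[idx + 2:])))
    return keys


def fingerprint(key: AuthorizedKey) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without padding."""
    blob = base64.b64decode(key.blob_b64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def format_key(key: AuthorizedKey) -> str:
    return " ".join(f for f in (key.options, key.key_type, key.blob_b64, key.comment) if f)


def rotate(text: str, new_key_line: str, owner: str, keep_deprecated: int = 2) -> str:
    """Return new file contents: the new key first, then at most `keep_deprecated`
    of the owner's previous keys (file order is newest first), then everyone else.
    Running it twice with the same new key is a no-op."""
    new_key = parse_authorized_keys(new_key_line)[0]
    new_fp = fingerprint(new_key)
    existing = parse_authorized_keys(text)
    mine = [k for k in existing if k.comment.startswith(owner) and fingerprint(k) != new_fp]
    others = [k for k in existing if not k.comment.startswith(owner)]
    kept = [new_key] + mine[:keep_deprecated]
    return "\n".join(format_key(k) for k in kept + others) + "\n"


def removed_fingerprints(before: str, after: str) -> List[str]:
    """Fingerprints present before the rotation but absent afterwards (for the change log)."""
    after_fps = {fingerprint(k) for k in parse_authorized_keys(after)}
    return [fingerprint(k) for k in parse_authorized_keys(before) if fingerprint(k) not in after_fps]


def constructed_ed25519_line(seed: int, comment: str) -> str:
    """Constructed, syntactically valid ssh-ed25519 line whose 32-byte point is a
    repeated placeholder byte. NOT a real key; exists only so the example runs offline."""
    point = bytes([seed]) * 32
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    # Constructed authorized_keys with three of the owner's keys and one other user's.
    before = "\n".join([
        constructed_ed25519_line(3, "chuck@laptop 2006-02"),
        constructed_ed25519_line(2, "chuck@laptop 2005-11"),
        constructed_ed25519_line(1, "chuck@laptop 2005-08"),
        "# bastion operator",
        'from="10.0.0.0/8" ' + constructed_ed25519_line(9, "admin@bastion"),
    ])
    after = rotate(before, constructed_ed25519_line(4, "chuck@laptop 2006-05"), owner="chuck@")
    print(after)
    print("removed:", removed_fingerprints(before, after))
```

The new key is placed first because `sshd` tries entries in file order and the active key is the one `ssh-agent` will normally offer; the deprecated keys stay usable until the next rotation pushes them out.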


