On Sat 27 Jul 2013 at 14:06:29 -0300, Henrique de Moraes Holschuh wrote:
> On Sat, 27 Jul 2013, Brian wrote:
> >
> > Thank you, that was an interesting read. The focus of the draft is on
> > organisations which utilise SSH keys extensively, so in such a situation
> > I can understand a recommendation for key rotation because ignoring it
> > may have disastrous consequences. Users with small networks and with
> > well managed access to them would rarely have a need to change passwords
> > or keys at predetermined intervals.
>
> If you have that key sitting anywhere outside of a hardened smartcard, you
> should rotate it every so often, in case someone managed to snag a copy of
> it while you were not paying attention. It is NOT too much pain to rotate
> keys once a year, unless you're doing it wrong in the first place.

Something akin to that happening doesn't seem like 'well managed access'.
Most people are capable of looking after the keys to their place of
residence, so it should not be too onerous to follow a decent practice for
keeping their ssh keys/passwords safe.

It goes through my mind that rotating keys on 1st January every year
doesn't prevent lack of attention leading to the key being leaked a few
days later. But I expect sizable organisations have a way of dealing with
that.

> It is also good practice to never share the same key across hosts (or if
> that's impractical, across security domains), and to have specific keys for
> specific services. This practice can greatly reduce the damage caused by a
> compromised key.

We are in agreement there.

Archive: http://lists.debian.org/27072013184753.88b2f96a5...@desktop.copernicus.demon.co.uk
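The two practices discussed in the thread, one key per host and a yearly rotation, can be made routine with a small shell helper. The script below is an added example, not code from either poster; it assumes per-host keys are kept under `~/.ssh/keys` (the `KEYDIR` variable is an assumption) and uses `find -mtime` rather than a platform-specific `stat` so the age check is portable.

```shell
#!/bin/sh
# Added example: one SSH key per host, pinned via IdentitiesOnly, plus a
# portable "older than a year" check that flags keys due for rotation.
KEYDIR="${KEYDIR:-$HOME/.ssh/keys}"   # assumption: per-host keys live here
ROTATE_AFTER_DAYS=365                 # the thread's "once a year"

# Path of the private key dedicated to one host.
key_path() { printf '%s/id_ed25519_%s\n' "$KEYDIR" "$1"; }

# ssh_config stanza binding exactly one key to one host. IdentitiesOnly
# keeps the client from offering every loaded key to every host, which is
# what "never share the same key across hosts" needs on the client side.
config_stanza() {
    host="$1"
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' \
        "$host" "$(key_path "$host")"
}

# Emit a complete ssh_config fragment for a list of hosts.
gen_config() { for h in "$@"; do config_stanza "$h"; done; }

# Succeeds (returns 0) if the key file is missing or older than
# ROTATE_AFTER_DAYS. find prints the path only when the file is that old.
needs_rotation() {
    f="$1"
    [ -f "$f" ] || return 0
    [ -n "$(find "$f" -mtime +"$ROTATE_AFTER_DAYS" 2>/dev/null)" ]
}

# Generate a fresh passphrase-protected key for a host. The previous pair is
# kept as *.old so its public half can be removed from the host's
# authorized_keys once the new one is installed (e.g. ssh-copy-id -i new.pub).
rotate_key() {
    host="$1"; f="$(key_path "$host")"
    mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR"
    if [ -f "$f" ]; then
        mv "$f" "$f.old"
        [ -f "$f.pub" ] && mv "$f.pub" "$f.pub.old"
    fi
    # -a 100 raises the KDF rounds protecting the passphrase; no -N, so
    # ssh-keygen prompts for a passphrase instead of writing a bare key.
    ssh-keygen -q -t ed25519 -a 100 \
        -C "$(id -un)@$(hostname)-$host-$(date +%Y%m%d)" -f "$f"
}

# Audit: list hosts whose dedicated key is missing or overdue.
audit_keys() {
    for h in "$@"; do
        if needs_rotation "$(key_path "$h")"; then
            printf 'ROTATE %s\n' "$h"
        else
            printf 'ok     %s\n' "$h"
        fi
    done
}

# Usage (only when explicitly requested, so sourcing the file has no effect):
#   SSH_KEY_DEMO=1 sh keys.sh alpha beta   -> audit, then print the config
if [ "${SSH_KEY_DEMO:-0}" = 1 ]; then
    audit_keys "$@"
    gen_config "$@"
fi
```

Run the audit periodically (a cron entry is enough); a host reported as `ROTATE` gets `rotate_key host`, the new public key is installed, and only then is the `.old` public key removed from the remote `authorized_keys`, so access never lapses mid-rotation.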