On Sat, 27 Jul 2013, Brian wrote:
> On Sat 27 Jul 2013 at 12:05:05 +0300, Lars Noodén wrote:
> > On 07/26/2013 11:26 PM, Brian wrote:
> > > Does this 'good idea' have reasons to support it?
> >
> > It is for much the same reasons that passwords are rotated. It was
> > mainly this draft that convinced me:
> >
> > http://datatracker.ietf.org/doc/draft-ylonen-sshkeybcp/?include_text=1
> >
> > It mentions rotating the keys in several places.
>
> Thank you, that was an interesting read. The focus of the draft is on
> organisations which utilise SSH keys extensively, so in such a situation
> I can understand a recommendation for key rotation because ignoring it
> may have disastrous consequences. Users with small networks and with
> well managed access to them would rarely have a need to change passwords
> or keys at predetermined intervals.

If you have that key sitting anywhere outside of a hardened smartcard,
you should rotate it every so often, in case someone managed to snag a
copy of it while you were not paying attention. It is NOT too much pain
to rotate keys once a year, unless you're doing it wrong in the first
place.

It is also good practice to never share the same key across hosts (or if
that's impractical, across security domains), and to have specific keys
for specific services. This practice can greatly reduce the damage
caused by a compromised key.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
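
One way to audit the "never share the same key across hosts" advice in the message above, as an added example that is not part of the original thread: it fingerprints every entry in a set of `authorized_keys` files and reports keys authorized on more than one host. The host names and key blobs are constructed sample data.

```python
import base64
import hashlib
from collections import defaultdict

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # public key type names

def split_fields(line):
    """Split on whitespace, but not inside double-quoted option values."""
    fields, cur, quoted, escaped = [], "", False, False
    for ch in line.strip():
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = (ch == "\\" and not escaped)
        if ch.isspace() and not quoted:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
    return fields + ([cur] if cur else [])

def fingerprint(line):
    """SHA256 fingerprint of the key on one authorized_keys line, else None."""
    fields = split_fields(line)
    if not fields or fields[0].startswith("#"):
        return None
    for i, field in enumerate(fields[:-1]):  # skip any leading options field
        if field.startswith(KEY_PREFIXES):
            digest = hashlib.sha256(base64.b64decode(fields[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def shared_keys(hosts):
    """Map fingerprint -> sorted hosts, for keys authorized on more than one host."""
    seen = defaultdict(set)
    for host, text in hosts.items():
        for line in text.splitlines():
            fp = fingerprint(line)
            if fp:
                seen[fp].add(host)
    return {fp: sorted(h) for fp, h in seen.items() if len(h) > 1}

def sample_key(seed):
    """Constructed ed25519-shaped blob for the demo; not a real key."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return "ssh-ed25519 " + base64.b64encode(raw).decode()

A, B = sample_key(b"a"), sample_key(b"b")
SAMPLE = {  # constructed authorized_keys contents, keyed by hypothetical host name
    "web1": f"{A} alice@laptop\n",
    "db1": f'command="pg_dump -Fc app",no-pty {A} backup\n{B} bob@desk\n',
    "mail1": f"# mail relay key\n{sample_key(b'c')} relay\n",
}
```

Calling `shared_keys(SAMPLE)` flags the key that appears on both `web1` and `db1`, even though one of the entries carries a `command=` restriction; the fingerprints have the same form as `ssh-keygen -lf` output.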