On 20130727_140629, Henrique de Moraes Holschuh wrote: > On Sat, 27 Jul 2013, Brian wrote: > > On Sat 27 Jul 2013 at 12:05:05 +0300, Lars Noodén wrote: > > > On 07/26/2013 11:26 PM, Brian wrote: > > > > Does this 'good idea' have reasons to support it? > > > > > > It is for much the same reasons that passwords are rotated. It was > > > mainly this draft that convinced me: > > > > > > http://datatracker.ietf.org/doc/draft-ylonen-sshkeybcp/?include_text=1 > > > > > > It mentions rotating the keys in several places. > > > > Thank you, that was an interesting read. The focus of the draft is on > > organisations which utilise SSH keys extensively, so in such a situation > > I can understand a recommendation for key rotation because ignoring it > > may have disastrous consequences. Users with small networks and with > > well managed access to them would rarely have a need to change passwords > > or keys at predetermined intervals. > > If you have that key sitting anywhere outside of a hardened smartcard, you > should rotate it every so often, in case someone managed to snag a copy of > it while you were not paying attention. It is NOT too much pain to rotate > keys once an year, unless you're doing it wrong in the first place. > > It is also good practice to never share the same key across hosts (or if > that's impratical, across security domains), and to have specific keys for
I'm lurking here, hoping to learn things: In this case, what is a 'security domain'? Don't make fun of me. I really haven't, to my memory, come across the term, before. > specific services. This practice can greatly reduce the damage caused by a > compromised key. > -- Paul E Condon pecon...@mesanetworks.net -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130727222740.GA19973@big