Do ssh keys expire? -- was -- Re: Looking for a working example of sshd_config setup file
Jeffrey Walton
noloader at gmail.com
Tue Aug 19 10:06:47 UTC 2025
On Tue, Aug 19, 2025 at 4:36 AM David Fletcher <dave at thefletchers.net> wrote:
> [...]
>
> I just want to ask a question because I've been watching this thread,...
>
> Question - Will I at some time need to create new keys? My id_rsa and
> id_rsa.pub files are dated 2007-12-29.
>
The only time you should rotate a key or a password is if you believe the
key or password has been compromised, or you have evidence it was compromised.
That's because Key Continuity is a better security property than
gratuitous Key Rotation based on the tasseomancer reading tea leaves.
In fact, StrictHostKeyChecking _is_ the key continuity scheme used in
SSH. StrictHostKeyChecking is based on an early experiment called
Perspectives in SSH, if I recall correctly.
If you ask the tasseomancer where he or she came up with the 2-year public
key rotation or the 90-day password rotation, they will not be able to
give you a science based answer. They will basically pull it out of their
ass in what Peter Gutmann calls "crypto-numerology".
For detailed reading on key continuity and failed password policies, see
Peter Gutmann's Engineering Security,
<https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf>.
Jeff
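To make the key-continuity point above concrete, here is an added illustration in Python of what the OpenSSH client's known_hosts check decides; it is not part of the original post and not OpenSSH's own code. It parses both plain and hashed (`|1|salt|hash`, HMAC-SHA1 over the hostname) known_hosts entries, classifies a presented host key as a match, a changed key, or an unknown host, and maps that verdict through the StrictHostKeyChecking setting. The known_hosts content and the base64 key blobs are constructed for the example and are not real keys; `@cert-authority`/`@revoked` markers and wildcard host patterns are deliberately not modelled.

```python
"""Key continuity as the OpenSSH client's known_hosts check applies it (added example)."""
import base64
import hashlib
import hmac
from typing import List, Tuple

# Constructed stand-ins for public key blobs (not real keys; only byte equality matters).
KEY_ONE = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOneConstructedForTheExample"
KEY_TWO = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwoConstructedForTheExample"


def hash_hostname(host: str, salt: bytes) -> str:
    """Build the '|1|salt|hash' form written when HashKnownHosts is on."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


# Constructed known_hosts file: one plain entry with two names, one hashed entry.
KNOWN_HOSTS = "\n".join([
    "# constructed sample; comment and blank lines are ignored",
    "",
    "bastion.example.org,10.0.0.5 ssh-ed25519 %s ops@bastion" % KEY_ONE,
    "%s ssh-ed25519 %s" % (hash_hostname("git.example.org", bytes(range(20))), KEY_TWO),
])


def parse_known_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (hosts_field, key_type, key_blob) per entry; marker lines are skipped (not modelled)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2]))
    return entries


def hostname_matches(hosts_field: str, host: str) -> bool:
    """Match a plain comma-separated host list or a hashed '|1|salt|hash' field."""
    if hosts_field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = hosts_field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(hash_b64), actual)
    return host in hosts_field.split(",")


def check_continuity(known_hosts: str, host: str, key_type: str, key_blob: str) -> str:
    """'match' = same key as before, 'mismatch' = key of this type changed, 'unknown' = new host/type."""
    seen_this_type = False
    for hosts_field, ktype, kblob in parse_known_hosts(known_hosts):
        if not hostname_matches(hosts_field, host) or ktype != key_type:
            continue
        seen_this_type = True
        if hmac.compare_digest(kblob.encode(), key_blob.encode()):
            return "match"
    return "mismatch" if seen_this_type else "unknown"


def decide(verdict: str, strict_host_key_checking: str) -> str:
    """Map the continuity verdict through StrictHostKeyChecking (yes / accept-new / ask / no)."""
    if verdict == "match":
        return "connect"
    if verdict == "mismatch":
        # The continuity property: a changed key is refused unless the check is switched off.
        return "connect-with-warning" if strict_host_key_checking == "no" else "refuse"
    # Unknown host: only 'yes' refuses; 'accept-new' and 'no' record the key (trust on first use).
    if strict_host_key_checking == "yes":
        return "refuse"
    if strict_host_key_checking == "ask":
        return "prompt-user"
    return "connect-and-record"


if __name__ == "__main__":
    for host, blob in [("bastion.example.org", KEY_ONE), ("bastion.example.org", KEY_TWO),
                       ("git.example.org", KEY_TWO), ("new.example.org", KEY_ONE)]:
        verdict = check_continuity(KNOWN_HOSTS, host, "ssh-ed25519", blob)
        print(host, verdict, decide(verdict, "yes"), decide(verdict, "accept-new"))
```

The mismatch branch is where continuity does its work: under `StrictHostKeyChecking yes` (and `ask` / `accept-new`) a host whose key has changed since it was first recorded is refused outright, which is exactly the signal a compromised or impersonated host produces; gratuitous rotation of host keys generates the same alarm with no attacker present.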
More information about the ubuntu-users mailing list