by thegeekbin 1941 days ago
> Your ssh key should never leave a host.

If you need an ssh key for whatever reason from a host (for example, git pulls on a staging machine), you should generate one on that box and narrow its scope in the machine that will receive it (e.g., Gitlab Deployment Keys -- locked in read-only mode, single purpose).

> The reason rotation isn't recommended is because it leads to bad practices (people just add a '1' to their password)

To some degree. I personally rotate my keys whenever I change my personal/work device (perm. change), or, around every year or so. It's not a hard requirement, but just a personal preference.

> it's a hassle

ssh-keygen -b 4096 isn't a hassle... and if you do deployment properly it shouldn't be an issue to sync these keys (e.g., an AD system holding the public key, cloud directories like JumpCloud, etc. can all sync the moment it's updated -- even Salt/Ansible/Chef/etc. can do it easily, with modules pre-written to sync keys already).

In any event, MFA is always a good idea. But, my biggest concern is that someone would leave ssh open to the public... the time it takes to set up an ACL or VPN to connect to the machine is hardly anything these days with the amount of automated tooling to do it... so why aren't people?
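As an added example (not from the thread or any project it mentions), the "generate it on the box, narrow its scope on the receiving side" step in shell: the key is created on the consuming host, and the receiving machine's authorized_keys entry pins it to a single command with OpenSSH's `restrict` option, with an audit that flags entries lacking that option. The wrapper path and key material below are constructed placeholders.

```shell
#!/bin/sh
# Added example. Assumes OpenSSH (authorized_keys "restrict" option, 7.2+).

generate_host_key() {
    # Run on the consuming host itself, so the private key never leaves it.
    # $1: path for the new key file. ed25519 here; the thread's
    # `ssh-keygen -b 4096` (RSA) form works the same way.
    ssh-keygen -t ed25519 -f "$1" -N '' -C "deploy@$(hostname)" >/dev/null
    cat "$1.pub"
}

restrict_deploy_key() {
    # Build the authorized_keys line for the *receiving* machine.
    # $1: public key line ("ssh-ed25519 AAAA... comment")
    # $2: the only command this key may run (constructed wrapper path;
    #     assumed to contain no spaces so the audit below can split on them)
    # "restrict" disables port/agent/X11 forwarding and pty allocation;
    # "command=" ignores whatever the client asks for and runs this instead.
    printf 'restrict,command="%s" %s\n' "$2" "$1"
}

unrestricted_keys() {
    # Audit an authorized_keys file: print every key line whose option list
    # lacks "restrict". Exit 1 if any were found (usable as a CI gate), 0 if clean.
    awk '
        /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
        {
            n = split($1, opts, ","); ok = 0       # options precede the key type
            for (i = 1; i <= n; i++) if (opts[i] == "restrict") ok = 1
            if (!ok) { print; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}
```

On the receiving side the emitted line is what goes into authorized_keys; hosted services such as GitLab deploy keys achieve the same read-only, single-purpose effect through their own key settings rather than this file.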


> ssh-keygen -b 4096 isn't a hassle...

I was referring to password rotation specifically with those points, not SSH key rotation, because the quote in my post was also in the context of password rotation.