Have a system that expires SSH keys every 90th day

I have a customer that now requires us to change every password every 90th day due to their interpretation of GDPR. That's fine for the web-based system we develop for them because we can just implement those rules. But they also require us to change the passwords on our SSH keys used to access the servers, which is, well, not fine.



  1. Is it possible to change the password on an existing SSH key?


  2. If not, are there any tools we can use to handle this? I'm thinking:



    a. Create new keys.

    b. Distribute all public keys to existing servers.

    c. Remove existing public keys.

    d. Archive old private keys.



    I've read some posts here about Puppet, but as I understand it they aim to only solve the problem with distributing the public keys among the servers and not creating new keys every nth day? Should I go further with my research into Puppet?



  3. What is the community standard when it comes to password retention and ssh keys? How do you do it?
asked 1 hour ago









mr D

    This topic seems to be better discussed on Information Security. The basic question already has an answer there.
    – Gerald Schneider
    49 mins ago
2 Answers
Using AuthorizedKeysCommand, some expiry mechanism could be implemented on the server side, from simply checking the file timestamp to something more complicated.
          answered 49 mins ago









          danblack
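A server-side expiry check of the kind described in this answer, as an added example rather than code from the answer or from OpenSSH: an AuthorizedKeysCommand script that emits only public keys whose file is at most 90 days old, so a key stops working once its file is older than the policy allows. The per-user directory layout under /etc/ssh/authorized_keys.d, the script name and the 90-day default are assumptions.

```shell
#!/bin/sh
# Added example: AuthorizedKeysCommand that enforces key age on the server.
# Assumed layout (a convention of this example, not OpenSSH's): one public key
# per file under /etc/ssh/authorized_keys.d/<user>/*.pub, and in sshd_config:
#   AuthorizedKeysCommand /usr/local/bin/ssh-expiring-keys %u
#   AuthorizedKeysCommandUser nobody
#   AuthorizedKeysFile none     # otherwise ~/.ssh/authorized_keys bypasses the check
# Rotating a key = installing a new .pub file; the old one expires by itself.

KEYDIR_BASE="${KEYDIR_BASE:-/etc/ssh/authorized_keys.d}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-90}"

# File mtime in seconds since the epoch (GNU stat first, then BSD stat).
key_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Print every key for user $1 that is at most $2 days old.
# Returns 0 if at least one key was emitted, 1 if none (sshd then denies key auth).
emit_valid_keys() {
    user=$1
    max_days=$2
    now=$(date +%s)
    emitted=1
    # sshd passes a validated login name as %u; still refuse anything path-like.
    case $user in
        ""|*/*|.*) return 1 ;;
    esac
    dir="$KEYDIR_BASE/$user"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*.pub; do
        [ -f "$f" ] || continue
        age=$(( (now - $(key_mtime "$f")) / 86400 ))
        if [ "$age" -le "$max_days" ]; then
            cat "$f"
            emitted=0
        else
            # Expired keys are logged, not emitted, so the rotation gap is visible.
            logger -t ssh-expiring-keys "expired key $f for $user (${age}d old)" 2>/dev/null || true
        fi
    done
    return $emitted
}

# Entry point when invoked by sshd as: ssh-expiring-keys %u
[ $# -eq 1 ] && emit_valid_keys "$1" "$MAX_AGE_DAYS"
```

Because the age check runs at every login, the same script also answers the "remove existing public keys" step of the rotation: nothing has to be deleted on a schedule, only the new key installed.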
              The answer to your first question: "Is it possible to change the password on an existing SSH key?" is yes. With openssh that is as simple as ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]



              The problem is that the password is in/on the private key file, which is a simple format that doesn't have support for an expiry date. Also, a large part of the concept of key-based authentication in ssh is that the private key is not centrally managed; it should only exist on the user's workstation, which makes it nigh impossible to enforce a password expiry policy on the private key.




              Instead: in every environment I've been in before the password policy is on the user account object, not on the method used to access said account. When a password is expired or an account locked, all access methods get locked out including the ssh key.



              Add multi-factor authentication when you need more security on an account.




              But I'm curious what other people have done to address your valid concerns.
                  edited 13 mins ago
                  answered 30 mins ago
                  HBruijn♦