10

I've using my ssh-keys for a while. I'm thinking about to upgrade my ssh key pair to a stronger encryption and i dont know all devices where my keys are registered.

Is it posible to "deprecate" a SSH Key locally so, that I receive a warning if I authenticate with a deprecate SSH Key?

Giacomo1968
  • 3,542
  • 27
  • 38
tim0_o
  • 133
  • 6
  • While you are at it, I would suggest that you stop using the same SSH key for multiple hosts; it needlessly increases the attack surface as well as the value of that key in the event of a breach. Instead, use one key for each host you connect to; ideally, use one key for each client and server *pair* (but this scales poorly if you have many client systems connecting to many servers). I also like to tag the keys with the generation date in the comment or key name, allowing me to keep track of how old they are. Then set up a recurring reminder every 6-24 months or so in your calendar to renew. – user Oct 09 '15 at 20:08
  • @MichaelKjörling I disagree with the first part of your suggestion. Generating lots of key pairs where all the private keys are stored on the same machine with the same permissions is not providing any significant security improvements. If one is compromised then most likely the rest of them are compromised as well. And in that case having many key pairs just means there will be more work to do with rotating them once you do see a reason to generate a new key pair. The part about adding a generation date to the comment is good advice (I wish `ssh-keygen` would do that by default). – kasperd Oct 30 '15 at 23:10
  • @kasperd You make a good point. I suppose as always, it very much depends on your threat model. I suspect I implicitly assumed that the keys would have different passphrases, which I can see how with a large number of keys might not always be practical, unless you're willing to add a password manager to the mix. It *does* however allow something very close to what the OP is describing, since a key can be "deprecated" very easily without affecting other connections. I suspect in the end, it's a bit of a matter of personal taste. – user Oct 31 '15 at 12:36

2 Answers2

9

I don't know of any way to do something like this, but I can see how it would be useful. What I'd be inclined to do is to stop adding the deprecated key to my SSH agent. That way, every time it gets used, I'll have to re-enter the passphrase. If it's something like, "ugh, another one to fix", then it'll remind me each time that I've got to go rotate my key on that machine, too.

womble
  • 96,255
  • 29
  • 175
  • 230
  • in this regard it might be useful (depending on distro/DE) to move the file to another directory, *seahorse* for instance uses all keys in `~/. ssh` automatically. – guntbert Oct 09 '15 at 13:48
  • 1
    Anything which does that needs to be burnt down. It means that the moment you have more than six keys (I've got a couple of dozen) you'll end up failing auth due to too many failures (every key that's presented and rejected counts towards the fail count). – womble Oct 11 '15 at 23:21
5

You can move the old ssh key to a non-default location (i.e., ~/.ssh/deprecated_id_rsa) and then create a new ssh key with your desired properties at ~/.ssh/id_rsa

That way you still have your deprecated key available if needed ssh -i ~/.ssh/deprecated_id_rsa ..., but you will default to using your new key.

toe
  • 51
  • 2