
Re: Continuous brute force attempt from own server !!!



On Sat 27 Jul 2013 at 14:06:29 -0300, Henrique de Moraes Holschuh wrote:

> On Sat, 27 Jul 2013, Brian wrote:
> > 
> > Thank you, that was an interesting read. The focus of the draft is on
> > organisations which utilise SSH keys extensively, so in such a situation
> > I can understand a recommendation for key rotation because ignoring it
> > may have disastrous consequences. Users with small networks and with
> > well managed access to them would rarely have a need to change passwords
> > or keys at predetermined intervals.
> 
> If you have that key sitting anywhere outside of a hardened smartcard, you
> should rotate it every so often, in case someone managed to snag a copy of
> it while you were not paying attention.  It is NOT too much pain to rotate
> keys once a year, unless you're doing it wrong in the first place.

Something akin to that happening doesn't seem like 'well managed access'.
Most people are capable of looking after the keys to their place of
residence so it should not be too onerous to follow a decent practice for
keeping their ssh keys/passwords safe. It goes through my mind that
rotating keys on 1st January every year doesn't prevent lack of attention
leading to the key being leaked a few days later. But I expect sizable
organisations have a way of dealing with that.

> It is also good practice to never share the same key across hosts (or if
> that's impractical, across security domains), and to have specific keys for
> specific services.  This practice can greatly reduce the damage caused by a
> compromised key.

We are in agreement there.
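The two practices discussed above (one key per host or security domain, and a rotation interval) can be checked rather than just agreed on. The following audit script is an added example, not code from either poster or from the Debian list. It parses a constructed `~/.ssh/config` and a constructed `authorized_keys` file embedded inline (the key strings are placeholders, not real key material), reports any private key referenced by more than one `Host` stanza, hosts that do not set `IdentitiesOnly yes` (so ssh would also offer every other loaded key to that server), server-side entries that are not pinned to a source address and a command, and keys older than a chosen rotation age. The creation dates are a hypothetical mapping supplied by the caller; on a real system they would come from the key files' timestamps or a key inventory.

```python
"""Audit SSH key scoping and age: one private key per host/service,
restricted authorized_keys entries, and a rotation deadline.
All inputs below are constructed samples so the script runs offline."""
import re
from collections import defaultdict
from datetime import date

# Constructed ~/.ssh/config: id_shared is (wrongly) reused for two hosts,
# and neither of those stanzas sets IdentitiesOnly.
SAMPLE_SSH_CONFIG = """
Host backup.example.org
    User backup
    IdentityFile ~/.ssh/id_backup
    IdentitiesOnly yes

Host git.example.org
    User git
    IdentityFile ~/.ssh/id_shared

Host www.example.org
    User deploy
    IdentityFile ~/.ssh/id_shared
"""

# Constructed authorized_keys on the backup server. The key blobs are
# placeholders, not real keys. Only the first entry is service-scoped.
SAMPLE_AUTHORIZED_KEYS = """
from="10.0.0.5",command="/usr/local/bin/rrsync /srv/backup",no-pty ssh-ed25519 AAAAC3PLACEHOLDER1 backup@client
ssh-ed25519 AAAAC3PLACEHOLDER2 laptop@home
"""

# Hypothetical key creation dates (in practice: file mtime or an inventory).
SAMPLE_KEY_CREATED = {
    "~/.ssh/id_shared": date(2012, 7, 1),
    "~/.ssh/id_backup": date(2013, 3, 1),
}


def parse_ssh_config(text):
    """Return [(host_pattern, {option: [values]})], one tuple per Host stanza."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            current = (value, {})
            stanzas.append(current)
        elif current is not None:
            current[1].setdefault(key, []).append(value)
    return stanzas


def shared_identities(stanzas):
    """IdentityFiles referenced by more than one Host stanza -> list of hosts."""
    users = defaultdict(list)
    for host, opts in stanzas:
        for ident in opts.get("identityfile", []):
            users[ident].append(host)
    return {ident: hosts for ident, hosts in users.items() if len(hosts) > 1}


def hosts_without_identitiesonly(stanzas):
    """Hosts with a key configured but without IdentitiesOnly yes."""
    return [host for host, opts in stanzas
            if "identityfile" in opts
            and opts.get("identitiesonly", ["no"])[0].lower() != "yes"]


# options (possibly quoted, possibly containing spaces) + key type + blob + comment
AUTHKEY_RE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"[^"]*")+)\s+)?'
    r'(?P<type>ssh-ed25519|ssh-rsa|ecdsa-sha2-\S+|sk-\S+)\s+'
    r'(?P<key>\S+)(?:\s+(?P<comment>.*))?$')


def parse_authorized_keys(text):
    """Return a list of dicts with opts/type/key/comment for each entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = AUTHKEY_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def unrestricted_keys(entries):
    """Comments of entries lacking both a from= and a command= restriction."""
    flagged = []
    for e in entries:
        opts = e.get("opts") or ""
        if not ("from=" in opts and "command=" in opts):
            flagged.append(e.get("comment") or e["key"])
    return flagged


def keys_due_for_rotation(created, today, max_age_days=365):
    """Keys whose age exceeds max_age_days (once a year by default)."""
    return [k for k, d in created.items() if (today - d).days > max_age_days]


if __name__ == "__main__":
    stanzas = parse_ssh_config(SAMPLE_SSH_CONFIG)
    print("shared keys:", shared_identities(stanzas))
    print("no IdentitiesOnly:", hosts_without_identitiesonly(stanzas))
    print("unrestricted:", unrestricted_keys(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)))
    print("rotate:", keys_due_for_rotation(SAMPLE_KEY_CREATED, date(2013, 7, 27)))
```

The client-side checks catch the "same key across hosts" case directly; the server-side check enforces the "specific keys for specific services" half, since a `from=`/`command=` restricted entry limits what a leaked key is good for even before it is rotated.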

