comp.security.ssh: SSH secure remote login and tunneling tools.

ssh passphrases and sarbanes oxley (SOX)

#1 - 12/09/2006, 20h27 - docmarkus@directbox.com
ssh passphrases and sarbanes oxley (SOX)

Hi, group!
This question has been addressed to me by a client and I couldn't find
a solution on the web yet:

As Sarbanes Oxley requires policies like password to be enforced, how
is this handled in ssh/openssh?
Is there an option to apply aging to a key passphrase?
Would it make sense?

Sorry to be so unspecific!
Regards, Markus


#2 - 12/09/2006, 21h30 - docmarkus@directbox.com
Re: ssh passphrases and sarbanes oxley (SOX)


docmarkus@directbox.com wrote:

> Hi, group!
> This question has been addressed to me by a client and I couldn't find
> a solution on the web yet:
>
> As Sarbanes Oxley requires policies like password to be enforced, how

sorry gang - meant to write "password aging" ...

> is this handled in ssh/openssh?
> Is there an option to apply aging to a key passphrase?
> Would it make sense?
>
> Sorry to be so unspecific!
> Regards, Markus



#3 - 12/09/2006, 21h50 - Chuck
Re: ssh passphrases and sarbanes oxley (SOX)

docmarkus@directbox.com wrote:
> Hi, group!
> This question has been addressed to me by a client and I couldn't find
> a solution on the web yet:
>
> As Sarbanes Oxley requires policies like password to be enforced, how
> is this handled in ssh/openssh?
> Is there an option to apply aging to a key passphrase?
> Would it make sense?
>
> Sorry to be so unspecific!
> Regards, Markus
>


IMHO key passphrase aging doesn't gain you anything. If someone gets a
copy of your private key, they have it encrypted with whatever
passphrase it was encrypted with at that time, and they then have all
the time in the world to try to crack it. Remember it's not the
passphrase that authenticates you to the server, it's the key that does
that. You could change your passphrase 100 times, but if they finally
crack that passphrase on that old copy of the key, it's as good as the
one you're using. If you are going to age anything it should probably be
the key pair.

Having said that I have to admit that I change my passphrase regularly
(but not the keypair). The only reason I change it though is to keep it
in sync with my network password which is required to change every 90 days.

I'd like to hear what the rest of this group has to say on the matter.

#4 - 12/09/2006, 21h57 - docmarkus@directbox.com
Re: ssh passphrases and sarbanes oxley (SOX)

Chuck!
Thanks for the quick response!
Actually I was aware of that - I guess I'm rather looking for an answer
to fend off questions by people centered on their "all paswords have to
be subject to an aging process" approach - people focussed on processes
don't always like to take reason into account (not trying to kick off a
flame war here ...)
I guess the correct approach would be to require key pairs to be
recreated regularly - but that would just about do away with most of
the ease-of-use points I use to advocate ssh/openssh.
Regards, Markus



Chuck wrote:

> docmarkus@directbox.com wrote:
> > Hi, group!
> > This question has been addressed to me by a client and I couldn't find
> > a solution on the web yet:
> >
> > As Sarbanes Oxley requires policies like password to be enforced, how
> > is this handled in ssh/openssh?
> > Is there an option to apply aging to a key passphrase?
> > Would it make sense?
> >
> > Sorry to be so unspecific!
> > Regards, Markus
> >

>
> IMHO key passphrase aging doesn't gain you anything. If someone gets a
> copy of your private key, they have it encrypted with whatever
> passphrase it was encrypted with at that time, and they then have all
> the time in the world to try to crack it. Remember it's not the
> passphrase that authenticates you to the server, it's the key that does
> that. You could change your passphrase 100 times, but if they finally
> crack that passphrase on that old copy of the key, it's as good as the
> one you're using. If you are going to age anything it should probably be
> the key pair.
>
> Having said that I have to admit that I change my passphrase regularly
> (but not the keypair). The only reason I change it though is to keep it
> in sync with my network password which is required to change every 90 days.
>
> I'd like to hear what the rest of this group has to say on the matter.



#5 - 29/09/2006, 17h44 - Jeff B
Re: ssh passphrases and sarbanes oxley (SOX)
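The distinction Chuck draws in #3 (the passphrase only encrypts the private key at rest; the key itself is what the server trusts) and the key-pair rotation Markus mentions in #4 can both be shown with OpenSSH's own ssh-keygen. The script below is an added example written for this page, not code from any poster. It assumes ssh-keygen is installed; the function names (key_fingerprint, rekey_passphrase, rotate_keypair, demo) and the throwaway authorized_keys file standing in for the server-side one are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Requires OpenSSH's ssh-keygen.
# Shows the two operations discussed in the thread:
#   1. changing the passphrase only re-encrypts the private key at rest;
#      the public key, and so the identity the server trusts, is unchanged;
#   2. rotating the key pair produces a new identity, and the old public key
#      must be removed from authorized_keys for an old (stolen) copy to stop working.
set -eu

# Fingerprint of a key pair, read from its .pub half (ssh-keygen -p never touches it).
key_fingerprint() {
    ssh-keygen -l -f "$1.pub" | awk '{print $2}'
}

# Passphrase change: same private key, new encryption at rest.
# $1 key file, $2 old passphrase, $3 new passphrase
rekey_passphrase() {
    ssh-keygen -q -p -f "$1" -P "$2" -N "$3"
}

# Key rotation: generate a fresh ed25519 pair, drop the old public key from an
# authorized_keys file and add the new one. The file here stands in for the
# server-side ~/.ssh/authorized_keys (constructed for the example).
# $1 old key file, $2 new key file, $3 authorized_keys path, $4 passphrase for the new key
rotate_keypair() {
    old="$1"; new="$2"; authkeys="$3"; pass="$4"
    ssh-keygen -q -t ed25519 -f "$new" -N "$pass" -C "rotated-$(date +%Y-%m-%d)"
    # match on key type + key material; the comment field is not significant
    oldblob=$(awk '{print $1" "$2}' "$old.pub")
    tmp=$(mktemp)
    grep -v -F "$oldblob" "$authkeys" > "$tmp" || true   # grep exits 1 when nothing is left
    cat "$new.pub" >> "$tmp"
    mv "$tmp" "$authkeys"
    chmod 600 "$authkeys"
}

# Walk-through in a throwaway directory (constructed; nothing touches ~/.ssh).
demo() {
    work=$(mktemp -d)
    ssh-keygen -q -t ed25519 -f "$work/id_ed25519" -N "old-passphrase" -C "user@example"
    cp "$work/id_ed25519.pub" "$work/authorized_keys"

    before=$(key_fingerprint "$work/id_ed25519")
    rekey_passphrase "$work/id_ed25519" "old-passphrase" "new-passphrase"
    after=$(key_fingerprint "$work/id_ed25519")
    echo "passphrase change: $before -> $after (identical: a stolen old copy is still this key)"

    rotate_keypair "$work/id_ed25519" "$work/id_ed25519_new" "$work/authorized_keys" "new-passphrase"
    rotated=$(key_fingerprint "$work/id_ed25519_new")
    echo "key rotation:      $before -> $rotated (old key no longer in authorized_keys)"
    rm -rf "$work"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh rotate.sh demo`. The first line of output shows the same fingerprint before and after the passphrase change, which is the whole of Chuck's point: the re-encrypted file is the same key, so a copy taken earlier is unaffected. Only the second step changes what the server accepts, and in practice the new public key is installed on every server before the old one is removed.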

Maybe I haven't had my coffee this morning BUT,
if you change the keys, then old documents encoded under KEY1 will not
be decodeable under the new KEY2. Your public key needs to remain FIXED.

Chuck wrote:
> docmarkus@directbox.com wrote:
>> Hi, group!
>> This question has been addressed to me by a client and I couldn't find
>> a solution on the web yet:
>>
>> As Sarbanes Oxley requires policies like password to be enforced, how
>> is this handled in ssh/openssh?
>> Is there an option to apply aging to a key passphrase?
>> Would it make sense?
>>
>> Sorry to be so unspecific!
>> Regards, Markus
>>

>
> IMHO key passphrase aging doesn't gain you anything. If someone gets a
> copy of your private key, they have it encrypted with whatever
> passphrase it was encrypted with at that time, and they then have all
> the time in the world to try to crack it. Remember it's not the
> passphrase that authenticates you to the server, it's the key that does
> that. You could change your passphrase 100 times, but if they finally
> crack that passphrase on that old copy of the key, it's as good as the
> one you're using. If you are going to age anything it should probably be
> the key pair.
>
> Having said that I have to admit that I change my passphrase regularly
> (but not the keypair). The only reason I change it though is to keep it
> in sync with my network password which is required to change every 90 days.
>
> I'd like to hear what the rest of this group has to say on the matter.



--
try a random act of kindness today -- you just might surprise even
yourself

#6 - 29/09/2006, 22h27 - Chuck
Re: ssh passphrases and sarbanes oxley (SOX)

Jeff B wrote:
> Maybe I haven't had my coffee this morning BUT,
> if you change the keys, then old documents encoded under KEY1 will not
> be decodeable under the new KEY2. Your public key needs to remain FIXED.


Get your coffee. Ssh keys are used to authenticate users to a server.
PGP and GnuPG keys are used to encrypt documents. They are similar but
not the same.

#7 - 30/09/2006, 19h03 - Jeff B
Re: ssh passphrases and sarbanes oxley (SOX)

Chuck wrote:
> Jeff B wrote:
>> Maybe I haven't had my coffee this morning BUT,
>> if you change the keys, then old documents encoded under KEY1 will not
>> be decodeable under the new KEY2. Your public key needs to remain FIXED.

>
> Get your coffee. Ssh keys are used to authenticate users to a server.
> PGP and GnuPG keys are used to encrypt documents. They are similar but
> not the same.


humiliating
but of course!

--
try a random act of kindness today -- you just might surprise even
yourself

#8 - 03/10/2006, 14h43 - Chuck
Re: ssh passphrases and sarbanes oxley (SOX)

Jeff B wrote:
> Chuck wrote:
>> Jeff B wrote:
>>> Maybe I haven't had my coffee this morning BUT,
>>> if you change the keys, then old documents encoded under KEY1 will not
>>> be decodeable under the new KEY2. Your public key needs to remain
>>> FIXED.

>>
>> Get your coffee. Ssh keys are used to authenticate users to a server.
>> PGP and GnuPG keys are used to encrypt documents. They are similar but
>> not the same.

>
> humiliating
> but of course!
>


Sorry. Didn't mean to humiliate. There have been plenty of times where I've
made similar mistakes.

I have heard rumors of a product that uses the same keys for both
purposes. It was probably on this NG, but I can't remember the name.

Time zone GMT +1.