
Key rollover support in ssh

Posted May 15, 2008 7:30 UTC (Thu) by dion (guest, #2764)
Parent article: Debian vulnerability has widespread effects

Wouldn't it be trivial, yet highly useful to have a key-rollover feature in the ssh client?

The client could detect that it's using a defective key and generate a new one, while stashing
away the old, compromised key.
When the user tries to log in, the ssh client could then try the new key first and fall back to
the old key.
When logged in, the client could then remove the old key from authorized_keys and insert the
new key.

This would save a lot of manual work and, what's more important, it would eventually get rid of
all the compromised keys, even on poorly maintained systems (where the server doesn't
blacklist) where the user is less than diligent about changing his keys.
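The rollover described in the comment above, as an added example; it is not code from the original post nor from OpenSSH. The function names (shquote, rotate_script, rotate_local, key_is_compromised, rollover) and the sample authorized_keys lines are assumptions constructed for this example. It departs from the comment's order in one respect a practitioner would insist on: the new key is installed and proven to work before the old one is removed, so a half-finished rollover can never lock the client out. The editing script is shipped to the server over the existing session with "sh -s", so nothing has to be installed remotely. ssh-vulnkey is Debian's checker against the weak-key blacklists; its exit-status convention is assumed here, not quoted from the page.

```shell
#!/bin/sh
# Added example (not OpenSSH code): client-driven ssh key rollover.
# Assumed names throughout; ssh-vulnkey's exit status is an assumption too.
set -eu

# Quote one argument for a remote POSIX shell: ssh joins its arguments with
# spaces and the remote shell re-splits them, so key comments must be quoted.
shquote() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# The editing script. It runs on the server under "sh -s" with the arguments
#   add|remove FILE KEYTYPE BLOB [COMMENT]
# A key is matched by its adjacent "type blob" fields, so option prefixes such
# as command="..." survive. The file is rewritten via a temp file and rename, so
# a dropped connection can never leave a truncated authorized_keys behind.
rotate_script() {
    cat <<'EOF'
set -eu
mode=$1; file=$2; type=$3; blob=$4; comment=${5:-}
mkdir -p "$(dirname "$file")"; [ -f "$file" ] || : > "$file"
tmp="$file.rollover.$$"
has_key() {
    awk -v t="$type" -v b="$blob" \
        '{ for (i = 1; i < NF; i++) if ($i == t && $(i+1) == b) f = 1 } END { exit !f }' "$file"
}
case $mode in
    add)    has_key && exit 0     # idempotent: re-running after a crash is safe
            { awk 1 "$file"; printf '%s %s%s\n' "$type" "$blob" "${comment:+ $comment}"; } > "$tmp" ;;
    remove) awk -v t="$type" -v b="$blob" \
                '{ keep = 1; for (i = 1; i < NF; i++) if ($i == t && $(i+1) == b) keep = 0 } keep' \
                "$file" > "$tmp" ;;
    *)      echo "usage: add|remove FILE KEYTYPE BLOB [COMMENT]" >&2; exit 2 ;;
esac
chmod 600 "$tmp" && mv "$tmp" "$file"
EOF
}

# The same script run locally (used for the offline demonstration below).
rotate_local() { rotate_script | sh -s -- "$@"; }

# Detection step: ssh-vulnkey(1) checks a key against Debian's blacklists.
# Assumed here to exit nonzero for a blacklisted key; check your manual page.
key_is_compromised() {
    command -v ssh-vulnkey >/dev/null 2>&1 || { echo "ssh-vulnkey not installed" >&2; return 2; }
    ! ssh-vulnkey -q "$1" >/dev/null 2>&1
}

# One host: try the new key first; fall back to the old key only to install the
# new one; prove the new key works; only then revoke the old key. The old
# private key stays on disk because other hosts may still need the fallback:
# stash it (mv id_rsa id_rsa.compromised) once every host is done, never delete it.
rollover() {
    host=$1; old=$2; new=$3; akfile='.ssh/authorized_keys'
    [ -f "$new" ] || ssh-keygen -t rsa -b 2048 -f "$new"   # prompts for a passphrase
    set -- $(cat "$new.pub"); ntype=$1; nblob=$2; shift 2; ncomment=$*
    set -- $(cat "$old.pub"); otype=$1; oblob=$2
    if ! ssh -o IdentitiesOnly=yes -i "$new" "$host" true 2>/dev/null; then
        rotate_script | ssh -o IdentitiesOnly=yes -i "$old" "$host" \
            sh -s -- add "$akfile" "$ntype" "$nblob" "$(shquote "$ncomment")"
        ssh -o IdentitiesOnly=yes -i "$new" "$host" true   # set -e aborts if it still fails
    fi
    rotate_script | ssh -o IdentitiesOnly=yes -i "$new" "$host" sh -s -- remove "$akfile" "$otype" "$oblob"
}

# Constructed sample authorized_keys (fake blobs, not real keys) for an offline run.
SAMPLE_AUTHORIZED_KEYS='ssh-rsa AAAAB3OLDKEY old@laptop
command="/usr/bin/rrsync /backup",no-pty ssh-rsa AAAAB3BACKUP backup@nas
ssh-dss AAAAB3DSAKEY someone@else'

demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" > "$demo/authorized_keys"
rotate_local add "$demo/authorized_keys" ssh-rsa AAAAB3NEWKEY "new@laptop"
rotate_local remove "$demo/authorized_keys" ssh-rsa AAAAB3OLDKEY
cat "$demo/authorized_keys"   # backup and DSA lines untouched, old key gone, new key appended
rm -rf "$demo"
```

For a real run, `rollover user@host ~/.ssh/id_rsa ~/.ssh/id_rsa_new` per host, after `key_is_compromised ~/.ssh/id_rsa` has confirmed the old key is on a blacklist. IdentitiesOnly=yes matters on both attempts: without it the agent offers every loaded key and the "new key first, old key second" ordering the comment relies on is not what actually happens on the wire.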

Copyright © 2017, Eklektix, Inc.