12

Out of curiosity, and also to check whether this is doable at all:

Is there any way using standard tools to assign an expiry date [only] to the passphrase of an ssh private key, or to enforce the expiry and change of the passphrase without changing the private key itself? (I'm not talking about scripts that check [a,c,m]time of the keypair or something like that ...)

Or is there any standard solution that achieves a similar result, that is, enforcing/ensuring regular change of the passphrase for key-based authentication?

Please don't ask WHY I want to do that, but feel free to comment on the added security/inconvenience/insecurity this might provide.

The only thing loosely related seems to be the validity interval that can be specified when creating the keypair via ssh-keygen. Although if I've understood this correctly that would expire the signing certificate which was used to sign the keypair, hence effectively expiring the key itself.

doktor5000
  • 2
    Does an [HSM](http://en.wikipedia.org/wiki/Hardware_security_module) count as a standard tool? –  Sep 07 '14 at 20:20
  • If you use it for that purpose, sure. Would be good if you can elaborate on what it can do and what it can't within the scope of this question, and maybe a rough cost estimation. FWIW, does it require some specific operating system support or is it OS-agnostic? – doktor5000 Sep 08 '14 at 05:17
  • There [are apparently](http://security.stackexchange.com/a/24571/49075) HSMs that can run custom code. (So, essentially, they can do anything.) I have no clue what computers these can easily interact with. –  Sep 08 '14 at 05:53
  • Well, that basically means that I'd need to get an expensive new platform and to write my own solution. That doesn't count as a standard tool in my book... And operating system support is unclear, also from your answer it doesn't seem like you use one of those things in practice, do you? This sounds more like "theoretically from reading the specs of that thing it might do something related ..." – doktor5000 Sep 08 '14 at 17:50
  • I'm not going to ask why you want to do that. You obviously want to do it because someone told you they need you to do it. So I'm going to ask you to ask them why they think it will accomplish anything even if it were possible to do this. – Monty Harder Sep 18 '18 at 21:49
  • @MontyHarder Because it was part of a strict security policy requirement. Sometimes there's not much use discussing this, either you can implement something that satisfies that policy, or you need to request some kind of temporary or permanent exception. Although this question was more out of curiosity, if something similar would be possible. – doktor5000 Sep 19 '18 at 18:21

3 Answers

13

Simple answer: no. SSH keys are simple cryptographic keys; if you want to add a validity period to one, you end up in PKI territory.

There is an answer on the Ubuntu Stack Exchange site, asking how to make SSH keys expire automatically, but this is to do with using the ssh-agent tool.

Alternatively, you can use a third-party app installed on your server to automatically expire SSH keys based on custom settings. One nice example of this is the SSHARK tool, which uses custom DNS records to record key validity and the command= feature in the authorized_keys file.

StampyCode
8

Keep in mind that there is no way to tell from the public key alone whether the private key even has a passphrase associated with it, and no way to know what the passphrase is or when it was last changed even with access to the private key (although a good guess may be that if the private key has been rewritten per its last modified timestamp since it was first generated, it was to change the passphrase on the key).

An approach which does not require access to the private keys might go something like this:

  • require by policy the use of an external tool to distribute public keys,
  • record in that tool when a public key was submitted, and
  • actively remove the public key from all systems on the expiration date or when explicitly revoked.

The centralized public key repository must retain expired keys for as long as is required to prevent reuse, ideally forever but we all know how that works.

Mike McManus
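
The repository approach from the answer above, as an added example that is not part of the original answer: public keys are tracked by fingerprint, an expired or revoked key drops out of the list that gets deployed, and its record is kept so the same key cannot be resubmitted. The 90-day lifetime, the function names and the sample key are assumptions.

```python
import base64
import hashlib
from datetime import date, timedelta

MAX_AGE = timedelta(days=90)  # assumed policy lifetime; the answer names no figure


def fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint of an authorized_keys-format line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + digest.rstrip("=")


def submit(registry, owner, pubkey_line, today):
    """Record a new key. Entries are never deleted, so any key submitted before
    (active, expired or revoked) is refused, whatever its comment field says."""
    fp = fingerprint(pubkey_line)
    if fp in registry:
        raise ValueError(f"{fp} already submitted on {registry[fp]['submitted']}")
    registry[fp] = {"owner": owner, "key": pubkey_line.strip(),
                    "submitted": today, "revoked": False}
    return fp


def authorized_keys(registry, owner, today):
    """Lines to push to every host for `owner`: not revoked, younger than MAX_AGE."""
    return [e["key"] for e in registry.values()
            if e["owner"] == owner and not e["revoked"]
            and today - e["submitted"] < MAX_AGE]


def constructed_key(seed, comment):
    # Constructed sample: a well-formed ssh-ed25519 blob, not a real key.
    name = b"ssh-ed25519"
    blob = (len(name).to_bytes(4, "big") + name
            + (32).to_bytes(4, "big") + bytes([seed]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    reg = {}
    submit(reg, "alice", constructed_key(1, "alice@laptop"), date(2024, 1, 1))
    print(authorized_keys(reg, "alice", date(2024, 2, 1)))   # still deployed
    print(authorized_keys(reg, "alice", date(2024, 4, 15)))  # expired: []
```

As the answer notes, this tracks the age of the public key only; it says nothing about whether the private key's passphrase was changed.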
6

Something that looks sort of like what you want is using an SSH user CA, which allows you to set a lifetime on the signed key. Whatever automation you put around key signing can refuse to sign for more than 90 days. Then, add the public key for your user CA to TrustedUserCAKeys in /etc/ssh/sshd_config and set AuthorizedKeysFile to none.

The Validity interval you mention is part of the SSH CA system, and AFAIK only applicable in an SSH CA.

Mark
  • Good answer, but to the wrong question. The original question is asking about expiring the passphrase on a private key. Your answer addresses forcing expiration of the key itself. – Jonathan Sep 19 '18 at 15:53
  • 1
    I'm aware that it doesn't strictly answer the question, but since the question doesn't say WHY expiration is desired, I was suggesting it as something that may meet their needs. – Mark Sep 19 '18 at 16:13
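
The signing automation Mark's answer describes, as an added example that is not part of the original answer: a wrapper that refuses any requested lifetime above 90 days before building the ssh-keygen call. The function names, the principal pattern, the key ID format and the CA file path are assumptions.

```python
import re
import subprocess

MAX_DAYS = 90                    # policy ceiling named in the answer
UNIT_DAYS = {"d": 1, "w": 7}     # units this wrapper accepts (assumption)


def validity_days(spec):
    """Convert a requested lifetime such as '30d' or '12w' to whole days."""
    m = re.fullmatch(r"(\d+)([dw])", spec)
    if not m:
        raise ValueError(f"unsupported lifetime {spec!r}; use <n>d or <n>w")
    days = int(m.group(1)) * UNIT_DAYS[m.group(2)]
    if not 1 <= days <= MAX_DAYS:
        raise ValueError(f"{spec} is {days} days; policy allows 1..{MAX_DAYS}")
    return days


def sign_command(ca_key, pubkey, user, lifetime):
    """Build the ssh-keygen call that issues a user certificate."""
    # Assumed local convention for account names used as principals.
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", user):
        raise ValueError(f"bad principal {user!r}")
    days = validity_days(lifetime)
    return ["ssh-keygen", "-s", ca_key,
            "-I", f"{user}-{days}d",   # key ID, logged by sshd on login
            "-n", user,                # principal the certificate is valid for
            "-V", f"+{days}d",         # valid from now until now + days
            pubkey]


def sign(ca_key, pubkey, user, lifetime):
    # ssh-keygen writes the certificate next to the key as <name>-cert.pub.
    subprocess.run(sign_command(ca_key, pubkey, user, lifetime), check=True)


# Matching server side in /etc/ssh/sshd_config (CA path is an assumed example):
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
#   AuthorizedKeysFile none
```

As the comments under the answer point out, the expiry applies to the certificate, so the user has to come back for a new signature; the passphrase on the private key is not touched.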