Post 9s2CLfOChdiyW6j2Om by RefurioAnachro@mastodon.cloud
Post #9s23OrNTgiSCylpkcy by codesections@fosstodon.org
2020-02-14T15:13:11Z
0 likes, 0 repeats
Is there any point to rotating SSH keys but keeping the same passphrase on the new key that the user had on the old one? It *seems* like security theater, but I'm not sure I'm thinking about all threat models.

(And I certainly see a lot of recommendations about rotating keys that don't mention changing the passphrase at the same time. Including in @mwlucas's excellent SSH Mastery – which I just read and which inspired me to up my SSH security.)
Post #9s23fJU8x7qsmonTd2 by Shitlord@dobbs.town
2020-02-14T15:16:12Z
0 likes, 0 repeats
@codesections @mwlucas it changes the hash calculation, so it is better than nothing as long as strong password rules are enforced and the user isn't using the same password for all their logins on other platforms with weaker security measures. It doesn't stop someone from brute-forcing, of course.
Post #9s245OZieQ6a6MqGJc by codesections@fosstodon.org
2020-02-14T15:21:00Z
0 likes, 0 repeats
@Shitlord
> [SSH key rotation] changes the hash calculation

Is the threat model there someone who *doesn't* have access to the SSH private key and is attempting to access the resource secured by the SSH public key?

If so, I *guess* I see a minor benefit – it protects against a *very* long-shot attack, but I suppose that sort of attack is conceivable if a flaw in the hashing algorithm is discovered.

If that's not what you had in mind, I guess I didn't follow :D
Post #9s24DEwCMmrKWp64pM by Shitlord@dobbs.town
2020-02-14T15:22:17Z
0 likes, 0 repeats
@codesections that hash is generally the most exposed in any sort of sniffing situation. That's all I can think of.
Post #9s25UWS2bXjlisnPKi by RefurioAnachro@mastodon.cloud
2020-02-14T15:36:35Z
0 likes, 0 repeats
What about keys without a passphrase? If one of these gets stolen, you'd still want to change it, right? @codesections @mwlucas
Post #9s25r49G05NYbSl996 by zladuric@mastodon.technology
2020-02-14T15:40:44Z
0 likes, 0 repeats
@codesections I was gonna say "I'm not paid for that", but that's probably something like drunken driving. I'ma gonna rotate my keys and re-check my firewalls where I have them.
Post #9s25uJkQSTXbqwhAUC by codesections@fosstodon.org
2020-02-14T15:41:24Z
0 likes, 0 repeats
@RefurioAnachro
> What about keys without passphrase. If one of these get stolen, you'd still want to change it, right?

Yeah, certainly. And I'm not *so* trusting of the passphrase that I'd hold off on rotating a key if I had reason to *think* a key had been stolen. What I'm asking about is routine key rotation without any reason to suspect anything.

There, regularly rotating keys that can't use passphrases makes perfect sense. But I'm not as sure about keys with passphrases.
Post #9s2CLfOChdiyW6j2Om by RefurioAnachro@mastodon.cloud
2020-02-14T16:53:32Z
0 likes, 0 repeats
Passphrases are just weird, because when someone can steal your key, he is likely able to capture your passphrase as well. Unless, of course, if you make backups. Then a password seems reasonable.

Bah, it's all a game of odds. Trade the inconvenience for a tad more security? Or buy some hardware 2nd fa right away? And where's the usb armory I ordered to get kickstarted... @codesections
Post #9s40wVTTidGBLZudzE by penguin42@mastodon.org.uk
2020-02-15T13:55:21Z
0 likes, 0 repeats
@codesections @mwlucas yeah, it's worth it; there are operations to capture SSH private keys so that sometime in the future they can decrypt streams that are captured.
Post #9s4AYiut5a8nd21zEm by codesections@fosstodon.org
2020-02-15T15:43:05Z
0 likes, 0 repeats
@penguin42
>> Is there any point to rotating SSH keys but keeping the same passphrase on the new key that the user had on the old one?
> yeah it's worth it, there's operations to capture ssh priv keys so that sometime in the future they can decrypt streams that are captured.

That is a really good point and one I hadn't thought of in this context—thanks!

(I'd heard about those operations, but I'd only thought of it in terms of forward secrecy for email; I hadn't made the connection to SSH.)
Post #9sMpFyNc6rggBDVSu8 by codesections@fosstodon.org
2020-02-24T15:43:55Z
0 likes, 0 repeats
@penguin42
>> Is there any point to rotating SSH keys but keeping the same passphrase on the new key that the user had on the old one?
> yeah it's worth it, there's operations to capture ssh priv keys so that sometime in the future they can decrypt streams that are captured.

I initially thought this was a good point but, on second thought: doesn't SSH's use of session keys already provide perfect forward secrecy, even if the private key is later compromised?
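An added illustration, not part of this thread, of the session-key question raised in the last post: a toy model in Python of how an SSH connection derives its encryption key. The DH group, the HMAC stand-ins for the host and user signatures, and the sample secrets are all constructed for illustration (real SSH uses group14 or curve25519 and real signatures); what the model shows is that the session key depends only on the ephemeral secrets, which are discarded after the exchange, while the long-term host and user keys only sign values bound to the exchange hash.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for illustration only; not a real SSH group.
P = 2**127 - 1
G = 3
NBYTES = 16


def _i2b(n: int) -> bytes:
    return n.to_bytes(NBYTES, "big")


def kex(host_key: bytes, user_key: bytes, x: int = 0, y: int = 0) -> dict:
    """One SSH-style key exchange plus public-key user authentication.

    host_key and user_key stand in for the long-term private keys and are
    modelled as HMAC keys. The host key signs only the exchange hash H, the
    user key signs only a message bound to the session ID (which is H).
    Neither long-term key feeds the shared secret K or the session key.
    """
    x = x or secrets.randbelow(P - 2) + 1        # client ephemeral secret
    y = y or secrets.randbelow(P - 2) + 1        # server ephemeral secret
    e, f = pow(G, x, P), pow(G, y, P)            # public values, visible on the wire
    k_client, k_server = pow(f, x, P), pow(e, y, P)
    assert k_client == k_server                  # both sides agree on K
    h = hashlib.sha256(_i2b(e) + _i2b(f) + _i2b(k_server)).digest()       # exchange hash H
    host_sig = hmac.new(host_key, h, hashlib.sha256).digest()             # server authenticates
    user_sig = hmac.new(user_key, b"userauth" + h, hashlib.sha256).digest()  # client authenticates
    # Session (encryption) key derived from K and H, in the spirit of RFC 4253 section 7.2.
    enc_key = hashlib.sha256(_i2b(k_server) + h + b"C").digest()
    # A passive eavesdropper sees only this; x, y and K are discarded after the exchange.
    wire = {"e": e, "f": f, "host_sig": host_sig, "user_sig": user_sig}
    return {"wire": wire, "session_id": h, "enc_key": enc_key}


def session_key_independent_of_long_term_keys() -> bool:
    """Same ephemeral secrets, different long-term keys: same session key, different signatures."""
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    a = kex(b"host-key-1", b"user-key-1", x, y)
    b = kex(b"host-key-2", b"user-key-2", x, y)
    return (a["enc_key"] == b["enc_key"]
            and a["wire"]["host_sig"] != b["wire"]["host_sig"]
            and a["wire"]["user_sig"] != b["wire"]["user_sig"])


if __name__ == "__main__":
    print("session key independent of long-term keys:", session_key_independent_of_long_term_keys())
```

Recovering the session key from the recorded transcript would require one of the discarded ephemeral secrets, which is why a later leak of the long-term key alone does not decrypt old traffic in this model.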