Comment on What is the best strategy to refresh ssh keys?
cmnybo@discuss.tchncs.de 3 days ago
So what happens when the certificate expires? Do you get locked out if you don’t have physical access?
AbidanYre@lemmy.world 2 days ago
Like the other commenter said, they’re expiring regularly. Host keys expire ~monthly and there’s a cronjob to reach out to the certificate authority server to renew them. User certs expire ~daily and the first time I ssh on any given day I have to authenticate. Recently tied it to PocketID for SSO.
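The renewal cron job described above has to decide, from the certificate alone, whether it is time to re-sign. The following is an added example, not code from the commenter's setup or from OpenSSH: it reads `valid_after`/`valid_before` straight out of the public half of an OpenSSH ed25519 certificate (the `*-cert.pub` line, laid out as in OpenSSH's PROTOCOL.certkeys) and classifies it as ok, inside the renewal window, or expired. The `build_fixture_cert` helper, the `web01`/`alice` names, the 30-day/1-day lifetimes and the 7-day lead are all assumptions made for the example; the fixture has a zeroed key and signature, so it parses like a real certificate but would never pass sshd's signature check. Real certificates come from `ssh-keygen -s` on the CA, and `ssh-keygen -L` prints the same validity fields this code decodes.

```python
# Added example (not from the thread or OpenSSH): decide whether an OpenSSH
# certificate is due for renewal by reading its validity window directly.
# Field order follows PROTOCOL.certkeys for ssh-ed25519-cert-v01@openssh.com.
import base64
import struct

FOREVER = 0xFFFFFFFFFFFFFFFF          # valid_before meaning "never expires"
CERT_TYPES = {1: "user", 2: "host"}
ED25519_CERT = "ssh-ed25519-cert-v01@openssh.com"


class Reader:
    """Sequential decoder for SSH wire types (uint32, uint64, string)."""

    def __init__(self, data: bytes) -> None:
        self.data, self.off = data, 0

    def _take(self, fmt: str) -> int:
        (v,) = struct.unpack_from(fmt, self.data, self.off)
        self.off += struct.calcsize(fmt)
        return v

    def u32(self) -> int:
        return self._take(">I")

    def u64(self) -> int:
        return self._take(">Q")

    def string(self) -> bytes:
        n = self.u32()
        s = self.data[self.off:self.off + n]
        if len(s) != n:
            raise ValueError("truncated SSH string")
        self.off += n
        return s

    def done(self) -> bool:
        return self.off >= len(self.data)


def parse_cert(line: str) -> dict:
    """Parse one *-cert.pub line ("<type> <base64 blob> [comment]")."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed certificate line")
    r = Reader(base64.b64decode(parts[1]))
    key_type = r.string().decode()
    if key_type != parts[0] or key_type != ED25519_CERT:
        raise ValueError(f"unsupported or inconsistent type {key_type!r}")
    r.string()                          # nonce
    r.string()                          # the 32-byte public key being certified
    serial = r.u64()
    cert_type = r.u32()
    key_id = r.string().decode()
    pr = Reader(r.string())             # principals: packed list of strings
    principals = []
    while not pr.done():
        principals.append(pr.string().decode())
    valid_after = r.u64()
    valid_before = r.u64()
    # critical options, extensions, reserved, CA key and signature follow;
    # they are not needed for the renewal decision, so stop here.
    return {"type": CERT_TYPES.get(cert_type, "unknown"), "serial": serial,
            "key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def renewal_state(cert: dict, now: int, lead: int) -> str:
    """'expired', 'renew' (within `lead` seconds of expiry) or 'ok'."""
    if cert["valid_before"] == FOREVER:
        return "ok"                     # never expires; defeats short-lived certs
    if now >= cert["valid_before"]:
        return "expired"
    if cert["valid_before"] - now <= lead:
        return "renew"
    return "ok"


def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_fixture_cert(cert_type: int, key_id: str, principals, valid_after: int,
                       valid_before: int) -> str:
    """CONSTRUCTED fixture (assumption for this example): zeroed nonce, key
    and signature, so it parses but is not a valid certificate."""
    blob = (_s(ED25519_CERT.encode()) + _s(b"\0" * 32) + _s(b"\0" * 32)
            + struct.pack(">QI", 7, cert_type) + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"") + _s(b"") + _s(b""))
    return f"{ED25519_CERT} {base64.b64encode(blob).decode()} fixture"


if __name__ == "__main__":
    import time
    now = int(time.time())
    day = 86400
    host = parse_cert(build_fixture_cert(2, "web01", ["web01.example.internal"],
                                         now - day, now + 30 * day))
    user = parse_cert(build_fixture_cert(1, "alice", ["alice", "ops"],
                                         now, now + day))
    for c in (host, user):
        print(c["type"], c["key_id"], c["principals"],
              renewal_state(c, now, 7 * day if c["type"] == "host" else 3600))
```

A cron job built on this would run `renewal_state` over each `*-cert.pub`, and only on `renew` or `expired` contact the CA for a fresh signature, which is why an unreachable CA does not break existing logins until the current certificate actually lapses.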
Anekdoteles@feddit.org 2 days ago
Sooo, CA unreachable means connection dead, which is a manageable risk. But giving a third party the authority over my SSH access sounds like a great way to make it convenient for state actors to invade my privacy.
mik@sh.itjust.works 20 hours ago
CA unreachable means no renewals, but identity verification (login) is offline. As long as certs renewed fine, connection to the CA is not needed.
AbidanYre@lemmy.world 2 days ago
I mean, the CA is also self-hosted, so I’m not sure what you think the extra attack vector is here.
non_burglar@lemmy.world 3 days ago
Re-gen the keys. In this environment, you would have a PKI set up and automation to handle cert renewal.
Having the certs expire is an advantage, security-wise. Auth will expire with the certs; stolen creds can be instantly invalidated.