Comment on What is the best strategy to refresh ssh keys?
AbidanYre@lemmy.world 2 days ago
Like the other commenter said, they’re expiring regularly. Host keys expire ~monthly and there’s a cronjob to reach out to the certificate authority server to renew them. User certs expire ~daily and the first time I ssh on any given day I have to authenticate. Recently tied it to PocketID for SSO.
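An added example (not the commenter's own scripts) of the cron-side logic behind that setup: read the validity window from `ssh-keygen -L`, decide whether the certificate is due, and build the `ssh-keygen -s` call with the ~monthly host / ~daily user intervals. The sample output, the paths, key IDs, principals and the 7-day renewal threshold are constructed assumptions.

```python
import re
import subprocess
import sys
from datetime import datetime, timedelta

# `ssh-keygen -L` prints either "Valid: from <start> to <end>" (local time,
# no zone) or "Valid: forever" for a certificate signed without -V.
VALID_RE = re.compile(r"Valid:\s+from\s+(\S+)\s+to\s+(\S+)")
TS_FMT = "%Y-%m-%dT%H:%M:%S"

def parse_validity(keygen_output):
    """(not_before, not_after) from ssh-keygen -L text, or None if it never expires."""
    m = VALID_RE.search(keygen_output)
    if m:
        return datetime.strptime(m.group(1), TS_FMT), datetime.strptime(m.group(2), TS_FMT)
    if "Valid: forever" in keygen_output:
        return None
    raise ValueError("no Valid: line; is this ssh-keygen -L output?")

def needs_renewal(keygen_output, now, min_remaining_days=7):
    """True if the cert expires within min_remaining_days of `now` (a TS_FMT string),
    is already expired, or never expires (which breaks a short-lived-cert policy)."""
    window = parse_validity(keygen_output)
    if window is None:
        return True
    not_after = window[1]
    return not_after - datetime.strptime(now, TS_FMT) < timedelta(days=min_remaining_days)

def sign_command(ca_key, pubkey, key_id, principals, validity, host=False):
    """argv for re-issuing pubkey's cert; validity is e.g. '+4w' (host) or '+1d' (user)."""
    cmd = ["ssh-keygen", "-s", ca_key, "-I", key_id, "-n", ",".join(principals), "-V", validity]
    if host:
        cmd.append("-h")  # host certificate rather than user certificate
    cmd.append(pubkey)  # ssh-keygen writes <pubkey minus .pub>-cert.pub next to it
    return cmd

# Constructed sample of `ssh-keygen -L -f ssh_host_ed25519_key-cert.pub` output
SAMPLE_OUTPUT = """ssh_host_ed25519_key-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com host certificate
        Key ID: "web01.example.internal"
        Valid: from 2024-05-01T00:00:00 to 2024-05-29T00:00:00
"""

if __name__ == "__main__":
    # Hypothetical cron usage: renew_check.py /etc/ssh/ssh_host_ed25519_key-cert.pub
    out = subprocess.run(["ssh-keygen", "-L", "-f", sys.argv[1]],
                         capture_output=True, text=True, check=True).stdout
    print("renew" if needs_renewal(out, datetime.now().strftime(TS_FMT)) else "ok")
```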
Anekdoteles@feddit.org 2 days ago
Sooo, CA unreachable means connection dead, which is a manageable risk. But giving a third party the authority over my SSH access sounds like a great way to make it convenient for state actors to invade my privacy.
mik@sh.itjust.works 19 hours ago
CA unreachable means no renewals, but identity verification (login) is offline. As long as certs renewed fine, connection to the CA is not needed.
AbidanYre@lemmy.world 2 days ago
I mean, the CA is also self-hosted so I’m not sure what you think the extra attack vector is here.