key rotation on ssh servers
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed May 15 13:47:38 EST 2013
hi OpenSSH folks--
I have several OpenSSH sshd servers that I've maintained for a long
time. Some of them have keys that are considered short by today's
standards (e.g. 1024-bit RSA keys).
On these servers, I would like to be able to do a key rotation such that
multiple keys are valid during a time window so that users can learn the
new key before I remove the old one. I don't think this is currently
supported, but I'm interested in figuring out how something like this
might happen in the future.
Reading the spec I don't see an explicit prohibition against multiple
keys of the same key type, but I don't see how it would be handled
exactly in the protocol either:
https://tools.ietf.org/html/rfc4253#page-18
Looking at sshd.c, it seems to me that get_hostkey_by_type() only
permits sshd to offer a single key of each type.
Would it be possible for some sshd to offer more than one key of any
given type? If so, would this permit such a key transition for clients
that could support it? Or is there something in the spec that I'm not
seeing which makes this explicitly impossible?
--dkg
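The rotation window the post asks for has a client side as well: a known_hosts file can already hold more than one key of the same type for one host, and a client that accepts any of them is what lets the server switch keys without a "host key changed" alarm. The following is an added example written for this page, not dkg's code and not OpenSSH's implementation; it mimics the lookup and the OK / CHANGED / NEW classification an SSH client performs against known_hosts, including hashed hostnames (`|1|salt|hmac`, as produced by `ssh-keygen -H`). The hostnames and key blobs are constructed stand-ins, not real keys.

```python
"""Client-side view of an SSH host key rotation window (added example).

Not OpenSSH code: a minimal model of how a client checks the host key a
server offers against known_hosts, showing that a known_hosts file holding
BOTH the old and the new key of one type accepts either during the
transition.  Hostnames and key blobs are constructed for the example; the
hashed-hostname format ("|1|<salt>|<hmac-sha1>") is the real convention.
"""
import base64
import hashlib
import hmac

HOST_OK = "OK"            # offered key matches a stored key for this host
HOST_CHANGED = "CHANGED"  # host known with this key type, but the key differs
HOST_NEW = "NEW"          # no stored key of this type for this host


def _host_matches(pattern: str, host: str) -> bool:
    """Match one known_hosts host field: plain name, comma list, or hashed."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expect = base64.b64decode(mac_b64)
        got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, expect)
    return host in pattern.split(",")


def keys_for_host(known_hosts: str, host: str, key_type: str):
    """Return every stored key blob of key_type that applies to host.

    All matching lines are collected, so several keys of one type coexist.
    Marker lines (@cert-authority, @revoked) are skipped; handling them is
    outside this example.
    """
    keys = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, ktype, blob = fields[0], fields[1], fields[2]
        if ktype == key_type and _host_matches(hosts, host):
            keys.append(blob)
    return keys


def check_host_key(known_hosts: str, host: str, key_type: str,
                   offered_blob: str) -> str:
    """Classify the key the server offered: any stored key of that type is
    acceptable, which is exactly what a rotation window needs."""
    stored = keys_for_host(known_hosts, host, key_type)
    if not stored:
        return HOST_NEW
    if any(hmac.compare_digest(offered_blob.encode(), k.encode())
           for k in stored):
        return HOST_OK
    return HOST_CHANGED


def hashed_host_entry(host: str, key_type: str, blob: str, salt: bytes) -> str:
    """Build a hashed known_hosts line (what `ssh-keygen -H` produces)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s %s %s" % (base64.b64encode(salt).decode(),
                               base64.b64encode(mac).decode(),
                               key_type, blob)


# Constructed sample data: the blobs are NOT real keys, just distinct strings.
OLD_RSA = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQCOLD1024"
NEW_RSA = "AAAAB3NzaC1yc2EAAAADAQABAAABAQDNEW4096"
SALT = bytes(range(20))  # known_hosts salts are 20 bytes
KNOWN_HOSTS = "\n".join([
    "# old 1024-bit key, plain hostname and address",
    "shell.example.org,192.0.2.10 ssh-rsa " + OLD_RSA,
    "# new key, pre-distributed in hashed form while the old one still works",
    hashed_host_entry("shell.example.org", "ssh-rsa", NEW_RSA, SALT),
])

if __name__ == "__main__":
    for blob in (OLD_RSA, NEW_RSA, "AAAAB3NzaC1yc2EAAAADAQABUNKNOWN"):
        print(blob[-8:],
              check_host_key(KNOWN_HOSTS, "shell.example.org", "ssh-rsa", blob))
```

One caveat the sample surfaces: a hashed entry covers exactly one name, so the new key added under the hashed `shell.example.org` line does not cover `192.0.2.10`, and a client connecting by address still sees CHANGED when the server starts offering the new key. During a rotation, distribute the new key under every name and address users actually connect with.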