Inspiration from the podiverse, about SSH

I was listening to one of my favourite podcasts (we need another name for these), and the conversation turned to SSH, and specifically SSH keys.

2,5 Admins Ep. 213

The thing about SSH keys

At least for now, most denizens of smolspace most likely know what SSH and SSH keys are; if not, they are similar to the identity certificates used in Gemini, but for PC/server access.

The three show hosts comment on their handling of SSH keys, and given the lack of any real guidelines on this subject, I can't say I felt any of them were particularly wrong.

I, however, think I might have been doing it wrong out of laziness for a long time: mostly I would generate one private/public key pair and then save it in my password safe for indefinite use.

A better way?

Gemini certs, and my getting back into development after quite a long absence, made me think of doing things a bit differently, and it was funny that the episode should then turn up in my backlog.

The way I have been doing things since starting up with Gemini is that each of my devices has one single identity, tied to that device, with its own passphrase. The public key left on servers is then the public half of that identity, with the device's identity as the comment. To my amazement, one of the show hosts was doing it much the same way.

This makes revocation easy as well: replace or remove any lost or offending keys, restart the SSH service to boot everyone off, and you are good.

The problems with the plausible better way

If we assume for a moment that the device a key is generated on keeps it for its lifetime, or until there is a known compromise, then this can potentially be a very, VERY long time.

This means that updates to best practices can take years to reach a key (for my desktop, decades), but is that really a problem? Since my 15-year-old desktop was put into service, the recommended RSA key size (from almost 20 years ago) has only really gone up from 1024 to 4096, with 1024 still being valid, for now.
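As an added example (my own, not from the post or the podcast), here is a small Python audit of the per-device scheme above: it parses a constructed authorized_keys file, reads each key's type and RSA modulus size straight from the key blob, and revokes a device by its comment. The file contents and moduli are made up.

```python
import base64
import struct

def _string(b):
    return struct.pack(">I", len(b)) + b
def _mpint(n):  # SSH mpint: big-endian, leading 0x00 when the top bit is set
    return _string(n.to_bytes(n.bit_length() // 8 + 1, "big"))
def _read_string(buf, off):
    (ln,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + ln], off + 4 + ln

def fake_rsa_blob(bits, e=65537):
    # Made-up modulus with the top bit set so it is exactly `bits` long; not a real key.
    n = (1 << (bits - 1)) | 0x1234_5678_9ABC_DEF1
    return base64.b64encode(_string(b"ssh-rsa") + _mpint(e) + _mpint(n)).decode()

# Constructed authorized_keys: one key per device, with the device name as the comment.
AUTHORIZED_KEYS = "\n".join([
    "# keys accepted on this server",
    f"ssh-rsa {fake_rsa_blob(1024)} desktop-2009",
    f'from="10.0.0.0/8" ssh-rsa {fake_rsa_blob(4096)} laptop',
    "ssh-ed25519 " + base64.b64encode(_string(b"ssh-ed25519") + _string(bytes(32))).decode() + " phone",
])
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def key_bits(blob_b64):
    # Wire format: string type; ssh-rsa then carries mpint e, mpint n. ed25519 is fixed 256-bit.
    buf = base64.b64decode(blob_b64)
    ktype, off = _read_string(buf, 0)
    if ktype == b"ssh-rsa":
        _e, off = _read_string(buf, off)
        n, _ = _read_string(buf, off)
        return int.from_bytes(n, "big").bit_length()
    return 256 if ktype == b"ssh-ed25519" else None

def parse_authorized_keys(text):
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()  # simplification: options with quoted spaces are not handled
        if not fields[0].startswith(KEY_TYPES):  # leading options field, e.g. from="..."
            fields = fields[1:]
        entries.append({"type": fields[0], "bits": key_bits(fields[1]),
                        "comment": " ".join(fields[2:]), "line": line})
    return entries

def revoke(text, device):
    # Drop that device's key line(s); restarting sshd to boot live sessions is a separate step.
    gone = {e["line"] for e in parse_authorized_keys(text) if e["comment"] == device}
    return "\n".join(l for l in text.splitlines() if l not in gone)
```

Run against a real file, the `bits` column is what tells you which decade-old device keys are still 1024-bit RSA.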

So maybe we are good, as long as something in my desktop dies within the next few years? 😂


Created 2024-10-04 - Updated 2024-10-09
