Re: ssh passphrases and sarbanes oxley (SOX)

docmarkus@xxxxxxxxxxxxx wrote:
Hi, group!
This question has been addressed to me by a client and I couldn't find
a solution on the web yet:

As Sarbanes Oxley requires policies like password to be enforced, how
is this handled in ssh/openssh?
Is there an option to apply aging to a key passphrase?
Would it make sense?

Sorry to be so unspecific!
Regards, Markus


IMHO key passphrase aging doesn't gain you anything. If someone gets a
copy of your private key, they have it encrypted with whatever
passphrase it was encrypted with at that time, and they then have all
the time in the world to try to crack it. Remember it's not the
passphrase that authenticates you to the server, it's the key that does
that. You could change your passphrase 100 times, but if they finally
crack that passphrase on that old copy of the key, it's as good as the
one you're using. If you are going to age anything it should probably be
the key pair.

Having said that, I have to admit that I change my passphrase regularly
(but not the keypair). The only reason I change it though is to keep it
in sync with my network password which is required to change every 90 days.

I'd like to hear what the rest of this group has to say on the matter.
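The argument above (the passphrase only encrypts the key at rest; the server checks the key itself, so a stolen encrypted copy survives any number of passphrase changes and only replacing the key pair revokes it) can be modelled in a few lines. The following is an added example, not code from the original thread or from OpenSSH; it stands in a toy PBKDF2 keystream cipher for OpenSSH's real private-key encryption, uses a SHA-256 hash of the key material as the fingerprint the server would hold in authorized_keys, and the passphrases and key bytes are constructed sample values.

```python
"""Model of why rotating an SSH key passphrase does not revoke a stolen key copy.

Constructed illustration, not OpenSSH's actual key format or cipher.
"""
import hashlib
import os

SALT_LEN = 16


def _keystream(passphrase: bytes, salt: bytes, length: int) -> bytes:
    # Toy construction: derive a keystream from the passphrase with PBKDF2 and
    # XOR it over the key material.  Real OpenSSH uses bcrypt_pbkdf + AES, but
    # the security property being illustrated is the same: the passphrase only
    # protects the file at rest.
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 10_000, dklen=length)


def encrypt_private_key(private_key: bytes, passphrase: str) -> bytes:
    salt = os.urandom(SALT_LEN)
    ks = _keystream(passphrase.encode(), salt, len(private_key))
    return salt + bytes(a ^ b for a, b in zip(private_key, ks))


def decrypt_private_key(blob: bytes, passphrase: str) -> bytes:
    salt, ciphertext = blob[:SALT_LEN], blob[SALT_LEN:]
    ks = _keystream(passphrase.encode(), salt, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def fingerprint(private_key: bytes) -> str:
    # The public key (and hence its fingerprint) is derived from the private key;
    # hashing the private key bytes is a stand-in for that derivation.
    return hashlib.sha256(private_key).hexdigest()


def change_passphrase(blob: bytes, old: str, new: str) -> bytes:
    # Equivalent of `ssh-keygen -p`: same key material, new encryption.
    return encrypt_private_key(decrypt_private_key(blob, old), new)


def rotate_keypair(authorized_keys: set, old_key: bytes) -> bytes:
    # Equivalent of generating a new pair and swapping the public key in
    # authorized_keys: the old key is no longer accepted anywhere.
    new_key = os.urandom(32)
    authorized_keys.discard(fingerprint(old_key))
    authorized_keys.add(fingerprint(new_key))
    return new_key


def server_accepts(authorized_keys: set, private_key: bytes) -> bool:
    return fingerprint(private_key) in authorized_keys


def demo() -> tuple:
    """Returns (accepted after passphrase change, accepted after key rotation)."""
    key = os.urandom(32)                       # constructed key material
    authorized = {fingerprint(key)}            # what the server trusts
    on_disk = encrypt_private_key(key, "winter2004")
    stolen_copy = on_disk                      # attacker copies the encrypted file

    # Owner changes the passphrase; the stolen copy still opens with the old one
    # and the server still trusts the key inside it.
    on_disk = change_passphrase(on_disk, "winter2004", "spring2005")
    after_passphrase_change = server_accepts(
        authorized, decrypt_private_key(stolen_copy, "winter2004"))

    # Owner rotates the key pair instead; the stolen copy is now worthless.
    key = rotate_keypair(authorized, key)
    after_key_rotation = server_accepts(
        authorized, decrypt_private_key(stolen_copy, "winter2004"))
    return after_passphrase_change, after_key_rotation


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The first boolean stays True no matter how often `change_passphrase` is called on the owner's copy, which is the poster's point: the passphrase change never reaches the attacker's file. Only `rotate_keypair`, which removes the old fingerprint from the server side, turns it False, so a control mapped to a password-aging policy should age the key pair and the authorized_keys entries, not the passphrase.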