March 30, 2021

Enforcing “one private key per machine”

From my research, best practice is to not rotate ssh keys and not to move private keys across systems; you’re supposed to ssh-keygen once and use it only on that machine.

If you need access from a different machine, you generate a new key pair.

My question is straightforward:

Is it possible to enforce these rules on the server?

The way it would work is that the SSH client sends along with the public key also the “fingerprint” of the machine.

Something tangentially relevant to this happens in reverse already in an SSH setup: if the server has likely changed, then the client is warned of a fingerprint mismatch between previous connections and the about-to-be connection.

PS: with standard tools and without complicating matters too much.
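The SSH protocol carries no identity for the client machine, so the server cannot verify which host holds a private key; the closest server-side control with standard tools is the `from=` option in `authorized_keys`, which pins a key to a source address. The script below is an added example, not code from the question or any project: it parses an `authorized_keys` file, computes each key's SHA256 fingerprint, and reports keys with no `from=` pin and keys accepted from more than one source (the sample file and its key blobs are constructed).

```python
import base64
import hashlib

def split_options(field):
    """Split the options field on commas, skipping commas inside double quotes."""
    out, cur, quoted = [], "", False
    for ch in field:
        quoted ^= ch == '"'
        if ch == "," and not quoted:
            out, cur = out + [cur], ""
        else:
            cur += ch
    return out + [cur]

def parse_line(line):
    """Return (options, key_blob, comment) for one authorized_keys line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts = []
    if not line.split(None, 1)[0].startswith(("ssh-", "ecdsa-", "sk-")):
        i, quoted = 0, False          # options come first: scan to the first unquoted space
        while i < len(line) and (quoted or not line[i].isspace()):
            quoted ^= line[i] == '"'
            i += 1
        opts, line = split_options(line[:i]), line[i:].strip()
    parts = line.split(None, 2)       # keytype, base64 blob, optional comment
    return (opts, parts[1], parts[2] if len(parts) > 2 else "") if len(parts) > 1 else None

def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text):
    """Return (keys with no from= pin, keys pinned to more than one source)."""
    unbound, sources = [], {}
    for opts, blob, _comment in filter(None, map(parse_line, text.splitlines())):
        froms = [o[5:].strip('"') for o in opts if o.startswith("from=")]
        if not froms:
            unbound.append(fingerprint(blob))
        sources.setdefault(blob, set()).update(froms)
    shared = [fingerprint(b) for b, s in sources.items() if len(s) > 1]
    return unbound, shared

BLOB_A = base64.b64encode(b"constructed key material, laptop").decode()     # not a real key
BLOB_B = base64.b64encode(b"constructed key material, build box").decode()  # not a real key
SAMPLE = f"""from="192.0.2.10" ssh-ed25519 {BLOB_A} alice@laptop
from="198.51.100.7" ssh-ed25519 {BLOB_A} alice@laptop
ssh-ed25519 {BLOB_B} ci@build"""
```

Run `audit(SAMPLE)`: the build-box key is reported as unpinned, and the laptop key is reported as accepted from two hosts, which is the server-visible symptom of a private key having been copied between machines.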
