Expired GPG key for ssh authentication

Marko Bauhardt marko.bauhardt at mailbox.org
Sun Jan 29 18:28:37 CET 2017


> On 29 Jan 2017, at 15:18, Andrew Gallagher <andrewg at andrewg.com> wrote:
> 
> 
> On 29 Jan 2017, at 10:39, Marko Bauhardt <marko.bauhardt at mailbox.org> wrote:
> 
>> Now, one year later, my ssh subkey is expired. But I’m still able to log in to my ssh server.
>> My assumption was that I can use this subkey only if the key is valid. Is the expired key working because I’m using the ssh-agent instead of the gpg-agent?
> 
> It is still working because the remote ssh server has no concept of key expiry. When you converted your auth subkey to ssh format you stripped all the expiry info from it. (There is the related problem of your client offering the expired key to the server, but this is relatively harmless).
> 
> If you want your ssh key to stop working when the auth subkey expires, you need to make sure to run monkeysphere on a regular basis (cron) on the remote server, to refresh the authorized_keys and thereby overwrite any ssh keys associated with expired pgp keys. SSH keys themselves do not expire.
> 
> See: http://web.monkeysphere.info/doc/ssh-user-authentication/

Thank you, Andrew.
Makes sense.

Marko
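As an added illustration of Andrew's point (this is constructed example code, not monkeysphere's own tooling and not code from the thread): an authorized_keys line carries no expiry, so the server side has to be rebuilt periodically from the key listing, keeping only authentication subkeys that gpg still reports as valid. It assumes GnuPG 2.1 or later for `gpg --export-ssh-key`; the `SAMPLE_LISTING` is a hand-written `--with-colons` listing, and `export_ssh_key` is the helper name chosen here.

```python
"""Rebuild authorized_keys from only the currently valid GnuPG auth subkeys.
Constructed example for this thread; assumes GnuPG >= 2.1."""
import subprocess
import time
from typing import Callable, List

# Constructed `gpg --list-keys --with-colons --fixed-list-mode` output.
# Field 2 = validity ('e' = expired), field 7 = expiry as epoch seconds
# ('0' or empty = never), field 12 = capabilities ('a' = authentication).
SAMPLE_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1454000000:0::u:::scESCA::::::23::0:
uid:u::::1454000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example User::::::::::0:
sub:e:2048:1:BBBBBBBBBBBBBBBB:1454000000:1485550000:::::a::::::23:
sub:u:2048:1:CCCCCCCCCCCCCCCC:1485600000:1517100000:::::a::::::23:
sub:u:2048:1:DDDDDDDDDDDDDDDD:1454000000:0:::::e::::::23:
"""

def valid_auth_subkeys(listing: str, now: int) -> List[str]:
    """Key IDs of auth-capable subkeys that gpg does not flag as expired,
    revoked or disabled, and whose expiry timestamp (if any) is still ahead."""
    keyids = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] != "sub" or len(f) < 12:
            continue
        validity, keyid, expires, caps = f[1], f[4], f[6], f[11]
        if "a" not in caps:                  # not an authentication subkey
            continue
        if validity in ("e", "r", "d"):      # expired / revoked / disabled
            continue
        if expires and int(expires) <= now:  # also check the date ourselves
            continue
        keyids.append(keyid)
    return keyids

def export_ssh_key(keyid: str) -> str:
    """Ask gpg for the OpenSSH public-key line of exactly this subkey ('!')."""
    out = subprocess.run(["gpg", "--export-ssh-key", keyid + "!"],
                         check=True, capture_output=True, text=True).stdout
    return out.strip()

def build_authorized_keys(listing: str, now: int,
                          exporter: Callable[[str], str] = export_ssh_key) -> str:
    """authorized_keys content; a cron job writes this over the old file."""
    return "".join(exporter(k) + "\n" for k in valid_auth_subkeys(listing, now))

if __name__ == "__main__":
    listing = subprocess.run(["gpg", "--list-keys", "--with-colons", "--fixed-list-mode"],
                             check=True, capture_output=True, text=True).stdout
    print(build_authorized_keys(listing, int(time.time())), end="")
```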
