https://community.hpe.com/t5/operating-system-hp-ux/openssh-check-keys/m-p/3916024#M739489 The SSH key format does not contain any expiration times. <BR /><BR />The "lifetime" that can be set with ssh-add does not affect the key on the disk, just the non-persistent copy of the key in the ssh-agent's memory (at the host running the SSH client).<BR /><BR />Apparently the intention is to provide a sudo-like behavior: if you need to use your SSH key several times in a row, you need to enter your passphrase only once... but after not using the key for a while, you'll need to enter the passphrase again. (Interesting, and maybe very useful; I hadn't noticed this option before.)<BR /><BR />As far as I know, the SSH software has no way to implement an expire time on SSH keys, as the users can generate the keys for themselves with any parameters they wish. <BR /><BR />(Everyone should generate his/her own keys, instead of letting someone else do it: this way one can be sure nobody else has ever seen the private key.)<BR /><BR />The only way to force an expiration of keys on the server side would be to set up a scheduled job to examine the users' public keys (in authorized_keys files or the like) and store a copy/fingerprint/digest of them for future comparisions. On subsequent runs, if the user's key was first seen more than X days ago, do something to prevent the use of that key. You might also want to warn the user somehow when the user's key is almost X days old. Wed, 20 Dec 2006 15:08:22 GMT Matti_Kurkela 2006-12-20T15:08:22Z https://community.hpe.com/t5/operating-system-hp-ux/openssh-check-keys/m-p/3916022#M739487 How can I check/list the contents of the<BR />ssh key(s)? I did not setup ssh on the box(es)<BR />and do not know what has been done. <BR />There is a question if the key(s) have<BR />been setup with an expire time set.<BR />Currently our UNIX server connects to a<BR />windows server running OpenSSH. From what<BR />The windows server is setup with this <BR />sshd_config:<BR /><BR />Protocol 2<BR />PermitRootLogin yes<BR />StrictModes no<BR />RSAAuthentication no<BR />PubkeyAuthentication yes<BR />AuthorizedKeysFile .ssh/authorized_keys<BR />IgnoreUserKnownHosts yes<BR />PasswordAuthentication yes<BR />UsePrivilegeSeparation no<BR />MaxStartups 10:30:60<BR />Banner /etc/banner.txt<BR />Subsystem sftp /usr/sbin/sftp-server<BR /><BR /><BR /><BR />I assume that the commands would be the same <BR />on both platforms to check the keys. <BR />I cannot find what I am looking for in the man <BR />pages. Currently we can connect to the<BR />windows server as sshadmin@<IP> without the<BR />sshd on the windows server asking for a <BR />password.<BR /></IP> Wed, 20 Dec 2006 14:05:30 GMT https://community.hpe.com/t5/operating-system-hp-ux/openssh-check-keys/m-p/3916022#M739487 jerry1 2006-12-20T14:05:30Z https://community.hpe.com/t5/operating-system-hp-ux/openssh-check-keys/m-p/3916023#M739488 Jerry,<BR /><BR />$ cat ~/.ssh/authorized_keys<BR /><BR />I know a key can be made to expire via 'ssh-add -t <LIFETIME>'. However, I'm not sure how you would check the expiry after-the-fact.<BR /><BR />PCS</LIFETIME> Wed, 20 Dec 2006 14:35:25 GMT https://community.hpe.com/t5/operating-system-hp-ux/openssh-check-keys/m-p/3916023#M739488 spex 2006-12-20T14:35:25Z https://community.hpe.com/t5/operating-system-hp-ux/openssh-check-keys/m-p/3916024#M739489 The SSH key format does not contain any expiration times. <BR /><BR />The "lifetime" that can be set with ssh-add does not affect the key on the disk, just the non-persistent copy of the key in the ssh-agent's memory (at the host running the SSH client).<BR /><BR />Apparently the intention is to provide a sudo-like behavior: if you need to use your SSH key several times in a row, you need to enter your passphrase only once... but after not using the key for a while, you'll need to enter the passphrase again. (Interesting, and maybe very useful; I hadn't noticed this option before.)<BR /><BR />As far as I know, the SSH software has no way to implement an expire time on SSH keys, as the users can generate the keys for themselves with any parameters they wish. <BR /><BR />(Everyone should generate his/her own keys, instead of letting someone else do it: this way one can be sure nobody else has ever seen the private key.)<BR /><BR />The only way to force an expiration of keys on the server side would be to set up a scheduled job to examine the users' public keys (in authorized_keys files or the like) and store a copy/fingerprint/digest of them for future comparisions. On subsequent runs, if the user's key was first seen more than X days ago, do something to prevent the use of that key. You might also want to warn the user somehow when the user's key is almost X days old. Wed, 20 Dec 2006 15:08:22 GMT https://community.hpe.com/t5/operating-system-hp-ux/openssh-check-keys/m-p/3916024#M739489 Matti_Kurkela 2006-12-20T15:08:22Z https://community.hpe.com/t5/operating-system-hp-ux/openssh-check-keys/m-p/3916025#M739490 Hi,<BR /> I am not sure whether my reply with solve your problem.<BR /><BR />you can check the public keys you have generated using ssh-keyscan command.<BR /><BR />HTH,<BR />Prabu.S Wed, 20 Dec 2006 23:47:15 GMT https://community.hpe.com/t5/operating-system-hp-ux/openssh-check-keys/m-p/3916025#M739490 Senthil Prabu.S_1 2006-12-20T23:47:15Z