We currently don't enforce SSH key rotation, since we have no way to 'police' it.
For our organization, ideally we'd have our developers roll their keys once a year at minimum. It would be really nice if we had an option globally to enforce SSH key rotation... What would be even better is if you had that, plus we could add override settings with a user group.
Fictional use case example: We have a client with a lot of PII stored on their server. Per legal regulations our keys need to be rotated once every 90 days. Only a subset of our developers have access to this particular server (managed via a User Group, which grants access to that device), so I don't think it's fair to force all of our developers to roll keys every 90 days. SO... If developer is in that user group, then force rotation every 90 days.
Here... I even mocked it up for you 😉
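An added example of the policy logic sketched above (not JumpCloud's own tooling or API, and not the mock-up from the post): a default yearly rotation interval, a stricter override keyed by user group, and an audit that flags overdue keys. The group name, users, dates and fingerprints are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical rotation policy: one default interval for everyone, plus
# stricter overrides keyed by user-group name. When a user is in several
# groups, the most restrictive (smallest) interval applies.
DEFAULT_MAX_AGE_DAYS = 365
GROUP_OVERRIDES = {"pii-server-access": 90}  # constructed example group


@dataclass
class SshKeyRecord:
    user: str
    fingerprint: str
    created: date
    groups: list = field(default_factory=list)


def max_age_for(groups, default=DEFAULT_MAX_AGE_DAYS, overrides=GROUP_OVERRIDES):
    """Return the strictest rotation interval that applies to these groups."""
    applicable = [overrides[g] for g in groups if g in overrides]
    return min(applicable + [default])


def rotation_report(records, today):
    """Classify each key as 'ok', 'due_soon' (14 days or less left) or 'overdue'."""
    report = {}
    for rec in records:
        limit = max_age_for(rec.groups)
        age = (today - rec.created).days
        days_left = limit - age
        if days_left < 0:
            status = "overdue"
        elif days_left <= 14:
            status = "due_soon"
        else:
            status = "ok"
        report[rec.user] = {"fingerprint": rec.fingerprint, "max_age_days": limit,
                            "age_days": age, "status": status}
    return report


# Constructed sample data, not taken from any real directory.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    SshKeyRecord("alice", "SHA256:constructed-alice", date(2024, 2, 1), ["developers", "pii-server-access"]),
    SshKeyRecord("bob", "SHA256:constructed-bob", date(2023, 9, 1), ["developers"]),
    SshKeyRecord("carol", "SHA256:constructed-carol", date(2024, 3, 10), ["developers", "pii-server-access"]),
]

if __name__ == "__main__":
    for user, info in rotation_report(SAMPLE_RECORDS, SAMPLE_TODAY).items():
        print(f"{user}: {info['status']} (age {info['age_days']}d, limit {info['max_age_days']}d)")
```

Fed with real key-creation dates and group memberships exported from a directory, the report gives the compliance team the list of users to chase rather than forcing everyone onto the strictest schedule.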
Is there a way to +1 a feature request? We're rolling out a new compliance framework that requires this too... Only way I can think to do this is to delete the Devs' public key from their portal and tell them to generate a new one, or run a new one for them. But that sounds super un-scalable...
@BenGarrison have you heard of anyone using a 3rd party KMS with JumpCloud, or have any ideas how something like that could work?
Dropping this in here in case anyone else finds it useful. This was the guidance shared with us by our compliance team re: how to meet this standard.
I think we're going to try out a solution where we have a network requirement on top of ssh keys for user access, with the network access tied to a JumpCloud user group, and see if we can pass with that...