SSH-KeyRot is a program that rotates ssh authentication keys on local and remote systems. The purpose is to limit the usefulness of stolen keys: once a key has been rotated, the stolen copy no longer authenticates.

We recommend that you rotate your ssh keys daily, preferably automated with cron. We also recommend that you have one keypair per user per host, named ~/.ssh/id_rsa-user@host

If this is your first time running ssh-keyrot, you may be prompted for the remote user's password 5 times. An alternative is to use the --pwfile option with a file that contains a list of possible passwords. Once initialized, you may rotate the key non-interactively as often as you like. Before you begin, please read the help screen by executing 'ssh-keyrot --help'.

How the key rotation works:

  1. Check for an authorized_keys lockfile on the remote server. If a lockfile exists, ssh-keyrot will try again a few times at 20-40 second wait intervals. Ssh-keyrot will send an email and exit if the lockfile remains.
  2. Ssh-keyrot will create a lockfile on the remote server, containing information such as the originating user, host, and pid.
  3. Generate new keys.
  4. Pull authorized_keys from the remote host.
  5. Put the new key in the remote's authorized_keys file.
  6. Push the new authorized_keys file to the remote server.
  7. Re-pull the authorized_keys from the remote server. If this fails, ssh-keyrot will send an email and exit, leaving the current local keys untouched.
  8. Remove any keys from the remote's authorized_keys that match the originating user & host, ignoring the current keyrot timestamp tag. These are identified by the identity (comment) field of the public key.
  9. Replace the current keys on the originating server. Backups will be made with a '.old' extension.
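The authorized_keys rewrite in steps 5, 7 and 8 is the part of the procedure worth getting right: only keys whose identity field matches the originating user@host are removed, every other entry (including ones with options such as from= or command=) is kept verbatim, and the local keys are only replaced once the re-pulled file provably contains the new key. The following is an added example of that logic, not ssh-keyrot's own code; the page does not state the timestamp tag's syntax, so the "user@host keyrot=<stamp>" comment format and the sample data are assumptions.

```python
import re

# Assumed tag syntax (not given on the page): "user@host keyrot=<stamp>".
TAG_RE = re.compile(r"\s+keyrot=\S+$")

# One authorized_keys entry: optional options prefix (from=, command=, ...),
# key type, base64 blob, optional comment. Non-matching lines (blank, '#'
# comments) are passed through untouched.
KEY_RE = re.compile(
    r"^(?P<opts>.*?)(?:^|\s)"
    r"(?P<type>ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>\S.*))?\s*$"
)


def identity_of(comment):
    """'apache@webserver01 keyrot=20240101T000000' -> 'apache@webserver01'."""
    return TAG_RE.sub("", comment or "").strip()


def rotate_authorized_keys(text, identity, new_key_line):
    """Steps 5 and 8 combined: drop every key whose identity equals
    `identity` (whatever its timestamp tag), keep all other lines as they
    are, then append the new key. Returns (new_text, keys_removed)."""
    kept, removed = [], 0
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m and identity_of(m.group("comment")) == identity:
            removed += 1
            continue
        kept.append(line)
    kept.append(new_key_line.strip())
    return "\n".join(kept) + "\n", removed


def new_key_present(text, new_key_line):
    """Step 7 check: replace the local keys (step 9) only if the re-pulled
    file really contains the new key's blob."""
    new_blob = KEY_RE.match(new_key_line.strip()).group("blob")
    return any(m and m.group("blob") == new_blob
               for m in (KEY_RE.match(l) for l in text.splitlines()))


# Constructed sample data for this example, not taken from any real system.
SAMPLE = """\
# constructed authorized_keys: two old keyrot keys plus one unrelated key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYONE apache@webserver01 keyrot=20240101T000000
from="10.0.0.5" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUNRELATED deploy@buildhost
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYTWO apache@webserver01
"""
NEW_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEY apache@webserver01 keyrot=20240102T000000"
```

Running `rotate_authorized_keys(SAMPLE, "apache@webserver01", NEW_KEY)` removes both old apache keys, keeps the deploy@buildhost entry with its from= option intact, and appends NEW_KEY.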

How to use ssh-keyrot:

Anything starting with * is required. If you are running this for the very first time, then you will have to type the password several times.
  --bits=bits                     Number of bits in the key to create.
* --localkey=filename             FULL PATH to the ssh private key file.
  --type={dsa|rsa|ecdsa|ed25519}  Specify the type of key to create.  Options are rsa, dsa, ecdsa, ed25519.
  --comment="comment"             Provide a comment that will be appended to the public key.
* --remoteuser=username           Log in using this user name.
  --sshconfig=filename            Config file (default: ~/.ssh/config).
  --port=port                     Connect to a non-standard port.  Server must be on the same port.
  --option="option"               Process the option as if it was read from a configuration file.
* --mail="email"                  Email all errors to the specified recipient.
* --targetfile="remote file"      FULL PATHNAME to the authorized keys file on the target system.
  --pwfile="password file"        Contains a list of possible passwords to attempt if keys are not set up yet.
  --debug                         Enable debug output.
  --keyoptions="options"          Options for the authorized keys file.
* --host=host                     Host to connect to.
  --with-ssh=                     Specify the full path of the ssh executable.  Default is /usr/bin/ssh
  --with-scp=                     Specify the full path of the scp executable.  Default is /usr/bin/scp
  --with-ssh-keygen=              Specify the full path of the ssh-keygen executable.  Default is /usr/bin/ssh-keygen
  --help                          Show ssh-keyrot usage and exit.

Example: ssh-keyrot --type=rsa --remoteuser=apache --mail='' --targetfile=/home/apache/.ssh/authorized_keys --host=webserver01 --localkey=/home/user/.ssh/id_rsa-apache_webserver01