Expiration / enforce change of passphrase for private ssh keys

Simple answer, no. SSH keys are simple cryptographic keys, if you want to add a validity period to it, you end up in PKI territory.

There is an answer on the Ubuntu Stack Exchange site, asking how to make SSH keys expire automatically, but this is to do with using the ssh-agent tool.

Alternatively, you can use a third party app installed on your server to automatically expire SSH keys based on custom settings. One nice example of this is the SSHARK tool, which uses custom DNS records to record key validity, and using the command= feature in the authorized_keys file.

Keep in mind that there is no way to tell from the public key alone whether the private key even has a passphrase associated with it, and no way to know what the passphrase is or when it was last changed even with access to the private key (although a good guess may be that if the private key has been rewritten per its last modified timestamp since it was first generated, it was to change the passphrase on the key).

An approach which does not require access to the private keys might go something like this:

• require by policy the use of an external tool to distribute public keys,
• record in that tool when a public key was submitted, and
• actively remove the public key from all systems on the expiration date or when explicitly revoked.

The centralized public key repository must retain expired keys for as long as is required to prevent reuse, ideally forever but we all know how that works.

Something that looks sort of like what you want is using an SSH user CA, which allows you to set a lifetime on the signed key. Whatever automation you put around key signing can refuse to sign for more than 90 days. Then, add the public key for your user CA to TrustedUserCAKeys in /etc/ssh/sshd_config and set AuthorizedKeysFile to none.

The Validity interval you mention is part of the SSH CA system, and AFAIK only applicable in an SSH CA.