How often should an SSH key pair be changed?
I've been using a 1024-bit RSA key for passwordless SSH between my own systems for years. More recently I've also started using it for passwordless access to my hosting providers and to source code repositories.
Is using the same key pair for an extended period of time, and to access multiple resources, an issue?
Do you protect your private key with a pass-phrase and use ssh-agent to provide 'passwordless' logins?
As long as you didn't create them 2006 to 2008 on a Debian based system... http://www.debian.org/security/2008/dsa-1571
some related question about the "access multiple resources": http://superuser.com/questions/18255/is-it-a-bad-idea-to-use-the-same-private-ssh-key-on-multiple-computers
Your keys are only as safe as the medium and method used to store them. Find the weakest link and set your re-generation policy accordingly.
SSH keys must be protected and secured, and have a tight control process and policy around them. They must be mapped and rotated/replaced proactively. SSH keys are easily copied and abused if not monitored and can be used by cyber criminals to infiltrate your host/network and steal whatever you have on there (intellectual property.etc) without anyone knowing.
Yes, strictly speaking it is recommended to expire SSH keys after a while (this could depend of the key length, vulnerabilities found in the key generator, etc.). However such mechanism was not foreseen by SSH. And it is cumbersome to go to every possible remote hosts and delete the public key.
There is a solution - though I never tried it yet, but keep it for when I will have some free time - MonkeySphere for OpenSSH project. It will allow to manage expiration of your keys as far as I understood it!