| 1 |
On Thursday, 28 November 2019 22:15:52 GMT Ian Zimmerman wrote: |
| 2 |
> For my ssh keys that require passphrases, I use ssh-agent to cache the |
| 3 |
> decrypted key so I don't have to type the passphrase every time. Until |
| 4 |
> yesterday there was only one such key; last night I added a new one |
| 5 |
> [1]. And, being the lazy thinker I am, I used the same passphrase as |
| 6 |
> for the old one. |
| 7 |
|
| 8 |
There is nothing inherently wrong with this, unless your single passphrase is |
| 9 |
compromised by a malicious entity. Conceivably they will then be able to |
| 10 |
decrypt both of your private SSH keys. |
| 11 |
|
| 12 |
|
| 13 |
> Now, I find that when I run ssh-add to tell ssh-agent about my keys, |
| 14 |
> _both_ are added to the session after asking me the passphrase only |
| 15 |
> once! This can only be secure and correct if the agent somehow compares |
| 16 |
> the passphrases and knows they are the same; even then, it is _very_ |
| 17 |
> surprising. Have you seen this and how do you explain it? |
| 18 |
|
| 19 |
I don't use ssh-agent to know its quirks, but from what I understand it will |
| 20 |
continue to use the last passphrase you keyed in the terminal when you run it. |
| 21 |
If your 2nd, 3rd, ..., nth private keys had different passphrases the ssh- |
| 22 |
agent would prompt for a different passphrase to decrypt the next key and then |
| 23 |
use that passphrase thereafter. |
| 24 |
|
| 25 |
> [1] |
| 26 |
> It was necessary to create a new rsa type key because of a stupid server |
| 27 |
> which doesn't understand ecdsa keys. |
| 28 |
|
| 29 |
Which is fine. Just set up in your client machine ~/.ssh/config with the |
| 30 |
appropriate (rsa) key to use on the 'stupid' server and when you try to |
| 31 |
connect to it your ssh client will not use other keys on this connection. |
| 32 |
-- |
| 33 |
Regards, |
| 34 |
|
| 35 |
Mick |
Archives