On Thursday, 28 November 2019 22:15:52 GMT Ian Zimmerman wrote:

> For my ssh keys that require passphrases, I use ssh-agent to cache the
> decrypted key so I don't have to type the passphrase every time. Until
> yesterday there was only one such key; last night I added a new one
> [1]. And, being the lazy thinker I am, I used the same passphrase as
> for the old one.

There is nothing inherently wrong with this, unless your single passphrase is
compromised by a malicious entity. Conceivably they will then be able to
decrypt both of your private SSH keys.

> Now, I find that when I run ssh-add to tell ssh-agent about my keys,
> _both_ are added to the session after asking me the passphrase only
> once! This can only be secure and correct if the agent somehow compares
> the passphrases and knows they are the same; even then, it is _very_
> surprising. Have you seen this and how do you explain it?

I don't use ssh-agent to know its quirks, but from what I understand it will
continue to use the last passphrase you keyed in the terminal when you run it.
If your 2nd, 3rd, ..., nth private keys had different passphrases the
ssh-agent would prompt for a different passphrase to decrypt the next key and
then use that passphrase thereafter.

> [1]
> It was necessary to create a new rsa type key because of a stupid server
> which doesn't understand ecdsa keys.

Which is fine. Just set up in your client machine ~/.ssh/config with the
appropriate (rsa) key to use on the 'stupid' server and when you try to
connect to it your ssh client will not use other keys on this connection.
--
Regards,

Mick
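As an added example (not part of Mick's reply), this is the kind of ~/.ssh/config entry he describes, with IdentitiesOnly added so the client really does offer nothing but the chosen key; the host alias, hostname, user and key path are placeholders.

```sshconfig
# Added example, not from the original thread. Host alias, HostName, User
# and key path are placeholders; replace them with your own values.

# The server that only accepts RSA keys.
Host stupid-server
    HostName stupid-server.example.org
    User ian
    # Offer only this key on this connection. If ssh-agent already holds
    # it, the agent is still used to sign with it; no passphrase prompt.
    IdentityFile ~/.ssh/id_rsa_stupid_server
    # Without this, ssh first offers every key loaded in ssh-agent (the
    # ecdsa one included) and only then falls back to the IdentityFile.
    IdentitiesOnly yes

# Everything else keeps the default behaviour: agent keys, then the
# standard ~/.ssh/id_* files. AddKeysToAgent needs OpenSSH 7.2 or later.
Host *
    AddKeysToAgent yes
```

`ssh -G stupid-server` prints the options that will actually apply, and `ssh -v stupid-server` shows which identities are offered during authentication.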