On Thursday, 28 November 2019 22:15:52 GMT Ian Zimmerman wrote:
> For my ssh keys that require passphrases, I use ssh-agent to cache the
> decrypted key so I don't have to type the passphrase every time.  Until
> yesterday there was only one such key; last night I added a new one
> [1].  And, being the lazy thinker I am, I used the same passphrase as
> for the old one.

There is nothing inherently wrong with this, unless your single passphrase is 
compromised by a malicious entity.  Conceivably they will then be able to 
decrypt both of your private SSH keys.
 

> Now, I find that when I run ssh-add to tell ssh-agent about my keys,
> _both_ are added to the session after asking me the passphrase only
> once!  This can only be secure and correct if the agent somehow compares
> the passphrases and knows they are the same; even then, it is _very_
> surprising.  Have you seen this and how do you explain it?

I don't use ssh-agent to know its quirks, but from what I understand it will 
continue to use the last passphrase you keyed in the terminal when you run it.  
If your 2nd, 3rd, ..., nth private keys had different passphrases the ssh-agent 
would prompt for a different passphrase to decrypt the next key and then use 
that passphrase thereafter.

> [1]
> It was necessary to create a new rsa type key because of a stupid server
> which doesn't understand ecdsa keys.

Which is fine.  Just set up in your client machine ~/.ssh/config with the 
appropriate (rsa) key to use on the 'stupid' server and when you try to 
connect to it your ssh client will not use other keys on this connection.
-- 
Regards,

Mick
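A ~/.ssh/config entry of the kind suggested above, added here as an example (it is not from the original thread); the host alias, hostname, user and key file names are placeholders. The `IdentitiesOnly yes` line is what actually stops the client from also offering the other keys the agent holds:

```ssh_config
# Placeholder entry for the server that only accepts RSA keys.
Host legacy-box
    HostName legacy.example.org      # assumed hostname
    User alice                       # assumed login name
    # Offer only this key, even if ssh-agent has others loaded.
    IdentityFile ~/.ssh/id_rsa_legacy
    IdentitiesOnly yes

# Everything else keeps using the ECDSA key.
Host *
    IdentityFile ~/.ssh/id_ecdsa
    IdentitiesOnly yes
```

With `IdentitiesOnly yes` in place, `ssh -v legacy-box` shows only the configured key being tried, so a server that logs offered public keys never sees the ECDSA one.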
