DragonFly BSD
DragonFly users List (threaded) for 2005-04

Re: dsa vers rsa ssh key


From: "Jason M. Leonard" <fuzz@xxxxxxxxxxxxx>
Date: Mon, 4 Apr 2005 01:56:21 -0400 (EDT)



On Mon, 4 Apr 2005 nega@xxxxxxxxxxxxxx wrote:

Jason M. Leonard writes:
[...]

> An ssh identity file (such as id_dsa) contains a single key.
>
> Why do you want to do this?  You're pretty sure you are you, right?  And
> you're pretty sure you should be allowed to access both sets of machines,
> right?  If what you want to accomplish is to allow other users to access
> your work machines, make additional entries for their public keys in the
> target host's authorized_keys file.
>

What if you don't control the key policy of the machines you want to
connect to? What if you typically use a key size of 1024 bits, but the
remote machine requires a key size of 2048 bits? What if you want
access to my machine, but I provide you with the key? What if you're
paranoid and want to have a different key (and hopefully different
passphrase) for each machine you want to connect to?

I was not referring to theoretical situations; my questions were directed at the original poster, who only just now discovered the difference between DSA and RSA. The simple solution is usually the right one, and it sounds to me like he is trying to make his life more complicated than it needs to be. The average user sees no security benefit from maintaining multiple sets of credentials; for them, maintaining a list of strong passphrases for each machine they connect to is absurdly complex. My users (we use Kerberos tickets rather than ssh keys, but the same applies) connect to any of several dozen machines in the course of a day; they would revolt if I even suggested they maintain separate credentials for each.


> If you really want to do it the way you describe, the easiest way is to
> use RSA keys for one (id_rsa) and DSA keys for the other (id_dsa)--ssh
> will do the right thing with no additional options.  To get fancier, see
> the -i option in the man page.
>

That's not necessary. You can have a gazillion different DSA keys, as
long as they all have different filenames.

It isn't necessary; it is, as I said, the easiest way. It requires no additional flags to ssh, nor any tweaking of any configuration files: drop the two keys in ~/.ssh and it Just Works.



:Fuzz
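For readers who do want the per-machine keys discussed in this thread, here is an added ~/.ssh/config example (not from either poster) showing the "different filenames" approach alongside the default id_rsa/id_dsa fallback. Hostnames and key file names are assumptions.

```sshconfig
# Added example: one key per host via ~/.ssh/config.
# Generate the extra keys with distinct filenames, e.g.
#   ssh-keygen -t dsa -f ~/.ssh/id_dsa_work
#   ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa_partner_2048
# The per-host entries below are equivalent to passing -i on the command line,
# e.g.  ssh -i ~/.ssh/id_dsa_work work-1.example.com

# Work machines: dedicated DSA key (hostname pattern is assumed)
Host work-*.example.com
    IdentityFile ~/.ssh/id_dsa_work
    # Offer only this key, not every identity ssh knows about;
    # otherwise each server sees every public key you hold.
    IdentitiesOnly yes

# Remote site that requires a 2048-bit key: separate key and passphrase
Host gateway.partner.example
    IdentityFile ~/.ssh/id_rsa_partner_2048
    IdentitiesOnly yes

# Everything else: the no-options case from the thread, where ssh tries
# the default identity files in turn.
Host *
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_dsa
```

Note that current OpenSSH releases disable ssh-dss host and user keys by default, so on a modern system the RSA-for-one/DSA-for-the-other trick will not work unless DSA is explicitly re-enabled; distinct RSA or Ed25519 filenames with IdentityFile give the same per-host separation.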



