I think this question can be considered from two different angles: security and convenience.

When we create an SSH key pair, we are asked to provide a passphrase to add one more layer of protection to the private key, as follows:

    $ ssh-keygen -t rsa -b 4096 -C 'With_OR_Without_Passwd'
    Enter file in which to save the key (/Your/HomeDir/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):

Although there is an explicit prompt asking for a passphrase, some (or many) people still focus more on the information in brackets, (empty for no passphrase), and follow that suggestion.

Combining whether or not to use multiple SSH key pairs and whether or not to enter an additional passwd, we have at least four ways to go. And let's assume all key pairs and the config file are stored in ~/.ssh/.

The following table gives a simple rank about security (larger number means more secure):

    Security   Ways to go
    2          Multi SSH key-pairs (WITH passwd) (SAME passwd)
    3          Multi SSH key-pairs (WITH passwd) (DIFF passwds)

A private key corresponds to a single "identity" for a given user, whatever that means to you. If, to you, an "identity" is a single person, or a single person on a single machine, or perhaps a single instance of an application running on a single machine. The level of granularity is up to you.

As far as security is concerned, you don't compromise your key in any way by using it to log in on a machine (as you would by using a password), so having separate keys for separate destinations doesn't make you any more safe from an authentication/security perspective. Though having the same key authorized for multiple machines does prove that the same key-holder has access to both machines from a forensic perspective. Typically that's not an issue, but it's worth pointing out.

Also, the more places a single key is authorized, the more valuable that key becomes. If that key gets compromised, more targets are put at risk.

Also, the more places the private key is stored (say, your work computer, your laptop, and your backup storage, for example), the more places there are for an attacker to go to grab a copy. So that's worth considering as well.

As for universally-applicable guidelines on how to run your security: there are none. The more additional security you add, the more convenience you give up. The one piece of advice I can give categorically is this: keep your private key encrypted. The added security there is pretty significant.

There's one important way in which authorizing the same SSH key in different security contexts could be a problem, and that issue has to do with agent forwarding. The constraints and caveats around safely using agent forwarding are outside the scope of this question though.

The standard procedure for creating a Secure Shell public/private key pair follows. For information on additional options, see ssh-keygen(1).

Enter the path to the file that will hold the key. By default, the file name id_rsa, which represents an RSA v2 key, appears in parentheses. You can select this file by pressing Return, or you can type an alternative file name.

    Enter file in which to save the key(/home/johndoe/.ssh/id_rsa):

The public key name is created automatically and the string …

This passphrase is used for encrypting your private key. A good passphrase is 10–30 characters long, mixes alphabetic and numeric characters, and avoids simple English prose and English names. A null entry means no passphrase is used, but this entry is strongly discouraged for user accounts. Note that the passphrase is not displayed when you type it in.

    Enter passphrase(empty for no passphrase):

Your identification has been saved in /home/johndoe/.ssh/id_rsa. The key fingerprint (a colon-separated series of 2-digit hexadecimal values) is displayed.

Check that the path to the key is correct. In the example, the path is /home/johndoe/.ssh/id_rsa.pub. At this point, you have created a public/private key pair.

Copy the public key and append the key to the $HOME/.ssh/authorized_keys file in your home directory on the remote host.
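Both the question's passphrase prompt and the procedure's passphrase step come down to one check a defender can automate: is a given private key file actually passphrase-protected, and is it readable only by its owner? The following Python script is an added example, not code from the original post or from the ssh-keygen documentation. It parses the openssh-key-v1 container (the ciphername and kdfname fields read "none" for an unprotected key), the Proc-Type header of legacy PEM keys, and the two PKCS#8 armour headers, then audits a directory the way sshd's own permission rule does (no group/other bits). The key files written by demo() are constructed containers with dummy payloads, not real key material; the file names and the demo() helper are assumptions.

```python
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (payload, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(text: str) -> dict:
    """Report a PEM-armored private key's container format and whether it is passphrase-protected."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armored key")
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # openssh-key-v1 layout: magic, string ciphername, string kdfname, string kdfoptions, ...
        blob = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        cipher, kdf = cipher.decode("ascii"), kdf.decode("ascii")
        return {"format": "openssh-key-v1", "encrypted": cipher != "none", "cipher": cipher, "kdf": kdf}
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return {"format": "pkcs8", "encrypted": True, "cipher": None, "kdf": None}
    if header == "-----BEGIN PRIVATE KEY-----":
        return {"format": "pkcs8", "encrypted": False, "cipher": None, "kdf": None}
    if header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by a "Proc-Type: 4,ENCRYPTED" header line
        encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:4])
        return {"format": "pem-legacy", "encrypted": encrypted, "cipher": None, "kdf": None}
    raise ValueError(f"unrecognised header: {header}")


def audit_directory(ssh_dir) -> list:
    """Classify every private key file in ssh_dir and check its mode has no group/other bits."""
    findings = []
    for p in sorted(Path(ssh_dir).iterdir()):
        if not p.is_file():
            continue
        text = p.read_text(errors="replace")
        if "PRIVATE KEY-----" not in text.split("\n", 1)[0]:
            continue  # public keys, config, known_hosts and so on are skipped
        try:
            info = classify_private_key(text)
        except ValueError as exc:
            info = {"format": "unknown", "encrypted": None, "cipher": None, "kdf": None, "error": str(exc)}
        info["file"] = p.name
        info["mode_ok"] = (stat.S_IMODE(p.stat().st_mode) & 0o077) == 0
        findings.append(info)
    return findings


def make_openssh_key_text(cipher: str, kdf: str) -> str:
    """Constructed sample: an openssh-key-v1 container with a dummy payload (no real key material)."""
    kdfoptions = b"" if kdf == "none" else _ssh_string(b"\x00" * 16) + struct.pack(">I", 16)
    blob = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(kdfoptions) + struct.pack(">I", 1)
            + _ssh_string(b"placeholder-public-key") + _ssh_string(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample: legacy PEM armour with the encryption header; the body is not a real key.
LEGACY_PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgcmVhbCBrZXkgbWF0ZXJpYWw=
-----END RSA PRIVATE KEY-----
"""


def demo() -> dict:
    """Write constructed sample files into a temporary ~/.ssh-like directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        (d / "id_ed25519").write_text(make_openssh_key_text("aes256-ctr", "bcrypt"))  # protected
        (d / "id_rsa_nopass").write_text(make_openssh_key_text("none", "none"))      # unprotected
        (d / "legacy_rsa").write_text(LEGACY_PEM_ENCRYPTED)
        (d / "id_ed25519.pub").write_text("ssh-ed25519 AAAA-placeholder user@host\n")
        (d / "config").write_text("Host *\n  IdentitiesOnly yes\n")
        os.chmod(d / "id_ed25519", 0o600)
        os.chmod(d / "id_rsa_nopass", 0o644)   # deliberately too open
        os.chmod(d / "legacy_rsa", 0o600)
        return {f["file"]: f for f in audit_directory(d)}


if __name__ == "__main__":
    for name, f in demo().items():
        print(f"{name:16} {f['format']:16} encrypted={f['encrypted']} mode_ok={f['mode_ok']}")
```

Running it against a real ~/.ssh (audit_directory(Path.home() / ".ssh")) lists every key with encrypted=False; ssh-keygen -p -f <file> adds a passphrase to such a key in place, and chmod 600 fixes the mode finding.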
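The answer's point that a key authorized in many places becomes more valuable, and that forwarding an agent holding it widens the exposure, is easiest to see from an inventory of where each key is authorized. This Python example is added here and is not part of the original answer or the documentation: it reads authorized_keys contents collected from several hosts, computes the SHA256 fingerprint in the form OpenSSH prints (unpadded base64 of the digest of the key blob), and reports keys authorized on more than one host together with the hosts on which they carry no restricting options such as command= or no-agent-forwarding. The host names in SAMPLE_HOSTS and the key blobs are constructed (ed25519 wire layout with digest-derived bytes, not real keys).

```python
import base64
import hashlib
import shlex
import struct

KEY_TYPE_PREFIXES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-sha2-")


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(b)) + b


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint of a base64 public key blob, formatted as OpenSSH does."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def embedded_key_type(key_b64: str) -> str:
    """Key type recorded inside the blob (its first SSH string); should match the declared type."""
    raw = base64.b64decode(key_b64)
    (n,) = struct.unpack_from(">I", raw, 0)
    return raw[4:4 + n].decode("ascii", errors="replace")


def parse_authorized_keys(text: str):
    """Yield (options, keytype, blob_b64, comment) for each key line; blank and # lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)  # keeps a quoted command="..." option in one field
        except ValueError:
            fields = line.split()        # unbalanced quote in a comment; fall back to plain split
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        yield " ".join(fields[:idx]), fields[idx], fields[idx + 1], " ".join(fields[idx + 2:])


def key_inventory(hosts: dict) -> dict:
    """hosts maps host name -> authorized_keys text. Returns fingerprint -> where the key is authorized."""
    inventory = {}
    for host, text in hosts.items():
        for options, keytype, b64, comment in parse_authorized_keys(text):
            if embedded_key_type(b64) != keytype:
                continue  # malformed line: the blob does not carry the declared type
            entry = inventory.setdefault(fingerprint(b64), {
                "type": keytype, "comments": set(), "hosts": [], "unrestricted_on": []})
            entry["hosts"].append(host)
            if comment:
                entry["comments"].add(comment)
            if not options:
                entry["unrestricted_on"].append(host)
    return inventory


def widely_authorized(inventory: dict, min_hosts: int = 2) -> list:
    """Fingerprints of keys authorized on at least min_hosts hosts (sorted for stable output)."""
    return sorted(fp for fp, e in inventory.items() if len(e["hosts"]) >= min_hosts)


def _fake_ed25519_b64(seed: str) -> str:
    """Constructed sample blob in ssh-ed25519 wire layout (32 digest bytes, not a real key)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(seed.encode()).digest())
    return base64.b64encode(blob).decode()


KEY_SHARED = _fake_ed25519_b64("alice-everywhere")
KEY_DB_ONLY = _fake_ed25519_b64("alice-db-only")
KEY_DEPLOY = _fake_ed25519_b64("deploy-rsync")

# Constructed authorized_keys contents as they might be collected from three hosts.
SAMPLE_HOSTS = {
    "web1": f"ssh-ed25519 {KEY_SHARED} alice@laptop\n"
            f'command="/usr/bin/rsync --server -a . /srv/www",no-pty,no-agent-forwarding '
            f"ssh-ed25519 {KEY_DEPLOY} deploy\n",
    "web2": f"# managed by config management\nssh-ed25519 {KEY_SHARED} alice@laptop\n",
    "db1": f"ssh-ed25519 {KEY_SHARED} alice@laptop\nssh-ed25519 {KEY_DB_ONLY} alice@laptop (db only)\n",
}


if __name__ == "__main__":
    inv = key_inventory(SAMPLE_HOSTS)
    for fp in widely_authorized(inv):
        e = inv[fp]
        print(f"{fp} {e['type']} authorized on {e['hosts']}; unrestricted on {e['unrestricted_on']}")
```

Fed with real authorized_keys files, the output is the list of keys whose compromise would reach several hosts; those are the keys that most need to be passphrase-protected and kept out of forwarded agents.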