[PATCH] Caching passphrase in ssh-add.

David Woodhouse dwmw2 at infradead.org
Tue Jan 9 09:55:33 EST 2001


On Mon, 8 Jan 2001, Markus Friedl wrote:

> On Sun, Jan 07, 2001 at 10:03:58PM +0000, David Woodhouse wrote:
> >  2. Remember the last successful passphrase and attempt to use it on
> > 	subsequent key files which are added.
>
> i don't like this feature. i don't want to encourage people
> to reuse the same passphrase for different keys.

That's reasonable, I suppose, but in this case these keys are used for
_identical_ purposes, and distributed as a pair, one RSA and one DSA, so
that it doesn't matter whether today's particular combination of
client/server versions is using the V1 or V2 protocol. So I can revert to
protocol 1 when I want agent forwarding to work, etc. And when the
sysadmins of certain remote machines get round to upgrading, it'll
suddenly start using the DSA key instead of the RSA key for those boxes,
and I won't have to deal with it.

I suspect there are quite a few people now using pairs of RSA and DSA keys
in this manner. It's useful to be able to load them both at once without
having to repeat the passphrase, IMO.

We don't prohibit keys without passphrases. Surely it should be sufficient
to support it, but warn in the documentation that it's not advised for
maximal security?

> > Is the SSHv2 protocol fundamentally incapable of using RSA keys for
> > authentication, or is that (RSA on v2) a missing feature of OpenSSH?
>
> http://bass.directhit.com/openssh_snap supports RSA in V2 (but
> you need to generate a special RSA keys for v2).

Will those keys then be compatible with V1-only clients? Otherwise the
point is sort of lost :)

-- 
dwmw2