

Groups > comp.os.linux.security > #679

Re: Are ssh keys tied to a user or the originating machine?

From Richard Kettlewell <rjk@greenend.org.uk>
Newsgroups comp.os.linux.security
Subject Re: Are ssh keys tied to a user or the originating machine?
Date 2015-11-22 14:09 +0000
Organization terraraq NNTP server
Message-ID <87io4uxh14.fsf@mantic.terraraq.uk> (permalink)
References <95o6ic-7c8.ln1@myleafnode.oneyv.org>



JimR <NotReally@yahoo.com> writes:
> I'm trying to better understand ssh.
>
> User foo on machine bar generates a keypair, and provides the public
> key to remote user dokes on machine shme.  foo connects to dokes'
> account at shme, and everything is happy.
>
> Then user foo also has an account on machine baz.  He takes the
> private key he generated on machine bar, and copies it to machine baz.
> Can he connect to dokes on shme?  My limited testing suggests that it
> works. Is that a universal truth?
>
> Next, foo passes his private key to unrelated user thud on machine
> grunt.  thud installs the private key owned by foo.  Can thud now
> connect to user dokes on machine shme?

The keys are not ‘tied’ to anything.  When you permit access to a public
key (in .ssh/authorized_keys), any holder of the corresponding private
key can authenticate.

Copying private keys around is not a great strategy.  Consider what
happens when one of the accounts holding the private key is compromised.
Your response to this situation is to remove the corresponding key from
all .ssh/authorized_keys files; i.e. to revoke all access from that key
to anything.  If you have the same private key on multiple machines then
the effect is to revoke access from all those machines, even if only one
of them was compromised.

I’d suggest that the only good reason to do this is if there is some
difficulty with having multiple entries in (the equivalent of)
.ssh/authorized_keys.

In short, although the keys are not physically connected to a user or host,
it’s probably best to treat them as if they were.

> Next, replace the above ssh keys with PGP keys.  Do the same answers
> apply?

The same is true of PGP.  Any holder of a private key can create
signatures or decrypt received messages (assuming it is a
signature-capable or decryption-capable key, respectively).

-- 
http://www.greenend.org.uk/rjk/
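The revocation step described above (removing a compromised key from every authorized_keys file) is keyed on the public key itself, not on the comment or the machine it was copied to. The following is an added example, not code from the post or from OpenSSH: it parses authorized_keys content, computes OpenSSH-style SHA256 fingerprints, and revokes by fingerprint. The helper names, the constructed sample file and the ed25519 blobs are all assumptions made for illustration.

```python
import base64
import hashlib

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line: str):
    """Return (keytype, blob, comment) for a key line, else None.
    A leading options field (e.g. from="...",no-pty) is skipped by finding the
    first token that looks like a key type (a simplification: an option value
    containing a space-separated word starting with 'ssh-' would confuse it)."""
    tokens = line.strip().split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None

def revoke(authorized_keys: str, fp: str):
    """Drop every entry whose fingerprint equals fp -> (new_text, removed_comments)."""
    kept, removed = [], []
    for line in authorized_keys.splitlines():
        entry = parse_entry(line)
        if entry is not None and fingerprint(entry[1]) == fp:
            removed.append(entry[2])  # the comment is only a label, not an identity
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def ed25519_blob(pubkey: bytes) -> str:
    """Constructed helper: wire-format ssh-ed25519 blob for a 32-byte key."""
    wire = b"\x00\x00\x00\x0bssh-ed25519" + len(pubkey).to_bytes(4, "big") + pubkey
    return base64.b64encode(wire).decode()

# Constructed sample: foo's one private key was copied to bar and baz, so the
# same public key is listed twice under different comments and options.
KEY_FOO = ed25519_blob(b"\x01" * 32)
KEY_ALICE = ed25519_blob(b"\x02" * 32)
SAMPLE = "\n".join([
    "# dokes@shme authorized_keys (constructed sample)",
    f"ssh-ed25519 {KEY_FOO} foo@bar",
    f'from="10.0.0.5",no-pty ssh-ed25519 {KEY_FOO} foo@baz',
    f"ssh-ed25519 {KEY_ALICE} alice@laptop",
])
```

Calling `revoke(SAMPLE, fingerprint(KEY_FOO))` removes both foo entries at once: there is no way to cut off only the copy on baz, because the server only ever sees one public key.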
