Re: Multiple private keys



Richard E. Silverman wrote:
"efair" == efair <ed_fair@xxxxxxxxx> writes:

efair> Hi, I've been using ssh to access a remote server (server A)
efair> from my workstation. The admin of server A does not provide me a
efair> password, he prefers to use "shared secrets" for access control

Btw, this terminology is wrong -- this is not a shared-secret technique,
but rather public key (the whole point is that there *is* no shared secret
here).

efair> -- he creates a userid for me, generates a key pair, puts the
efair> public key in ~/.ssh/authorized_keys, provides me the userid
efair> and the private key; I copy the private key into id.rsa on my
efair> workstation, and I then ssh into server A. No password prompt
efair> appears.

... and little security appears, either. First, you should generate the
key yourself and send him the public part; there is no need for him to
ever see your private key. Second, if this is for interactive use
consider using ssh-agent instead:

Well, it's not such an uncommon technique. There are some advantages: the administrator can always re-publish the key to the same user, and ensure that the key has a passphrase, or is the correct RSA or DSA or whatever format they demand, and the admin can use the same key for testing things on their end.

But yeah, I agree that it's not ideal. The only big advantage is that you can make *sure*, if you're the admin publishing the key, that it has a passphrase at least to start.
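
The thread turns on whether a private key carries a passphrase. As an added example that is not part of the original posts, the Python below checks whether a private key file you hold is encrypted at rest, by reading the file's own headers rather than trying passphrases. It goes beyond the thread by covering the newer OpenSSH key format as well as legacy PEM; the function names and the sample keys are constructed for illustration and contain no real key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"

def read_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def is_passphrase_protected(key_text):
    """True if the private key text is encrypted at rest, False if it is not."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = read_string(blob, len(MAGIC))  # first field: cipher name
        return cipher != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True   # PKCS#8, encrypted
    if header == "-----BEGIN PRIVATE KEY-----":
        return False  # PKCS#8, plaintext
    if header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is announced in a Proc-Type header
        return any(ln.replace(" ", "") == "Proc-Type:4,ENCRYPTED" for ln in lines[1:])
    raise ValueError("unrecognised private key header")

def constructed_openssh_key(cipher, kdf):
    """Constructed sample: valid header fields, empty key sections, no real key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1) + s(b"") + s(b"")
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed legacy PEM samples (placeholder body, not real keys)
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                    "AAAA\n-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
```

The check only works on a private key file in hand; a server holding just the public key in authorized_keys has no way to tell whether the matching private key is protected.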