LinuxQuestions.org
Old 07-14-2011, 11:08 AM   #1
Cultist
Member
 
Registered: Feb 2010
Location: Chicago, IL
Distribution: Slackware64 14.1
Posts: 777

pgp/openSSH/etc, should I use a single public/private key pair or different ones?


Something I've been wondering about. I have a few different things that use keys. Off the top of my head, I can think of my phone's SSH client, email client, and PGP client, and two computers' email clients, IM client, and IIRC VPN client.

Would it be better to use a single secret/public pair and export it to each thing that requires it, or to generate a separate pair for each application? Is there any particular advantage to using separate ones instead of a single pair?
 
Old 07-14-2011, 02:50 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

One big disadvantage that I can think of with reuse is that if one becomes compromised or gets revoked, you have lost all of them. If you use a password, which gets recursed into the key, and someone gets the password, they would then also have access to all of these services.

Aside from that, I suspect that there are some differences in the key style and format for the different applications, but I am not as knowledgeable about this as I would like to be.
 
Old 07-14-2011, 03:07 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Quote:
Originally Posted by Cultist
Is there any particular advantage to using separate ones instead of a single pair?
Of course - using separate keypairs means you aren't betting the entire farm on your ability to protect all devices that share the private key. Phones are easily lost or stolen, for instance.

An exception to this may be your PGP mail encryption. If you intend to use the same email identity (read: same keypair) on multiple workstations, you'll need to have it available on each of those.
 
Old 07-15-2011, 06:29 AM   #4
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 13.1
Posts: 1,320

Quote:
Originally Posted by anomie
Of course - using separate keypairs means you aren't betting the entire farm on your ability to protect all devices that share the private key. Phones are easily lost or stolen, for instance.

An exception to this may be your PGP mail encryption. If you intend to use the same email identity (read: same keypair) on multiple workstations, you'll need to have it available on each of those.
I agree with that: one keypair per device and the private key should never leave the device. You just have a couple of entries in your ~/.ssh/authorized_keys but can also easily remove one if a device got stolen. And use a passphrase for the ssh-key maybe with an ssh-agent to make usage more handy.

I would really like it if I could see in the public part of the keypair whether a user used a passphrase or not. As an admin you don't know whether the user removed the passphrase, although you created the keypair with a passphrase during setup with them.
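Added example, not part of any post in this thread: a parser for the one-key-per-device `authorized_keys` layout described above, which lists each entry by SHA256 fingerprint (the form current `ssh-keygen -l` prints) and removes only the stolen device's line. The key blobs, the `user@...` comments and the function names are constructed for the illustration; the parsed fields also show that a public entry carries nothing about a passphrase.

```python
import base64, hashlib, struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")

def constructed_blob(seed):
    """CONSTRUCTED ssh-ed25519 public blob for the demo; not a real key."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(raw).decode()

def parse_entry(line):
    """Parse one authorized_keys line; None for blanks, comments, junk."""
    if line.lstrip().startswith("#"):
        return None
    fields = line.split()
    for i, tok in enumerate(fields[:-1]):
        if tok not in KEY_TYPES:
            continue  # still inside the optional leading options field
        try:
            raw = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        if raw[4:4 + len(tok)] != tok.encode():
            continue  # blob must name the same key type
        digest = base64.b64encode(hashlib.sha256(raw).digest()).decode()
        # A public entry holds options, type, blob and comment only;
        # nothing in it records whether the private key has a passphrase.
        return {"options": " ".join(fields[:i]), "type": tok,
                "fingerprint": "SHA256:" + digest.rstrip("="),
                "comment": " ".join(fields[i + 2:])}
    return None

def revoke(text, fingerprint):
    """Drop every entry with this fingerprint; keep all other lines."""
    kept, removed = [], []
    for line in text.splitlines():
        entry = parse_entry(line)
        hit = entry is not None and entry["fingerprint"] == fingerprint
        (removed if hit else kept).append(line)
    return "\n".join(kept) + "\n", removed

LAPTOP, PHONE = constructed_blob(b"laptop"), constructed_blob(b"phone")
SAMPLE = ("# one key per device (constructed sample)\n"
          f"ssh-ed25519 {LAPTOP} user@laptop\n"
          f'from="192.0.2.7",no-port-forwarding ssh-ed25519 {PHONE} user@phone\n')

if __name__ == "__main__":
    phone = parse_entry(SAMPLE.splitlines()[2])
    print("revoking", phone["fingerprint"], phone["comment"])
    print(revoke(SAMPLE, phone["fingerprint"])[0], end="")
```

Matching on the fingerprint rather than the trailing comment means the right key is removed even when two entries share a label or a comment was edited by hand.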
 
  


All times are GMT -5.