views:

48

answers:

1

With the increasing use of Git or SSH copying or login, we can use just 1 pair of public and private keys, or we probably can create different pairs on different machines, such as 1 for the notebook and 1 for the desktop, and 1 for the Virtual Machine.

Should we use 1 pair or should we use multiple pairs?

If we use just 1 pair, then we need to copy the 2 files (public and private) over to other machines, and we need to make sure we don't do it by FTP, or else that info may leak out to the public?

Even if we use SFTP, we need to set up the server on the machines where we want to transfer from/to... or is there a better method?

In general, do most programs and systems allow the users to have multiple SSH keys? For example, when we use a GitHub account, or Heroku, do the systems have a convention that they allow a user to use multiple SSH keys to identify the same person?

I think if we use multiple keys, there might be a slight issue that if we create such keys on Ubuntu 10.04, and then install Ubuntu 10.10 later and create new keys, then very soon, we may have keys that we don't know where they are from, such as a pair that was from Ubuntu 8.04 and we didn't know about it.

A: 

The rules for SSH keys are simple:

  • Generate a new public/private key pair for every machine you intend to authenticate.
  • Never copy a private key on to another machine, neither by network nor removable media nor any other method you can think of.
  • Never share a password or passphrase with anyone, and never write them down.
  • If you suspect a key has been compromised, generate a new one. The only cost is updating services that have the public key.
Ether
Thanks. For your first 2 rules, is it by personal experience or is it from some source of the SSH organization? So is it true that if your machine is accessible even for 1 minute to somebody, he or she can email or wget and attach your private key in the URL to some website, and then it will be as if your password is made known to somebody?
動靜能量
@Jian: the first two are general rules that are often cited; a private key is intended to authenticate a particular user on a particular machine, so 1. it doesn't really make sense to transfer it elsewhere, and 2. yes, you can never be sure if your private key is compromised if you put it somewhere where it can be copied.
Ether