Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 21135 - ssh-add with no args doesn't attempt to use same passphrase for both RSA and DSA keys
ssh-add with no args doesn't attempt to use same passphrase for both RSA and ...
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: openssh (Show other bugs)
7.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-11-20 12:58 EST by David Woodhouse
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-11-20 12:58:28 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch to provide requested functionality (1.78 KB, patch)
2001-01-07 17:15 EST, David Woodhouse 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description David Woodhouse 2000-11-20 12:58:25 EST 
On most machines I now have both RSA and DSA keys, for connecting to SSHv1
or SSHv2 hosts respectively. I tend to give the keys the same passphrase -
I'm sure many people do the same. 

When adding both RSA and DSA keys, I believe ssh-add should attempt to
re-use the first passphrase given for the second key, and only prompt for a
second time if it fails.
Comment 1 Nalin Dahyabhai 2000-11-20 15:42:32 EST 
After a passphrase is read in and ssh-add attempts to use it to decrypt a key
file, it takes care to clear the memory used.  This leads me to believe that
reusing passphrases in this manner would be a Bad Thing.
Comment 2 David Woodhouse 2001-01-07 17:11:46 EST 
Remembering the passphrase for the duration of a single invocation of ssh-add
wouldn't open any new vulnerability. If you're paranoid about an attacker being
able to control/crash ssh-add and read the passphrase then the same applies to
getting decrypted keys from ssh-agent and you shouldn't be using them at all.
Comment 3 David Woodhouse 2001-01-07 17:15:04 EST 
Created attachment 7207 [details]
patch to provide requested functionality
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.