Bug 21135 - ssh-add with no args doesn't attempt to use same passphrase for both RSA and DSA keys
Summary: ssh-add with no args doesn't attempt to use same passphrase for both RSA and ...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: openssh
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2000-11-20 17:58 UTC by David Woodhouse
Modified: 2008-05-01 15:37 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2000-11-20 17:58:28 UTC
Embargoed:


Attachments
patch to provide requested functionality (1.78 KB, patch)
2001-01-07 22:15 UTC, David Woodhouse
no flags

Description David Woodhouse 2000-11-20 17:58:25 UTC
On most machines I now have both RSA and DSA keys, for connecting to SSHv1
or SSHv2 hosts respectively. I tend to give the keys the same passphrase -
I'm sure many people do the same.

When adding both RSA and DSA keys, I believe ssh-add should attempt to
re-use the first passphrase given for the second key, and only prompt for a
second time if it fails.

Comment 1 Nalin Dahyabhai 2000-11-20 20:42:32 UTC
After a passphrase is read in and ssh-add attempts to use it to decrypt a key
file, it takes care to clear the memory used.  This leads me to believe that
reusing passphrases in this manner would be a Bad Thing.
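
The behaviour requested in the description, together with the clearing step raised in comment 1, as an added simulation that is not part of this bug report, the attached patch, or OpenSSH itself. Key files and their decryption are stand-ins: each "key" is an entry in a constructed dictionary and `try_decrypt()` merely compares strings, while `add_keys()` carries the reuse-then-reprompt logic and drops the cached passphrase before it returns.

```python
"""Added example (not OpenSSH code): simulate ssh-add reusing the first
passphrase for later keys and prompting again only when it fails.
Key store, try_decrypt() and the prompt callback are constructed stand-ins."""

from typing import Callable, Iterable, Optional

# Constructed sample key store: key name -> passphrase protecting it.
SAMPLE_KEYS = {
    "id_rsa": "correct horse",
    "id_dsa": "correct horse",     # same passphrase as the RSA key
    "id_other": "battery staple",  # a key with a different passphrase
}


def try_decrypt(keyname: str, passphrase: str) -> bool:
    """Stand-in for decrypting a key file; True if the passphrase fits."""
    return SAMPLE_KEYS.get(keyname) == passphrase


def add_keys(keynames: Iterable[str], prompt: Callable[[str], str],
             reuse: bool = True, max_tries: int = 3):
    """Load each key, trying the last good passphrase first when `reuse` is set.

    Returns (loaded, prompts): the key names successfully 'added' and how
    many times the user was asked for a passphrase.  The cached passphrase
    exists only for the duration of this call.
    """
    cached: Optional[str] = None
    loaded, prompts = [], 0
    try:
        for name in keynames:
            # First attempt: silently reuse the passphrase that last worked.
            if reuse and cached is not None and try_decrypt(name, cached):
                loaded.append(name)
                continue
            # Otherwise prompt, as ssh-add does for every key today.
            for _ in range(max_tries):
                candidate = prompt(f"Enter passphrase for {name}: ")
                prompts += 1
                if try_decrypt(name, candidate):
                    loaded.append(name)
                    cached = candidate
                    break
    finally:
        # Drop the cached passphrase once all keys are handled.  Python cannot
        # zero the string's memory; the C implementation clears its buffer
        # explicitly (memset/explicit_bzero) after each use.
        cached = None
    return loaded, prompts


def scripted_prompt(answers):
    """Build a prompt callback that returns constructed answers in order."""
    it = iter(answers)
    return lambda _msg: next(it)


if __name__ == "__main__":
    keys = ["id_rsa", "id_dsa", "id_other"]
    # With reuse: one prompt covers both RSA and DSA keys, one more for the third.
    print(add_keys(keys, scripted_prompt(["correct horse", "battery staple"])))
    # Without reuse: every key prompts, even when the passphrase is the same.
    print(add_keys(keys, scripted_prompt(["correct horse"] * 2 + ["battery staple"]),
                   reuse=False))
```

With reuse enabled the RSA and DSA keys cost a single prompt; the third key, protected differently, falls back to prompting, and a key whose passphrase is never supplied is skipped after `max_tries` attempts rather than blocking the others.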

Comment 2 David Woodhouse 2001-01-07 22:11:46 UTC
Remembering the passphrase for the duration of a single invocation of ssh-add
wouldn't open any new vulnerability. If you're paranoid about an attacker being
able to control/crash ssh-add and read the passphrase then the same applies to
getting decrypted keys from ssh-agent and you shouldn't be using them at all.


Comment 3 David Woodhouse 2001-01-07 22:15:04 UTC
Created attachment 7207
patch to provide requested functionality

