On Thu, 2011-10-13 at 10:43 +0200, Gerd Hoffmann wrote:
> Hi,
>
> > Sure, ssh keys are much harder to compromise than passwords, but
> > _assuming a compromise has happened_ the consequences of using a single
> > key for everything are just as bad as using a single password for
> > everything.
>
> One ssh key per project doesn't make sense at all to me. They all would
> be on my laptop, and in case it gets compromised the attacker can easily
> snatch all the keys.

I didn't claim it was necessarily a great approach. I simply disputed a
bald assertion that there was absolutely zero exposure difference
between using a single key for everything and using multiple keys. I
never claimed that 'you should use multiple keys' or 'it's best security
practice to use multiple keys' or anything like that; I simply took
exception at the suggestion that there was absolutely no difference
between the scenarios.

> One ssh key per machine makes a lot more sense. For outgoing ssh
> connections from -- say -- shell.fedoraproject.org I wouldn't just copy
> my private key from my laptop but generate a new one, then add it to
> authorized_keys where needed.

That's a sensible approach, sure.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net