dsa vers rsa ssh key

nega at exmachinae.net nega at exmachinae.net
Sun Apr 3 21:48:06 PDT 2005

Jason M. Leonard writes:

 > An ssh identity file (such as id_dsa) contains a single key.
 > Why do you want to do this?  You're pretty sure you are you, right?  And 
 > you're pretty sure you should be allowed to access both sets of machines, 
 > right?  If what you want to accomplish is to allow other users to access 
 > your work machines, make additional entries for their public keys in the 
 > target host's authorized_keys file.

What if you don't control the key policy of the machines you want to
connect to? What if you typically use a key size of 1024 bits, but the
remote machine requires a key size of 2048 bits? What if you want
access to my machine, but I provide you with the key? What if you're
paranoid and want to have a different key (and hopefully different
passphrase) for each machine you want to connect to?

 > If you really want to do it the way you describe, the easiest way is to 
 > use RSA keys for one (id_rsa) and DSA keys for the other (id_dsa)--ssh 
 > will do the right thing with no additional options.  To get fancier, see 
 > the -i option in the man page.

That's not necessary. You can have a gazillion different DSA keys, as
long as they all have different filenames.

Also, the ssh/scp(1) option '-i' isn't necessary if you take the trouble
to create your ~/.ssh/config file. Using the 'IdentityFile' directive
you can specify which key file to use for which host. For instance:

Host =
  Protocol = 1,2
  IdentifyFile = ~/.ssh/nega at rsa1

Host =
  IdentifyFile = ~/.shh/nega at iddsa

Host = *
Protocol = 2,1

The above means:

1) when connecting to .1 use protocol 1 first, and use the key-file
   '~/.ssh/nega at rsa1'.  (Note: ssh uses ~/.ssh/identify as the default
   RSA1 key)

2) when connecting to .170 use the key-file '~/.ssh/nega at iddsa'.
   (Note: ssh uses ~/.ssh/id_dsa as the default DSA key)

3) all other hosts, use protocol 2 before protocol 1

Something to take note of: ssh will use ~/.ssh/id_rsa before using
~/.ssh/id_dsa if both exist.

I'm refering to OpenSSH when I say 'ssh'

More information about the Users mailing list