dsa vers rsa ssh key

Jason M. Leonard fuzz at ldc.upenn.edu
Sun Apr 3 22:56:55 PDT 2005

On Mon, 4 Apr 2005 nega at xxxxxxxxxxxxxx wrote:

> Jason M. Leonard writes:
>> An ssh identity file (such as id_dsa) contains a single key.
>> Why do you want to do this?  You're pretty sure you are you, right?  And
>> you're pretty sure you should be allowed to access both sets of machines,
>> right?  If what you want to accomplish is to allow other users to access
>> your work machines, make additional entries for their public keys in the
>> target host's authorized_keys file.
> What if you don't control the key policy of the machines you want to
> connect to? What if you typically use a key size of 1024 bits, but the
> remote machine requires a key size of 2048 bits? What if you want
> access to my machine, but I provide you with the key? What if you're
> paranoid and want to have a different key (and hopefully different
> passphrase) for each machine you want to connect to?

I was not referring to theoretical situations; my questions were directed 
at the original poster, who only just now discovered the difference 
between DSA and RSA.  The simple solution is usually the right one, and it 
sounds to me like he is trying to make his life more complicated than it 
needs to be.  The average user sees no security benefit from maintaining 
multiple sets of credentials, for them maintaining a list of strong 
passphrases for each machine they connect to is absurdly complex.  My 
users (we use Kerberos tickets rather than ssh keys, but the same applies) 
connect to any of several dozen machines in the course of a day; they 
would revolt if I even suggested they maintain separate credentials for 

>> If you really want to do it the way you describe, the easiest way is to
>> use RSA keys for one (id_rsa) and DSA keys for the other (id_dsa)--ssh
>> will do the right thing with no additional options.  To get fancier, see
>> the -i option in the man page.
> That's not necessary. You can have a gazillion different DSA keys, as
> long as they all have different filenames.

It isn't necessary; it is, as I said, the easiest way.  It requires no 
additional flags to ssh, nor any tweaking of any configuration files: 
drop the two keys in ~/.ssh and it Just Works.
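As an added illustration of the second approach the thread mentions (several keys under different filenames, selected without typing -i each time), here is a ~/.ssh/config fragment; it is not from either poster, and the host names, user names and key filenames are made up for the example.

```ssh_config
# ~/.ssh/config (example; host names and filenames are invented)
#
# With no config and no -i, ssh looks for the default identity files
# (~/.ssh/id_rsa, ~/.ssh/id_dsa, ...) and offers each one in turn, which
# is why "one RSA key plus one DSA key" needs no options at all.
# Once you keep more keys than that, name them per destination and
# pin each one here so the right key is offered to the right host.

Host work
    HostName work.example.com
    User jsmith
    IdentityFile ~/.ssh/id_rsa_work
    # Offer only the key named above, not every key ssh can find.
    # Without this, a host that counts each rejected key as a failed
    # attempt can lock you out before the correct key is tried.
    IdentitiesOnly yes

Host client-box
    HostName shell.client.example.org
    User contractor
    # A key the remote admin issued to you (their policy, their key size).
    IdentityFile ~/.ssh/id_rsa_client_issued
    IdentitiesOnly yes

Host legacy-dsa
    HostName old.example.net
    User jsmith
    # A DSA identity kept for one old host only. Note that current OpenSSH
    # releases no longer accept ssh-dss by default, so a DSA-only host
    # should be treated as a migration item, not a long-term setup.
    IdentityFile ~/.ssh/id_dsa_legacy
    IdentitiesOnly yes

# Anything not matched above falls back to the default identity files.
Host *
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_dsa
```

With this in place, `ssh work` and `ssh client-box` each present exactly one key, and a new destination is added by generating a key under a fresh filename (ssh-keygen -f ~/.ssh/id_rsa_newhost) and adding one more Host stanza.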

