[Cryptography] Secure universal message addressing
Ángel González
angel at crypto.16bits.net
Thu Apr 7 17:11:59 EDT 2016
On 2016-04-05 at 18:46 +0200, Ralf Senderek wrote:
>
> On Tue, 5 Apr 2016, John Gilmore wrote:
>
> >
> > The key idea here is a bad idea.
> >
> > ssh public key authentication has this problem too. Its default is
> > to assume that you want to use your same local identification to
> > identify you to every remote site that you try to access. What a
> > clueless idea. Luckily, ssh has survived despite this. If you
> > avoid its whole public-key-per-user aspect, you can use it reliably
> > with usernames and passwords, different on every site.
> Or a different public-key per server, all you have to add is a switch
> "-i differentprivatekey" to your ssh command (and disable password
> access altogether on the server).
>
> --ralf

The best way is to remove your keys from the default locations and
configure them in ~/.ssh/config:

Host host1.example.com
    User john
    IdentityFile /path/to/key-host1
    IdentitiesOnly yes

Host host2.example.org
    User jdoe
    IdentityFile /path/to/key-host2
    IdentitiesOnly yes

...and so on

NB that without IdentitiesOnly, the keys on your agent are tested
before the one provided in the config file or command line.
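
Added example, not part of the original message: a small audit for the configuration described above, listing hosts that pin an IdentityFile but would still offer agent keys because no IdentitiesOnly yes applies to them. The function names and the sample config are assumptions made for illustration; Match blocks and Include files are not evaluated.

```python
import fnmatch
import re

# Constructed sample config; host names and key paths are placeholders.
SAMPLE = """\
Host host1.example.com
    IdentityFile /path/to/key-host1
    IdentitiesOnly yes
Host host2.example.org
    IdentityFile /path/to/key-host2
Host host3.example.net
    IdentityFile /path/to/key-host3
Host *.example.net
    IdentitiesOnly yes
"""

def parse(text):
    """Split config text into (patterns, options) blocks; block 0 is the preamble."""
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        m = re.match(r"([A-Za-z]+)\s*(?:=\s*|\s+)(.+)", raw.strip())
        if not m:
            continue  # blank line, comment, or not a keyword line
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            blocks.append((value.split(), []))
        elif key == "match":
            blocks.append(([], []))  # Match blocks are not evaluated: never apply
        else:
            blocks[-1][1].append((key, value))
    return blocks

def applies(patterns, host):
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def audit(text):
    """Return literal hosts with IdentityFile set but no effective IdentitiesOnly yes."""
    blocks = parse(text)
    hosts = [p for pats, _ in blocks for p in pats if not re.search(r"[*?!]", p)]
    findings = []
    for host in dict.fromkeys(hosts):
        opts = [kv for pats, options in blocks if applies(pats, host) for kv in options]
        pinned = any(k == "identityfile" for k, _ in opts)
        only = next((v for k, v in opts if k == "identitiesonly"), "no")  # first value wins
        if pinned and only.lower() != "yes":
            findings.append(host)
    return findings
```

To check a real file, pass its contents to audit(); on the sample above it reports only host2.example.org.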