Re:Re: ... about SSH

Continued Conversation

In response to HanzBrix

What does it actually accomplish? If we assume a bad actor got onto your device, they managed to get your passphrase as well. In what scenario would the bad actor not have the passphrase for the second key as well?

It sounds to me like you're breaking the cardinal rule of passwords: NEVER USE THE SAME PASSWORD EVER!!!

In all seriousness though, every key should have its own password, and every client has its own set of keys. In most cases you won't know about a security breach until a key is used, and at that point it's just good policy to change all keys and all passwords on everything, since you can't really know what it is the bad actors know.

But this also speaks to how conservative actions reduce your attack vector. There is no reason to have a key on a given client if you never interact with the service from it. You would never have SCM keys on the server you deploy to. There is no reason your webhost would need to commit code changes. Same goes for your other systems. Don't put keys on your cell phone if you have no justification to ever access your server from it.

$ published: 2024-10-08 18:45 $

$ tags: #unix $

-- CC-BY-4.0 jecxjo 2024-10-08
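As an added example (not from jecxjo's post or the rest of the thread), here is a small Python checker for the point that every key should carry its own passphrase: it reads the header of an OpenSSH-format private key file and reports whether the key is unencrypted (cipher and KDF both `none`) or passphrase-protected. The sample key files are constructed, header-only fixtures built by `make_sample_key`, not real keys.

```python
import base64
import struct

# Leading bytes of every "-----BEGIN OPENSSH PRIVATE KEY-----" file.
MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one uint32-length-prefixed string starting at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_protection(pem_text):
    """Return (ciphername, kdfname) from an OpenSSH private key file."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if (lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----"
            or lines[-1] != "-----END OPENSSH PRIVATE KEY-----"):
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic; not openssh-key-v1")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)   # "none" when the key is in the clear
    kdf, off = _read_string(blob, off)      # "bcrypt" when a passphrase was set
    return cipher.decode(), kdf.decode()


def is_passphrase_protected(pem_text):
    cipher, kdf = key_protection(pem_text)
    return cipher != "none" and kdf != "none"


def audit(keys):
    """Given {name: file text}, return the names of keys with no passphrase."""
    return [name for name, pem in keys.items() if not is_passphrase_protected(pem)]


def _string(b):
    return struct.pack(">I", len(b)) + b


def make_sample_key(cipher, kdf):
    """CONSTRUCTED fixture: only the header fields a checker reads, no key material."""
    blob = MAGIC + _string(cipher.encode()) + _string(kdf.encode()) + _string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample set: one key per client, one of them saved without a passphrase.
SAMPLE_KEYS = {
    "id_ed25519_laptop": make_sample_key("aes256-ctr", "bcrypt"),
    "id_ed25519_phone": make_sample_key("none", "none"),
}
```

Running `audit(SAMPLE_KEYS)` names `id_ed25519_phone` as the key to either re-encrypt with its own passphrase or remove from a client that has no business holding it.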
