需要单独的SSH认证和SSH-Git签名密钥吗?

huangapple go评论76阅读模式
英文:

Do I need a separate ssh authentication and ssh-git signing keys?

问题

"Is it make sense?

Or using one SSH key for both purposes is secure?"

这两句句子的中文翻译如下:

"这有意义吗?

还是使用同一把SSH密钥安全吗?"

英文:

Is it make sense?

Or using one SSH key for both purposes is secure?

答案1

得分: 2

这有点取决于你的目标。

从技术角度来看,你可以使用相同的密钥来进行SSH身份验证和SSH数据签名,因为它们都涉及数字签名的应用,OpenSSH使用域分隔的方式来避免混淆。

在某些情况下,你可能希望拥有一个长期的签名密钥,用于比典型的身份验证密钥更长时间的用途(通常情况下,我在获得新笔记本电脑时会更换身份验证密钥)。 在这种情况下,最好将它们分开。 另一个需要将它们分开的情况是,如果你的签名密钥存储在YubiKey或类似的安全密钥上,而身份验证密钥则不在其中。

还要注意,你需要格外小心保护用于签名的密钥,因为身份验证签名会很快过期(与SSH连接一起),而Git提交可能需要在未来数年内进行验证。 但是,假设你采取了这些预防措施,没有理由不使用相同的密钥来进行两者。

英文:

It kind of depends on what your goal is.

There's no technical reason you can't use one key for both. SSH authentication and SSH data signing are both applications of digital signatures, and the way signatures are done with OpenSSH avoids confusion between the two since domain separation is used.

In some cases, you might want a long-term signing key that you plan to use longer than a typical authentication key (I typically rotate authentication keys every time I get a new laptop). In such a case, it would make sense to have them be separate. Another case where it might make sense to have them separate is if your signing key is on a YubiKey or similar security key, and your authentication key is not.

Note also that you'll want to take extra care to protect any key you use for signing since authentication signatures expire quickly (with your SSH connection), whereas Git commits may need to be verified years later. However, assuming you do so, there's no reason you can't use the same key for both.

答案2

得分: 0

GitHub文档“关于提交签名验证”包括:

SSH签名是最简单生成的。
您甚至可以上传您现有的身份验证密钥到GitHub,也用作签名密钥。

这意味着您可以同时使用一个密钥。

生成GPG签名密钥比生成SSH密钥更复杂,但GPG具有SSH不具备的功能。
GPG密钥可以在不再使用时过期或被撤销。
GitHub会显示使用这种密钥签名的提交为“已验证”,除非该密钥被标记为受损。
SSH密钥没有这个能力。

这就是为什么我总是更喜欢每个任务使用一个SSH密钥。
如果一个密钥出现问题,我至少知道它是用来做什么的。

英文:

The GitHub documentation "About commit signature verification" includes:

> SSH signatures are the simplest to generate.
You can even upload your existing authentication key to GitHub to also use as a signing key.

Meaning, you can use one key for both.

> Generating a GPG signing key is more involved than generating an SSH key, but GPG has features that SSH does not.
A GPG key can expire or be revoked when no longer used.
GitHub shows commits that were signed with such a key as "Verified" unless the key was marked as compromised. SSH keys don't have this capability.

That is why I always prefer using one SSH key per task. If there is an issue with one key, I know at least what it was used for.

huangapple
  • 本文由 发表于 2023年3月20日 23:48:13
  • 转载请务必保留本文链接:https://go.coder-hub.com/75792454.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定