ssh security question

General Schvantzkoph
      11-14-2011, 06:15 PM
I just regenerated the keys on one of my F14 systems. I am still able to
access systems which don't have the new public key in their
authorized_keys file. The one thing I did differently this time was that I
did an ssh-add after I regenerated the keys. I did the ssh-add because
putting the new public key into the authorized_keys files of my other
systems wasn't sufficient to give me access. After the ssh-add I could
access the other systems, however I could also access systems that don't
have the new authorized_keys file.

Does ssh-add keep the old keys in the authentication agent as well as the
new key? This would negate the value of changing keys if true.

Jorgen Grahn
      11-14-2011, 07:02 PM
On Mon, 2011-11-14, General Schvantzkoph wrote:
....
> Does ssh-add keep the old keys in the authentication agent as well as the
> new key?


Ask your agent: ssh-add -l

> This would negate the value of changing keys if true.


If you delete your old key and plan to keep the agent running for a
long time, you should probably remove the old key from the agent too,
yes. Once again, use ssh-add to do that.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
Richard Kettlewell
      11-14-2011, 08:05 PM
General Schvantzkoph writes:
> I just regenerated the keys on one of my F14 systems. I am still able to
> access systems which don't have the new public key in their
> authorized_keys file. The one thing I did differently this time was that I
> did an ssh-add after I regenerated the keys. I did the ssh-add because
> putting the new public key into the authorized_keys files of my other
> systems wasn't sufficient to give me access. After the ssh-add I could
> access the other systems, however I could also access systems that don't
> have the new authorized_keys file.
>
> Does ssh-add keep the old keys in the authentication agent as well as the
> new key? This would negate the value of changing keys if true.


I disagree. If you want to revoke the old key, you need to remove its
public half from all the authorized_keys files that list it.

--
http://www.greenend.org.uk/rjk/
David Schwartz
      12-01-2011, 09:37 PM
On Nov 14, 11:15 am, General Schvantzkoph <schvantzk...@yahoo.com> wrote:

> Does ssh-add keep the old keys in the authentication agent as well as the
> new key? This would negate the value of changing keys if true.


There's no point in changing keys. The point is in changing *locks*.
Sure, if you change the locks on your back door, there's no security
advantage to throwing away the key to your front door. But if you
change *locks* so that only a new key is accepted *by* *the* *lock*,
then there's a security advantage.

Throwing away a key conveys no security advantage. That is correct.

DS
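The thread's conclusion is that rotating a key only helps once the old public half is gone from every authorized_keys file that lists it, and then from the running agent. The helper below is an added example (not code from any poster) that does the file side: it strips every line whose "keytype base64" pair matches the old public key, ignoring comments and leading options such as command="...". The file names and the sample keys are constructed placeholders.

```shell
#!/bin/sh
# revoke_key OLD_PUB AUTHORIZED_KEYS
# Removes every line in AUTHORIZED_KEYS whose key type + base64 blob equals
# the key in OLD_PUB. Comments and leading options (command=, from=, ...)
# are ignored, so a restricted copy of the same key is removed too.
# Exit status 0 if at least one line was removed, 1 if the key was absent.
revoke_key() {
    blob=$(awk '{ print $1 " " $2; exit }' "$1")
    tmp="$2.tmp.$$"
    awk -v blob="$blob" '
        {
            keep = 1
            for (i = 1; i < NF; i++)
                if (($i " " $(i + 1)) == blob) { keep = 0; break }
            if (keep) print
        }' "$2" > "$tmp"
    before=$(wc -l < "$2"); after=$(wc -l < "$tmp")
    mv "$tmp" "$2"
    [ "$after" -lt "$before" ]
}

# demo: constructed sample data (these are NOT real keys; real blobs are far
# longer). Revokes the old key and returns 0 if only the new key remains.
demo() {
    d=$(mktemp -d) || return 1
    echo 'ssh-rsa AAAAB3OLDKEYBLOB== user@old-f14' > "$d/old.pub"
    cat > "$d/authorized_keys" <<'EOF'
ssh-rsa AAAAB3OLDKEYBLOB== user@old-f14
command="/usr/bin/backup" ssh-rsa AAAAB3OLDKEYBLOB== restricted-copy
ssh-rsa AAAAB3NEWKEYBLOB== user@new-f14
EOF
    revoke_key "$d/old.pub" "$d/authorized_keys" || return 1
    cat "$d/authorized_keys"
    [ "$(wc -l < "$d/authorized_keys")" -eq 1 ] \
        && grep -q 'NEWKEYBLOB' "$d/authorized_keys"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Agent side, per the thread (needs a live ssh-agent, so not run here):
#   ssh-add -l                   # list the identities the agent still offers
#   ssh-add -d ~/.ssh/old_key    # drop the old identity (reads old_key.pub)
```

Run revoke_key against each host's authorized_keys in turn; the exit status tells you whether that host was still trusting the old key.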