
FIDO prompts weirdness?
Hi,

while working on the WinHello extension to OpenSSH, I just noticed for
the first time that the prompts for a key differ in how they identify
the key:

$ ./ssh server
Enter PIN for ED25519-SK key /home/user/.ssh/id_ed25519_sk:
Confirm user presence for key ED25519-SK SHA256:DHNZMpmDM7HQLUgdn6JUgUf6wwuC4DHsnrmXubxfs98

So the PIN prompt identifies the key by filename, while the user
presence prompt identifies the key by its fingerprint.

Isn't that a bit puzzling to the user? Wouldn't it make more sense to
use the same identification string, be it either the filename, or the
fingerprint, but not both?

If my question makes any sense at all, I would prefer the filename.
It's much easier to recognize than a fingerprint.


Thanks,
Corinna

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: FIDO prompts weirdness?
On 17.08.22 12:22, Corinna Vinschen wrote:
> So the PIN prompt identifies the key by filename, while the user
> presence prompt identifies the key by its fingerprint.
>
> Isn't that a bit puzzling to the user? Wouldn't it make more sense to
> use the same identification string, be it either the filename, or the
> fingerprint, but not both?
>
> If my question makes any sense at all, I would prefer the filename.
> It's much easier to recognize than a fingerprint.

There actually is a more general context (beyond FIDO and other secure
storage forms of keypairs) to that. Observe:

> $ ssh-add .ssh/id_ed25519
> Enter passphrase for .ssh/id_ed25519:
> Identity added: .ssh/id_ed25519 (Jochen.Bern+ed25519@Binect.de)

> $ ssh-add -l
> 256 SHA256:hs4PHi7JJYXm+7jRxoHy2PYmBlVQNZw7eRYba3IExss Jochen.Bern+ed25519@Binect.de (ED25519)

So, file, file+comment, (size+)fingerprint+comment(+type).

Of course, as soon as an SSH agent comes into play, the name of the file
the (priv)key(pair) was originally loaded from is likely forgotten. Or,
if the agent is forwarded, outright meaningless. And we all know that
the comment is trivial to change (the key type wasn't in there when I
*created* the keypairs, I added it when I found that it helps telling
multiple keypairs apart when sshaskpass makes an appearance - stating
comment+fingerprint). Which currently leaves the fingerprint as the
"best to handle"¹ *immutable* ID ...

(¹ Think "sshaskpass and a) entire pubkey in hex or b) ASCII art")

Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
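As an added illustration of the point made above (not code from the thread or from OpenSSH): the SHA256 fingerprint is computed over the raw key blob only, so editing the comment field leaves it unchanged, while any change to the key material changes it. The key bytes below are a constructed 32-byte placeholder, not a real Ed25519 key; only the wire format matters here.

```python
import base64
import hashlib
import struct

# Constructed placeholder for the 32-byte Ed25519 public point (NOT a real key).
_FAKE_POINT = bytes(range(32))


def ssh_string(data: bytes) -> bytes:
    """Encode one RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(key_type: str, point: bytes, comment: str) -> str:
    """Build an authorized_keys-style line: '<type> <base64 blob> <comment>'."""
    blob = ssh_string(key_type.encode()) + ssh_string(point)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str):
    """Split a public key line into (type, raw blob, comment).

    The type embedded inside the blob must match the leading type field;
    ssh-keygen rejects lines where they disagree."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + n].decode()
    if inner_type != key_type:
        raise ValueError(f"type mismatch: {key_type!r} vs {inner_type!r}")
    return key_type, blob, comment


def sha256_fingerprint(line: str) -> str:
    """OpenSSH 'SHA256:' fingerprint: base64 of SHA-256 over the raw blob,
    with the trailing '=' padding stripped, as ssh-keygen -l prints it."""
    _, blob, _ = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


if __name__ == "__main__":
    original = make_pubkey_line("ssh-ed25519", _FAKE_POINT, "user@host")
    renamed = make_pubkey_line("ssh-ed25519", _FAKE_POINT, "user@host (ED25519)")
    print(sha256_fingerprint(original))   # same value on both lines
    print(sha256_fingerprint(renamed))
```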