Solved SSH public-private keys management questions

mefizto

Well-Known Member

Reaction score: 11
Messages: 454

Greetings all,

I have switched from password based ssh(1) session establishment to public-private key based one. I have searched, but cannot find answer to the following questions.

1. After generating a public-private key pair and transmitting the public key to the remote host, do I delete the public key form the ~/.ssh/ directory at the local host?

2. Can I reuse the (same) public-private key pair for a plurality of hosts or is this a bed practice? If a different public-private key pair is to be used for each host, how do I select the correct key? Or is this handled automatically?

3. There are several public-private Host Keys in a /etc/ssh/ directory, which have been generated automatically. As I understand, they are used to authenticate the hosts. Same questions as in 2.

Kindest regards,

M
 

Bobi B.

Well-Known Member

Reaction score: 142
Messages: 336

  1. No point to do that, but you can always re-create public key from private one with ssh-keygen -y -f ~/.ssh/id_ed25519;
  2. Technically you can; it is a matter of a taste or a policy. To tell ssh(1) which key to use for respective host, add IdentityFile ~/.ssh/id_rsa-acme.com in host's configuration in ~/.ssh/config, or use -i command-line option ( ssh -i ~/.ssh/id_rsa-acme.com); check ssh_config(5);
  3. Host keys are in /etc/ssh. Their public keys are announced by sshd(8) to ssh clients to allow clients to authenticate the server; the idea is that client will remember server's public key and will expect the same public key on next connection. Even if someone manages to impersonate the server, in one way or another, they cannot provide the same public key or even if they do, they cannot decrypt data encrypted with that public key. You better leave /etc/ssh as it is :)
 

ekingston

Active Member

Reaction score: 57
Messages: 224

Greetings all,

I have switched from password based ssh(1) session establishment to public-private key based one. I have searched, but cannot find answer to the following questions.

1. After generating a public-private key pair and transmitting the public key to the remote host, do I delete the public key form the ~/.ssh/ directory at the local host?
Don't delete the public key from the host. You may want to use it to connect to other computers in the future.

2. Can I reuse the (same) public-private key pair for a plurality of hosts or is this a bed practice? If a different public-private key pair is to be used for each host, how do I select the correct key? Or is this handled automatically?
This is debatable. Most people I know have one public-private key pair that they use on all systems. Although they do have separate work vs personal key-pairs.

Personally, I generate a separate key pair for each device I have and add them all to the authorized_keys file on the servers I manage. I do this so that if a single device gets compromised, I only need to remove that key from the authorized_keys files on the servers. I don't have to re-generate and re-distribute to all devices. I also don't have any keys on my accounts on servers (although service accounts might).

3. There are several public-private Host Keys in a /etc/ssh/ directory, which have been generated automatically. As I understand, they are used to authenticate the hosts. Same questions as in 2.

Kindest regards,

M
Leave the host keys where they are. FreeBSD generates these automatically when you initially install the OS. So, they aren't generic.

If you are concerned, you can re-generate your host keys (see the sshd man page). Then you would also need to delete the old keys from your known_hosts file(s).
 

hukadan

Well-Known Member

Reaction score: 265
Messages: 414

Don't delete the public key from the host. You may want to use it to connect to other computers in the future.
I don't see the need to delete the public key. But if you do, you can still regenerate it using the private one. Per ssh-keygen(1):
-y This option will read a private OpenSSH format file and print an OpenSSH public key to stdout.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,423
Messages: 30,009

No need to delete the public key. The whole point of that key is that you can copy it everywhere, you can even post it to social media for the whole world to see. It's not the public key that provides the access, it's the combination of your private key and the public key that authenticates you.
 
OP
OP
M

mefizto

Well-Known Member

Reaction score: 11
Messages: 454

Hi SirDice,

thank you for the answer. I have a false impression that I understand how ssh works. My motivation was/is to decrease the clutter in my ~/.ssh, which contains ed25519 and rsa keys per server plus authorized_keys and known_hosts. And, since, as other participants have already noted one can regenerate the public key from the private key, I though that there is no reason to keep the public keys around.

Kindest regards,

M
 

thogard

New Member

Reaction score: 4
Messages: 12

Reducing clutter in ~/.ssh is a good thing.

Keys can open up risks that need to be addressed. Keys should only be used to pass one way through the security layers of a systems. So if and admin uses a key to go A->B->C, C should never have a key to B or A. A large number of mostly otherwise secure systems have been compromised because of loops of access via unprotected ssh keys. Someone gets one and bounces from host to host collecting more keys. It is very hard to audit a large group of systems to verify there aren't access loops which is why some places are now requiring keys and passwords for some hosts. Note that is different than a password protected key which the host can't verify.
 
Top