12

I have a script that I use to setup new slices on slicehost and one of the steps is to add my public key to the authorized_keys file. At the moment I scp a key manually, but ideally I would have the script download the key.

So if my public key was very public what's the worst that could happen ? :)

Peter Coulton
  • 231
  • 2
  • 7
  • You shouldn't forget that having a script download the key may introduce other security holes, in case someone manages to MitM your source server. – user1686 Apr 13 '10 at 16:19

5 Answers5

18

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtKYac1ZiC43jF6BdclPok0Yv2g4YecBVJ6a7qggOSGjRAxh2cckwCBUR6VoVc2vmt9tcHCLWuVVpKUTUynbMdWq8wOdbK7Ud7n63cpg1PL44Hg9Wn2kT/aJdMMABSE5wSNsffxslcoUhF4h0mHaf+X6E5IKVhhHsy2g1yeoc2//0Q5YPt5Kj72VY1j3aeZ8a/tqSHu5rZpFYDddnv0ARWIgSvh7jUudKT9phLUiryX9TCyGVKFCrvVKwexjAmOz63pvWtX0TJughWskvDP1ZREkhjkxtCxofwn0NG1QSbbEgGYBLf3T1Pgfkhx83Uce01Aw1hBqdl228NRg0cv0KaQ==

Jeff Atwood
  • 13,104
  • 20
  • 75
  • 92
einstiien
  • 2,568
  • 18
  • 18
14

There is a reason it is called a "Public Key" It is ment to be let out into the wild. the worst that could happen is that someone could encrypt files in such a way only your private key could decrypt it.

Now if you lose you private key ... that is a whole 'nother can o worms.

Zypher
  • 37,405
  • 5
  • 53
  • 95
  • @Chris S: Fake-replacement? What? It's a public key. There's no reason it *shouldn't* be available to the entire world, other than being too lazy to upload it somewhere. – Alex Holst Apr 12 '10 at 19:11
  • 1
    Alex, I imagine that Chris is suggesting that keys with matching fingerprints are fairly easy to generate. While that's reasonably true for the SHA-1 or md5 hash of the key, of course, the keys themselves are completely different. – Jon Lasser Apr 12 '10 at 19:30
  • 2
    @Chris S - Alex is right. There's no reason to protect your public key at *all*. In your supposed "fake replacement" scenario, ssh host key mismatch would be a red flag. – EEAA Apr 12 '10 at 19:30
  • Fair enough, I retract my obviously flawed comment. I'll keep my keys to myself regardless. – Chris S Apr 13 '10 at 02:26
4

For PGP, whose encryption is fundamentally similar to what SSH does with public keys, public key servers are offered. Through them, the goal is to propagate public keys as widely as possible.

It's infeasible to reverse-engineer a private key from a public key. In fact, that's the whole point of public-key cryptography: given appropriate key lengths, it just can't be done, and the data will be secure no matter how widely the public key is shared.

(Note that "it just can't be done" is dependent upon certainly widely-held assumptions about higher mathematics not being proven false. But if that happens, you'll have bigger things to worry about...)

Jon Lasser
  • 970
  • 5
  • 7
0

Your public key is... not your private key. Anyone can have a copy of your public key, no harm sharing it with the world.

fsckin
  • 573
  • 4
  • 9
0

A very old Question, But let me pitch in.... Can't stop..

Sharing your Public key on Wikipedia, or on a Public key ring is one thing, vs attaching this to the .authorized_keys on your Server, When you attach all of your Public key's to each of your server irrespective of the roles, then, you are exposing yourselves to a risk, If the private key is lost, All of your servers are compromised...

Shree Mandadi
  • 181
  • 1
  • 6