-2

I like to upload my public key (eg: ~/.ssh/id_rsa.pub) to various servers that I connect to on various networks for work. I use this same public key on github. If I am on a shared user account and I put my public key there, can someone just take it and do something unfavorable with it? Is it generally not a wise idea to just have 1 Public key that you share amongst several servers?

Zombies
  • 515
  • 2
  • 6
  • 13
  • 1
    Downvotes... for what? Haven't been here in awhile, this place has really gone downhill. – Zombies Aug 01 '14 at 19:05
  • 10
    Probably a lack of research or the basicness of the question. It's a public key. The name tells you what you need to know - it's supposed to be made public. – HopelessN00b Aug 01 '14 at 19:18
  • Sorry, but that reasoning (public key is public) is only valid in an idealized world. In the real world there are some corner cases that may be worth considering, so this would be a legit question. – b0fh Jun 16 '17 at 12:07

2 Answers2

2

Yes it is safe. The basic idea of the key pairs is that the public key is only good to "verify" something encrypted with the private key. It's not possible to encrypt with that key in a way to somehow impersonate the original owner of the private key. (Edited for clarification)

That is why it's called "public".

The "private" key is the one you must lock away and never share, since that is the one used to generate encrypted data.

Edit: As pointed out in the comments (thanks!) the public key can also encrypt data that can be decrypted using the private key, but it doesn't allow the use of the public key to impersonate the private. This is the main idea of the use of "public" and "private" keys.

Marcelo
  • 755
  • 4
  • 5
  • You can encrypt with either key. Such crypttext can only be decrypted by the opposite key. – Andrew Barber Aug 02 '14 at 07:22
  • Yes but isn't authentication also part of public key cryptography? It's not only used for encryption (information hiding). My question is, if I just whore out my public key on every server I log into, can't someone just take it and impersonate me on somewhere? Or is the authentication using encryption to send/receive encryption/decryption challenges to the client? – Zombies Aug 02 '14 at 13:07
  • The key pair is not even used for encryption. The keys for encryption are generated using Diffie–Hellman key exchange at the start of the session. This in itself is secure against passive attacks, but not against active attacks. The key pairs are then used to sign the data exchanged during setup in order to protect against active attacks. – kasperd Aug 04 '14 at 13:39
1

Contrary to the general public opinion, no, there are still some things that an adversary can do with knowledge of your public key, though they are a bit far-fetched, and mostly security through obscurity. I mention them for the sake of completeness.

For instance, if your key was generated using buggy software, such as Improperly patched version of OpenSSL, it may be possible to guess your private key with various attacks of diverse sophistication In this case, revealing your public key may expose the fact that you are vulnerable, and tell your attacker he can actually break into your accounts.

If you are using ssh-agent, your ssh client will transmit the fingerprints of ALL your public keys to any server you connect to. This is better than letting the server disclose which keys are allowed to access the account. As a consequence, if you are of mischevious intent, and try to (crudely) break into ssh servers, you may unknowingly transmit your public keys, and this may get you identified later.

b0fh
  • 3,313
  • 1
  • 21
  • 32