SSH key authentication at server side

Question

I usually do ssh key authentication as follows:

generate key on client pc (# ssh-keygen -t rsa)
copy the key to server (using ssh-copy-id or by other means)
access server from client PC.

I have seen AWS servers (Amazon web servers) provide a key during server creation, which the client can then use to login.

Now I have a server with me in which I want to generate keys and distribute it to my clients. Every one with that key must be able to access to the server.

How can I achieve this?
How should I name these keys I distribute to clients? Is it Public key?

Am I missing any theory about public/private key here?

Presumably you're talking about the *private key*, and the importance of keeping it *private*. Yes, AWS (and others) do expose it briefly during server creation (over a TLS or similar session), which they deem a reasonable risk for their purposes. Is a reasonable risk for yours? Only you can determine that. — quadruplebucky, Jun 12 '17 at 10:42

score 18 · Answer 1 · answered Jun 12 '17 at 11:16

18

Don't do this. If all your clients use the same keypair to access the server, and one of your clients leaves, you can't remove their access without cutting everyone off.

At least, get each client to generate their own keypair and send you the public key (which is also somewhat less insecure than you sending them a private key), then put all the public keys into the server's authorized_keys file. Better still, create each client their own user account on the server as well, and put each client's public key into the relevant user account's authorized_keys file.

answered Jun 12 '17 at 11:16

MadHatter

79,770
20
184
232

Yes, I know the consequences. But this is a special case. – Midhun Jose Jun 15 '17 at 04:15
It always is. You've still presented no good reason to do it that way, and I don't think one exists. Don't do this. – MadHatter Jun 15 '17 at 06:04

score 4 · Accepted Answer · answered Jun 12 '17 at 10:47

4

Amazon linux uses key-pair as you do, but distributes a private key.

So, if you generate the user on server side you should add as usual the public key on /home/your_user/.ssh/authorized_keys, then distribute the private key to your client.

You should be aware of security concerns as "private keys are called private for a reason."

answered Jun 12 '17 at 10:47

Federico Galli

918
6
16

I have followed this and made it working. (1) generated key pair at server (2) added the pubic key to server 'authorized_keys' itself (3) shared the private key using which client can connect. – Midhun Jose Jun 15 '17 at 04:18

SSH key authentication at server side

2 Answers2