I note that when I use ssh-keygen to generate a public/private key pair, the public key file includes details of the user name and host on which the key was generated. Does this mean that this pair can only be used when communicating from this host? I would like to generate key pairs for a group of users and distribute them to them, without them needing to know the details of the process.
1 Answer
The host and username info at the end of the public key file generated by ssh-keygen is a comment. You can edit it without affecting the key. Its purpose is to help any recipients of the public key in remembering whose key it is.
That said, transferring a private key needs to be handled with some care. Are your group members comfortable with the idea that you'll effectively have the ability to impersonate them (because you could have kept their private keys)?
Could you solve this instead by scripting ssh-keygen for them, and pushing their resulting public keys to a publicly accessible place?
Edit: why is this tagged [ssl]? If you're planning on using SSL/TLS (instead of SSH) you don't want to make your keys with ssh-keygen. You'll have a much easier time with openssl's key/cert-gen tools, e.g.:
openssl req -newkey rsa:3072 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
(which will prompt you for all the info about whose key it is, and will put that info into the resulting self-signed certificate)

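As an added example (not part of the answer or the asker's post), the Python below makes the point about the comment concrete: it parses an OpenSSH public key line into its three fields, checks that the key type named in the text agrees with the type embedded in the base64 blob, replaces the trailing comment, and computes the SHA256 fingerprint the way `ssh-keygen -l` reports it, so you can confirm the key material is untouched after editing the comment. The sample key blob and the `alice@buildhost` comment are constructed for the example, not a real key.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Split an OpenSSH public key line into (key type, raw key blob, comment).

    Only the first two fields carry key material; the rest of the line is the
    free-form comment, so split with maxsplit=2 and allow it to be absent.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # The blob embeds the key type as its first SSH string; a mismatch with the
    # text field means the line was corrupted or tampered with.
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + tlen].decode("ascii")
    if embedded_type != key_type:
        raise ValueError(f"type mismatch: {key_type!r} vs {embedded_type!r}")
    return key_type, blob, comment


def fingerprint_sha256(blob: bytes) -> str:
    """Fingerprint as ssh-keygen -l prints it: SHA256:<unpadded base64 of the digest>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def set_comment(line: str, new_comment: str) -> str:
    """Return the same public key line with only the comment replaced."""
    key_type, blob, _ = parse_pubkey_line(line)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {new_comment}".rstrip()


# Constructed sample: a well-formed ed25519 blob over 32 dummy bytes (not a real
# key) with the user@host comment ssh-keygen appends by default.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " alice@buildhost"
```

Running `fingerprint_sha256` on the blob from the original line and from the rewritten one gives the same string, which is what `ssh-keygen -lf` would show for both files.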
- I can't script it because some of my users run on Windows, which requires putty afaik. My group trust me not to impersonate them - ultimately, I have root access to the machine they are connecting to in any case. I take your point about using 'openssl req' and will use this in future. I'll also drop the 'ssl' tag. Many thanks. – Andy Nov 24 '17 at 15:24
- Hmm, when I use the openssl approach, I find that the file can't be appended to my authorised_keys file - which was something I was able to do with the ssh-keygen public key. Am I missing something? – Andy Nov 27 '17 at 13:38
- Are you using SSL or SSH as your secure transport layer? (It sounds like you're using SSH, in which case `ssh-keygen` is the right tool. I was confused initially because this post was tagged ssl/openssl, which is a different thing.) – lockcmpxchg8b Nov 27 '17 at 17:36
- Yup - I'm using SSH and related tools (sftp, scp etc). Guess I'll stick with ssh-keygen, until I manage to get my head round all this stuff. Thanks for your help and apologies for confusing matters! – Andy Nov 27 '17 at 20:41