Ssh – Why does a SSH public key sit on the server and not with the client

cryptographypublic-keyssh

I don't quite understand the theory behind keeping public keys on the server. In the lockbox analogy of public/private keys, to unlock Alice's box, Alice holds the private key while the public key is distributed to Bob. It would seem that the server plays the role of lockbox, so why does it hold the public key?

Best Answer

Keep in mind that the server DOES have a private and public key which is completely separate from the keypair you generate as a user. The private key for the server is usually stored with the server configuration and the public key is transmitted by the server when you attempted to connect. You client compares the server's public key against your known_hosts file. If used properly, this prevents MITM attacks.

You have the private key for your personal account. The server needs your public key so that it can verify that your private key for the account you are trying to use is authorized.

So using your example. Both Bob and Alice have private keys and public keys. The public keys which have been shared before hand or as part of the connection are used to verify the data encrypted by the private keys is legitimate. If the client doesn't have the public key, or has a different public key you will get a scary warning. If the server doesn't have the clients public key, you will not be allowed in.

Related Solutions

SSH Key – How to Create a Public Key from a Private Key

Use the -y option to ssh-keygen:

ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub

From the 'man ssh-keygen'

 -y      This option will read a private OpenSSH format file and print an
         OpenSSH public key to stdout.

Specify the private key with the -f option, yours might be dsa instead of rsa. The name of your private key probably contains which you used. The newly generated public key should be the same as the one you generated before.

SSH – What Does SSH Send During Key Negotiation?

in order to connect to an SSH server and authenticate with your public/private keypair you have to first share your public key with the server.

this is done by copying the public key for your private key to the server, and adding it to ~/ssh/authorized_keys either by copy/paste, copying id_rsa.pub to ~/.ssh/authorized_keys on the server or with cat id_rsa.pub >> ~/.ssh/authorized_keys, appending it to the list.

when you connect, the server uses your public key to sign a challenge, and your client uses your private key id_rsa to decrypt the challenge, re-encrypt it with the server's public host key and send it back.

the host verifies that you decrypted the challenge properly, by decrypting your response with its private key, and the client/host establish an encrypted connection, based on the shared data, not on your public/private keys.

at NO POINT in the exchange is your private key, or the host's private key exchanged or revealed to one another. your public key IS stored on the server, but that's why it is a PUBLIC key.

Best Answer

Related Solutions

SSH Key – How to Create a Public Key from a Private Key

SSH – What Does SSH Send During Key Negotiation?

Related Topic