52

I need to send my SSH Public Key to one of my customers, but I am not quite sure how to do this. I have already created a SSH key pair on my computer, but now I am stuck.

CJ Hill
  • 521
  • 1
  • 4
  • 8
  • 1
    Normally, you send an *important* public key through a channel you consider to be safe. For instance, you give it in person using a *USB stick* and check if the checksum is still correct, so that nobody tampered with the *USB* stick as well. – Willem Van Onsem Apr 11 '15 at 23:49

4 Answers

32

If you generated a key pair you should have two files, id_rsa and id_rsa.pub (note that id_rsa may be replaced by another name if you specified it).

The public key (so the *.pub file) is the one which is meant to be shared, so this is the one you should send to your customer.

However, note that even though this file is public, it is important that your customer receives the one you generated. If someone were to tamper with the file they could impersonate your server, with the security issues this implies. So it is up to you to decide on a safe medium to share this file: this could be a physical USB key given from hand to hand, a secured messaging service or any other secured communication channel you have with your customer.

statox
  • 2,827
  • 1
  • 21
  • 41
  • 2
    Ok. So just send that file, through like an email or something? – CJ Hill Apr 11 '15 at 22:58
  • 3
    Since it's a public key it isn't meant to be encrypted, it only allows your private key (which should never be shared publicly) to be authenticated, so yes you can send it via email. – statox Apr 11 '15 at 23:01
  • Ok. Last question. If I want to send it through email, how do I attach the public key file, since it is in a hidden folder? – CJ Hill Apr 11 '15 at 23:04
  • You could simply move it to a non-hidden folder. In the command line you can do `mv /path/to/public/key ~/` to move your key to your home folder. – statox Apr 11 '15 at 23:08
  • Would I have to move it back to its original folder when I am done? – CJ Hill Apr 11 '15 at 23:10
  • The public key is only used by the server, the client (your pc) doesn't need it so you can do whatever you want with it. I usually delete it from my pc but it's not mandatory. – statox Apr 11 '15 at 23:12
  • 12
    @statox: the problem with simply emailing it is however that it is not safe against a *man-in-the-middle attack*. Say *Trudy* wishes to interfere in the communication from *Alice* to *Bob*. She captures the email containing the public key and replaces it with her own key; she also stores her own key. Now she sends an email to Bob with her own key. Now for each email Alice sends to Bob, she can modify the content and re-sign it with her own key, such that Bob thinks it's Alice's key. – Willem Van Onsem Apr 11 '15 at 23:48
  • Indeed that's right. The solution would be to encrypt it before sending it? – statox Apr 11 '15 at 23:50
  • 2
    @statox: well the problem is how to communicate the encryption key as well. In order to do it safely, either you store it on a certified https webserver, such that the communication is at least considered to be rather safe, or you give the key in person. For instance at a [*keysigning party*](http://en.wikipedia.org/wiki/Zimmermann%E2%80%93Sassaman_key-signing_protocol) using the Zimmermann-Sassaman protocol. – Willem Van Onsem Apr 11 '15 at 23:52
  • @CommuSoft: I didn't know about the keysigning party; that's a brilliant way to do that! – statox Apr 11 '15 at 23:58
  • @CJ Hill: Sorry for the imprecision of my answer. – statox Apr 12 '15 at 00:00
  • @statox It's ok :) I still appreciate your answer. Let's just hope no one hacks my computer hah. Nah. I think I should be ok – CJ Hill Apr 12 '15 at 00:02
  • @statox: well the nice thing is the *web-of-trust* aspect I think. You don't have to meet everybody in person to have confidence in their keys. Say *Alice* went to a party and has the key of *Dave*, and she already safely exchanged keys with *Bob*; she can sign the public key of *Dave* such that *Bob* can be confident that the key he receives from *Alice* is indeed the one of *Dave*. Of course it all depends on how much you trust people. If *Alice* were to modify the key of *Dave*, *Bob* has a problem. – Willem Van Onsem Apr 12 '15 at 00:08
  • @CommuSoft: You're right. One other problem with this protocol would be the logistics in real life I guess: when a great number of people need to exchange their keys or when people are far from each other, organizing such parties is not always possible. (Even if -as you said- you don't need to meet other people and can create other meetings, it really slows the process) – statox Apr 12 '15 at 00:13
  • @statox: well that's where protected servers can indeed solve the logistics problem. Although if I receive a key through https, I still mark it as "partly unsafe", the same for second degree keys. It's always a matter of how much you trust somebody. Every year there is a key signing party at *FOSDEM* in *Brussels*, so in general these parties are organized *alongside* conferences of course. People don't go for the keys themselves, but it's a nice side-effect of being there anyway. – Willem Van Onsem Apr 12 '15 at 00:21
  • @CommuSoft: What do you call a second degree key? A key that you receive from someone who isn't the owner of the key, like the situation you described in your previous comment with _Alice_ signing _Dave_'s key for _Bob_? – statox Apr 12 '15 at 00:26
  • @statox after receiving the id_rsa.pub through email, I pasted it inside the ~/.ssh/authorized_keys file. But logging into the remote machine is still asking for a password. Am I missing something? – Prasanth Ganesan May 27 '20 at 06:46
  • 1
    @PrasanthGanesan yes you probably are missing something but the comments of this answer are not the right place to ask a new question. You should ask your own question but I'm pretty sure this has already been answered before on this site. – statox May 27 '20 at 07:22
17

This is way late but could be easier than just sending hidden files if you are on a Unix-based system.

Just do:

pbcopy < ~/.ssh/id_rsa.pub

This will copy your public key to your clipboard. So basically just paste it anywhere you want to paste your key for sending it.

kratos
  • 2,465
  • 2
  • 27
  • 45
5

It's a public key, so theoretically, the channel you use does not have to be encrypted.

Yet, it has to be a channel that prevents a potential attacker from tampering with the key/message. In the worst case the attacker might replace your public key with his own public key, potentially gaining access instead of you.

So in practice, the best is to use an encrypted channel anyway. At least make sure that your email client uses an encrypted connection to the mail server, and hope that your mail server dispatches the email further using an encrypted connection too.

Martin Prikryl
  • 188,800
  • 56
  • 490
  • 992
  • To minimize the chance of successful MITM tampering, I would suggest to simply email the public key, compute the sha256 hash of it on both ends after receipt, then verify some part of the hash over the phone or similar. – ack Feb 06 '21 at 14:47
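The out-of-band checksum check suggested in the answer and the comment above, written out as an added shell example (not code from any of the answers): the sender computes a SHA-256 digest of the exported public key and reads it out over the phone, and the recipient checks the emailed copy against it before adding it to authorized_keys. The file paths and the sample key line are constructed for illustration; `ssh-keygen -lf <file>` would print the key's own fingerprint and is the usual alternative, but the digest below is computed with plain sha256sum/shasum so the script runs without OpenSSH installed.

```shell
#!/bin/sh
# Added example, not part of the original answers. Verifies that an SSH public
# key received by email matches the one the sender exported, using a SHA-256
# digest exchanged over a second channel (phone call, chat, in person).
# Paths and the sample key below are constructed for illustration.

# Print the SHA-256 digest of a file as 64 hex characters, using whichever
# checksum tool the system provides (GNU coreutils sha256sum or BSD shasum).
pubkey_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Sanity-check that a file looks like one OpenSSH public key line
# (key type, base64 blob, optional comment) rather than, say, a private key
# pasted by mistake. Returns 0 when the format looks right, 1 otherwise.
check_pubkey_format() {
    f="$1"
    # a public key is a single line; a private key file has many
    [ "$(wc -l < "$f" | tr -d ' ')" -le 1 ] || return 1
    line=$(head -n 1 "$f")
    set -- $line
    [ "$#" -ge 2 ] && [ "$#" -le 3 ] || return 1
    case "$1" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    # the key material must be a base64 blob
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$' || return 1
    return 0
}

# Recipient side: compare the digest of the received file with the digest the
# sender read out. Returns 0 on match, 1 on mismatch (do not install the key).
verify_received_pubkey() {
    received="$1"
    expected="$2"
    actual=$(pubkey_sha256 "$received")
    [ "$actual" = "$expected" ]
}

# Walk-through with a constructed (not real) key, showing both ends.
demo() {
    tmp=$(mktemp -d)
    # sender's exported key (what `cat ~/.ssh/id_ed25519.pub` would show)
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey0123456789ab alice@laptop' > "$tmp/sent.pub"
    # the copy that arrived by email; here one character was changed in transit
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAITamperedKeyMaterialNotARealKey0123456789ab alice@laptop' > "$tmp/received.pub"

    digest=$(pubkey_sha256 "$tmp/sent.pub")
    echo "sender reads out: $digest"
    if check_pubkey_format "$tmp/received.pub" && verify_received_pubkey "$tmp/received.pub" "$digest"; then
        echo "received key matches, safe to append to ~/.ssh/authorized_keys"
    else
        echo "received key does NOT match the sender's digest, do not install it"
    fi
    rm -rf "$tmp"
}

# run the walk-through only when executed directly, not when sourced by a test
[ "${0##*/}" = "verify_pubkey.sh" ] && demo
```

Reading the digest over the phone works because an attacker who swapped the key in the email would have to alter the phone call as well; comparing only the last eight or so hex characters is usually enough to catch a substituted key. The format check is there because a common mistake in this situation is attaching the private key file instead of the .pub file.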
4

By default your SSH public key on Unix/Linux/OS X is located in your HOME directory, in the .ssh/ folder, in the id_rsa.pub file. So you can send that file without any issues, as your private key is in id_rsa, so your credentials are not exposed.

So basically either send the ~/.ssh/id_rsa.pub file or execute in the terminal:

ssh-add -L

command and copy the printed line, so you can paste into your e-mail.

kenorb
  • 155,785
  • 88
  • 678
  • 743