
I've been reading about asymmetric cryptography and I know that the concept is to keep the private key to yourself and distribute the public key. But recently I accessed a remote server using SSH with a .pem file. The command I used to access it was

ssh -i ./key/private_key.pem -l comp <ip_address> 

I checked the manual page for ssh and it says

-i identity_file

 Selects a file from which the identity (private key) for
 public key authentication is read.

I wonder why I was given a file with private key, how was I authenticated, and what did the server have?

7_R3X

2 Answers


With -i you supply the private key to the server. The SSH daemon must be configured to accept public keys as an authentication method. When it is (and on most Linux distros this is the case for OpenSSH) then the server reads public keys from .ssh/authorized_keys. This file can contain multiple public keys from different users/hosts. Each public key occupies a single line in the file.

When your SSH client connects to the SSH daemon with a private key (default id_rsa in .ssh/), the private key is sent after the ServerHello. The public key can verify the private key and from that point on the SSH connection is established.

Yorick de Wid
  • Does it mean that the private key I sent to the server with `-i` is actually my own private key (created on my PC) and the server already had my public key (which was also generated on my PC along with the private key)? Because what I had in my mind till now was that I'm using the server's private key with `-i`. – 7_R3X Sep 07 '16 at 19:27
  • @7_R3X We don't know what you did with the keys, but it is common to generate the keypair on your local machine, then copy the public key to the server. – Yorick de Wid Sep 07 '16 at 19:39

You didn't send the server your private key with that command.

The server has a copy of your public key (just a number, really).

You use your private key (actually a pair of numbers) to prove to the server that you are the holder of this key.

The private key is never sent over the wire for this. The proof is performed through some math magic that keeps your private key private and lets the server be sure you have it.

GnP
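The "math magic" this answer refers to, as an added illustration that is not part of the original post: a constructed, textbook-RSA stand-in for SSH publickey authentication. The keypair is built from two hard-coded Mersenne primes purely for the demo (real SSH keys are 2048+ bit RSA or Ed25519, with proper padding and key formats), but the shape is the real one: the server keeps only the public key in authorized_keys, sends a per-connection session identifier, and accepts a signature over it; the private exponent never appears in anything that crosses the wire.

```python
import hashlib
import os

# Constructed demo keypair (NOT a real SSH key, textbook RSA for illustration only).
# 2**127-1 and 2**89-1 are known Mersenne primes, so no prime generation is needed.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent; needs Python 3.8+

PUBLIC_KEY = (N, E)    # what is copied into the server's .ssh/authorized_keys
PRIVATE_KEY = (N, D)   # what stays in ./key/private_key.pem on the client

# Server side: the only thing stored per user is a list of public keys.
AUTHORIZED_KEYS = {"comp": [PUBLIC_KEY]}


def digest(data: bytes) -> int:
    """Hash the challenge to an integer before signing (hash-then-sign)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def client_sign(private_key, session_id: bytes) -> int:
    """Client proves possession: sign the server-chosen session id with d."""
    n, d = private_key
    return pow(digest(session_id), d, n)   # d is used here and never leaves


def server_verify(user: str, session_id: bytes, signature: int) -> bool:
    """Server checks the signature against every authorized public key."""
    for n, e in AUTHORIZED_KEYS.get(user, []):
        if pow(signature, e, n) == digest(session_id) % n:
            return True
    return False


def login(user: str, private_key, session_id: bytes = None):
    """Simulate one authentication; returns (accepted, what crossed the wire).

    session_id stands in for the per-connection value real SSH derives from
    the key exchange; because the server chooses it, an old signature cannot
    be replayed against a new connection.
    """
    session_id = session_id if session_id is not None else os.urandom(32)
    signature = client_sign(private_key, session_id)
    wire = {"user": user, "session_id": session_id, "signature": signature}
    return server_verify(wire["user"], wire["session_id"], wire["signature"]), wire
```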