
I was playing around with my SSH server side config sshd_config. I replaced my default SSH host keys with only one RSA key while I'm using Protocol 2 and key auth only.

ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa

This creates as expected two files

ssh_host_rsa_key
ssh_host_rsa_key.pub

While testing I found out it's not necessary to have the public key to establish a connection from the client.

  1. When is the public key necessary?

  2. Furthermore, I couldn't determine why it's necessary to have the private key password protected.

codekandis

1 Answer


Q2. sshd host keys should not be password protected. If they are, sshd can't read them (unless you set up a host agent and preload it, which is rare). This is because sshd is designed to run in the background and cannot get the password(s) from the user, especially because it is usually started automatically at boot before any user is even logged in. Instead, the files for the sshd host key(s) should be secured against access by any userid other than the one which runs sshd, normally root, and that userid should be well protected and not used unnecessarily.

Q1. sshd does not need a separate .pub file because it can automatically compute the public key from the private key. In contrast, the client ssh (unless using an agent) usually wants to use the public key for a userauth 'probe' before prompting for the password to actually use the private key, and this requires a separate .pub file except when using OpenSSH's 'new format' key file, which is required for Ed25519 since IIRC 6.5, and the default for all keys since 7.8 about a month ago. Since ssh-keygen doesn't know which you want, it always generates a .pub file, which does no harm if unneeded, even if it is not secured, since it is public.

dave_thompson_085