
We have a Tectia SSH server to which third parties connect and pull data. I have always generated the public/private key pair and provided the third parties with the private key, with which they can connect. Now a new third party wants to connect, and they want to generate the key pair and provide us with the public key. Is there any downside to this?

ichayan
  • Providing others with your public key rather than a third party sending you a private key is actually the recommended way to use public key authentication. Keep the private key exactly that, private, and only share public keys. – HBruijn Jun 24 '19 at 10:40
  • Thank you for the quick clarification. I will take the public key from the third-party. – ichayan Jun 24 '19 at 10:45

1 Answer


Just to clarify: The point of asymmetric key encryption is for the sender to be able to encrypt data without having the key necessary to decrypt it. This means that the public key truly can be public, but it also means that the private key should be kept safe at all times and definitely should never be transferred across an untrusted link.

The new third-party is correct in their insistence that they create their own keypair and only send you the public part of it.

Depending on the value of the data exchanged with existing third parties, you may want to send them instructions on how to create their own keypairs to replace the ones with potentially compromised private keys that are in use today. In real life the risk is probably not high unless you were specifically targeted at the time of transfer, but there's nothing wrong with making sure.

Mikael H
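As an added example (not part of the original answer, and not something the asker's Tectia setup provides), here is the check I would run on the public key the new third party sends before installing it. It refuses anything that is a private key (the mistake the asker's old process made), parses the key blob to confirm it is a well-formed public key of a known type, computes the SHA256 fingerprint so it can be confirmed with the sender over a second channel, and re-encodes the blob in RFC 4716 form, which is what `ssh-keygen -e -m RFC4716` emits and which I assume the Tectia side reads as its public key file format. The sample key line and the fake private key text are constructed for the example; the key payload is not a real key.

```python
"""Checks to run on a public key a third party sends you, before it is
installed for their account on the SSH server. Added example; it uses
only the Python standard library."""
import base64
import hashlib
import struct

# Constructed sample: an OpenSSH-format ed25519 public key line whose 32-byte
# key payload is the byte 0x01 repeated. It is not a real key.
SAMPLE_PUBLIC_KEY_LINE = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEB" + "AQEB" * 10
    + " partner@example.invalid\n"
)

# Constructed sample of what must be refused: a fake, truncated private key.
SAMPLE_PRIVATE_KEY_TEXT = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "b3BlbnNzaC1rZXktdjEAAAAA\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)

# Expected blob layout per key type: number of SSH "string" fields after the
# type name, and the fixed length of the last field where one exists.
KNOWN_LAYOUTS = {
    "ssh-ed25519": (1, 32),   # the 32-byte public point
    "ssh-rsa": (2, None),     # e, n
}


def _read_string(buf, offset):
    """Decode one SSH wire 'string' (uint32 big-endian length + bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset + 4:end], end


def _extract_blob(text):
    """Return (blob, comment, declared type) from OpenSSH one-line text or
    RFC 4716 text. declared type is None for RFC 4716 input."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty key file")
    if lines[0] == "---- BEGIN SSH2 PUBLIC KEY ----":
        if lines[-1] != "---- END SSH2 PUBLIC KEY ----":
            raise ValueError("RFC 4716 key without end marker")
        # Header lines contain a colon; base64 never does. Backslash
        # continuation of long headers is not handled here.
        headers = [ln for ln in lines[1:-1] if ":" in ln]
        body = "".join(ln for ln in lines[1:-1] if ":" not in ln)
        comment = ""
        for h in headers:
            if h.startswith("Comment:"):
                comment = h[len("Comment:"):].strip().strip('"')
        return base64.b64decode(body, validate=True), comment, None
    parts = lines[0].split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    comment = parts[2] if len(parts) == 3 else ""
    return base64.b64decode(parts[1], validate=True), comment, parts[0]


def fingerprint_sha256(blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def validate_received_key(text):
    """Refuse private keys, parse the public key blob, and return what you
    need to confirm with the sender out of band before installing it."""
    if "PRIVATE KEY" in text:
        raise ValueError("this is a private key: refuse it and have the "
                         "sender generate a new pair")
    blob, comment, declared_type = _extract_blob(text)
    raw_type, offset = _read_string(blob, 0)
    key_type = raw_type.decode("ascii")
    if declared_type is not None and declared_type != key_type:
        raise ValueError("type prefix %r does not match blob type %r"
                         % (declared_type, key_type))
    fields = []
    while offset < len(blob):
        field, offset = _read_string(blob, offset)
        fields.append(field)
    if key_type in KNOWN_LAYOUTS:
        count, fixed_len = KNOWN_LAYOUTS[key_type]
        if len(fields) != count:
            raise ValueError("%s blob has %d fields, expected %d"
                             % (key_type, len(fields), count))
        if fixed_len is not None and len(fields[-1]) != fixed_len:
            raise ValueError("%s payload is %d bytes, expected %d"
                             % (key_type, len(fields[-1]), fixed_len))
    return {"type": key_type, "blob": blob, "fields": fields,
            "comment": comment, "fingerprint": fingerprint_sha256(blob)}


def is_rejected(text):
    """True if validate_received_key refuses the text (for batch checks)."""
    try:
        validate_received_key(text)
    except ValueError:
        return True
    return False


def to_rfc4716(blob, comment=""):
    """Re-encode a validated blob in RFC 4716 form for the server side."""
    b64 = base64.b64encode(blob).decode("ascii")
    out = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        out.append('Comment: "%s"' % comment)
    out.extend(b64[i:i + 70] for i in range(0, len(b64), 70))
    out.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    info = validate_received_key(SAMPLE_PUBLIC_KEY_LINE)
    print(info["type"], info["fingerprint"], info["comment"])
    print(to_rfc4716(info["blob"], info["comment"]), end="")
```

Run it on the file the partner sent and read the printed fingerprint back to them over the phone or a ticket; if it does not match what they see from their own `ssh-keygen -l`, do not install the key. The same script flags the mistake the asker's old process made: any file containing PRIVATE KEY is rejected outright instead of being installed.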