Did I just send my private ssh key?



I was setting up ssh for git following this guide. I used the key before on another system successfully; expecting it to work now too, I tested it with:
ssh -v -T git@github.com
And received the following:

OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 51: Applying options for *
debug1: Connecting to github.com [] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4
debug1: Remote protocol version 2.0, remote software version libssh-0.6.0
debug1: no match: libssh-0.6.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/user/.ssh/id_dsa
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).

Apart from the obvious Permission denied (publickey), it looks like ssh could not distinguish between the private key id_rsa and the public one id_rsa.pub, which are both in /home/user/.ssh/.

So did I just send my private key to git@github.com?

What I already tried:

#Create new public key
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

#id was added
ssh-add -l
2048 ==numbers== home/user/.ssh/id_rsa (RSA)

#Check the permissions
ls -l ~/.ssh
-rw-------. 1 user user 1675 Sep  3 09:53 id_rsa
-rw-r--r--. 1 user user  381 Jan 23 09:21 id_rsa.pub
-rw-r--r--. 1 user user 1371 Jan 23 09:30 known_hosts

#Take a look at /etc/ssh/ssh_config
Host *
    GSSAPIAuthentication yes
    ForwardX11Trusted yes
    ServerAliveInterval 300
    ServerAliveCountMax 2
#Looks alright to me...


Posted 2015-01-23T09:20:19.203


No, you didn't send your private key. What SSH does here is just group the public and private keys by their name. For example, id_rsa refers to the keypair id_rsa and id_rsa.pub.

"Offering public key" means that it sends your id_rsa.pub to the server. The server then generates an encrypted auth token using the public key.

When it says "trying private key", it will try to decrypt that authentication token with the corresponding private key, and send that back to the server for verification.


Posted 2015-01-23T09:20:19.203

Thanks! I found it hard to believe ssh would do that myself. Now that would mean the Permission denied (publickey) error is not caused by ssh sending the wrong key but by one of the usual causes. – crunsher – 2015-01-23T09:39:40.997

Yeah, it could be permissions or one of the usual suspects :) – slhck – 2015-01-23T09:46:25.207

To nitpick, ssh doesn't actually read the .pub file. It just reads the private key file. The public key can be extracted from the private key. ssh-keygen has an option to read a private key and output its public key. – Kenster – 2015-01-24T22:45:07.440

@Kenster: No, it does read the .pub file as well – so that it could query the server about the public part, before having to ask you for the decryption passphrase. (OpenSSH needs this as the entire file is encrypted. PuTTY's key format, otoh, doesn't encrypt the public half so a separate .pub file is not needed.) – user1686 – 2018-05-30T15:19:12.527
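The thread turns on two things a practitioner can verify locally: that the "Offering RSA public key" line only ever refers to the public half (the blob inside id_rsa.pub, which is also what ssh-keygen -y derives from the private file), and that the usual suspects behind Permission denied (publickey) are a mismatched key or bad file modes. The following script is an added example, not code from the thread or from OpenSSH: it decodes an id_rsa.pub line with the RFC 4251 wire format, rejects a line whose text type does not match the type embedded in the blob, computes the fingerprint in both the colon-separated MD5 style that OpenSSH 6.4's ssh-add -l prints and the SHA256 style newer ssh-keygen -lf prints (so the key on disk can be matched against the agent listing and against the key registered at the hosting service), and checks private-key file modes the way the ls -l output in the question does. All helper names are hypothetical, and the sample key is constructed with a dummy modulus rather than a real RSA key.

```python
"""Local sanity checks for an OpenSSH public key line (added example)."""
import base64
import hashlib
import os
import stat


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian two's complement; zero is empty."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # high bit set: prepend 0x00 so the value stays positive
        raw = b"\x00" + raw
    return ssh_string(raw)


def build_rsa_pubkey_line(e: int, n: int, comment: str = "") -> str:
    """Encode (e, n) into the one-line format used by id_rsa.pub."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def _read_string(buf: bytes, pos: int):
    """Read one length-prefixed field; raise on a truncated blob."""
    length = int.from_bytes(buf[pos:pos + 4], "big")
    pos += 4
    if pos + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[pos:pos + length], pos + length


def parse_pubkey_line(line: str) -> dict:
    """Decode an id_rsa.pub / authorized_keys line into its components.

    A text type that disagrees with the type embedded in the blob is the
    classic sign of a pasted or hand-edited key, so it is rejected.
    """
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded, pos = _read_string(blob, 0)
    if embedded.decode("ascii") != key_type:
        raise ValueError(f"type {key_type!r} but blob says {embedded!r}")
    if key_type != "ssh-rsa":
        raise ValueError("this example only decodes ssh-rsa keys")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    n = int.from_bytes(n_bytes, "big")
    return {"type": key_type, "blob": blob, "comment": comment,
            "e": int.from_bytes(e_bytes, "big"), "n": n,
            "bits": n.bit_length()}


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint as printed by 'ssh-keygen -lf' on OpenSSH >= 6.8."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the style 'ssh-add -l' used in OpenSSH 6.4."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def private_key_mode_ok(mode: int) -> bool:
    """True when only the owner can read/write the key (ls shows -rw-------)."""
    return stat.S_IMODE(mode) & 0o077 == 0


def private_key_file_ok(path: str) -> bool:
    """Same check on a real file; ssh ignores private keys that are too open."""
    return private_key_mode_ok(os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed sample: a 2048-bit dummy modulus, NOT a real RSA key.
    line = build_rsa_pubkey_line(65537, (1 << 2047) | 1, "user@example")
    key = parse_pubkey_line(line)
    # Same shape as the 'ssh-add -l' line in the question: bits, fingerprint, comment, type
    print(key["bits"], fingerprint_md5(key["blob"]), key["comment"], "(RSA)")
    print(fingerprint_sha256(key["blob"]))
```

To use it on a real key, read ~/.ssh/id_rsa.pub (or the output of ssh-keygen -y -f ~/.ssh/id_rsa) into parse_pubkey_line and compare the fingerprint with what ssh-add -l reports and with the key shown in the hosting service's settings; a mismatch, rather than a leaked private key, is what "Permission denied (publickey)" usually means.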