1

I want to create an SSH key. I wanted to know: does it make any difference whether I create the key as root or as a user? For example, as a user I do this:

ssh-keygen -t rsa -C "your_email@example.com"

and it will save it in /home/user/.ssh/, vs. when I do sudo su as the same user as before and then create my SSH key, in which case it will save the keys in /root/.ssh

Which one is the correct way to create my SSH key: as root or as a user? Thanks

  • 2
    It entirely depends on which user you want to start the ssh connection with. The keys can be copied and used for more than one user. – Bruno9779 May 03 '17 at 17:41

2 Answers

7

There is no difference other than where the resulting keys are stored (and the file ownership and key comment).

Note that you should probably avoid using the root account for things that don't strictly need super user privileges, so creating SSH keys for root is seldom necessary.

In general: Create the key as the user who will use the key.

Also, about sudo su, see "Is there ever a good reason to run sudo su?"

Kusalananda
  • 333,661
2

Per the five security guidelines from the U.S. National Security Agency (all of which I include for learning purposes):

  1. Encrypt transmitted data whenever possible.
  2. Minimize software to minimize vulnerability.
  3. Run different network services on separate systems.
  4. Configure security tools to improve system robustness.
  5. Use the principle of least privilege.

The bold one applies to the original post.

When you create an SSH key, a pair gets generated:

  • Public key, which ends with .pub. The public key resides on the server.
  • Private key, which is a secret. The decision to encrypt the private key depends on how big the damage could be if it gets leaked, lost or stolen.

It does not matter who generated the key or where the private key resides, as long as you have access to the private key and the corresponding public key is included in the authorized_keys file on the server. As root, try to authenticate with a regular user's private key:

~# ssh root@server -o PreferredAuthentications=publickey -i /home/user/.ssh/server_key

Also, it is nice to include: you should always use SSH keys and disable password authentication in the configuration file /etc/ssh/sshd_config.

~$ sudo cat /etc/ssh/sshd_config | grep PasswordAuthentication
#PasswordAuthentication yes
PasswordAuthentication no

&

$ sudo cat /etc/ssh/sshd_config | grep Pub
PubkeyAuthentication yes
Abdullah
  • 324
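
An added example, not part of either answer above: the grep check on sshd_config, done as a parser. sshd uses the first value it reads for a keyword, so a grep that prints "PasswordAuthentication no" does not prove that is the value in effect. The function names, the sample files and the "yes" defaults passed in (OpenSSH's documented defaults) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original answers.

# effective_value FILE KEYWORD DEFAULT
# Prints the value from the global section (before any Match block) of FILE.
# Include directives are not followed (simplification of this example).
effective_value() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want); val = def }
        { sub(/^[ \t]+/, ""); sub(/\r$/, "") }     # trim indent and CR
        /^#/ || /^$/ { next }                      # comments, blank lines
        match($0, /^[A-Za-z]+/) {
            key = tolower(substr($0, 1, RLENGTH))  # keywords are case-insensitive
            arg = substr($0, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", arg)        # "Key value" or "Key=value"
            split(arg, tok, /[ \t]+/)
            if (key == "match") exit               # conditional blocks start here
            if (key == want) { val = tok[1]; exit }  # first occurrence wins
        }
        END { print val }
    ' "$1"
}

# keys_only FILE: true when passwords are off and public keys are on.
keys_only() {
    [ "$(effective_value "$1" PasswordAuthentication yes)" = "no" ] &&
    [ "$(effective_value "$1" PubkeyAuthentication yes)" = "yes" ]
}

# Constructed sample files (not real server configs).
good=$(mktemp); bad=$(mktemp)
printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' > "$good"
# An earlier "yes" overrides the later "no" that a grep would also show.
printf '%s\n' 'passwordauthentication yes' '#PubkeyAuthentication no' \
    'PasswordAuthentication no' > "$bad"

for f in "$good" "$bad"; do
    if keys_only "$f"; then echo "$f: key-only login"
    else echo "$f: password login still enabled"; fi
done
```

On a live server, `sudo sshd -T` prints the configuration sshd actually resolves, including Include files, and is the authoritative check.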