Is it safe if my server creates an SSH key pair for my client? Scenario: I (server admin) will create an SSH key pair, put the public key into authorized_keys, and give the private key to the client so he can access my SFTP server.
- Hi @Archemar, thank you for responding. But is it safe on the server's part to give out private keys which my server created? – Allan Parcutela Mar 22 '19 at 05:53
- Your customer should be generating their own keys and securing them with a passphrase, then giving you their public key to store on the server you manage that they need to access. Their private key should never be given to anyone and it should be encrypted (i.e. secured with a passphrase). – kingmilo Mar 22 '19 at 06:46
- Never generate a private key for someone else. Never accept a private key generated for you. – Kusalananda Mar 22 '19 at 07:01
- @Kusalananda agreed in theory, but the sad reality is that a lot of end users don't necessarily have the know-how to generate an SSH keypair and will complain if you give them the instructions. – Shadur-don't-feed-the-AI Mar 22 '19 at 09:42
- I think this will apply to all Unixes, not just UNIX. – ctrl-alt-delor Mar 22 '19 at 09:50
- If someone creates a private key for you, then it's not private anymore. If someone needs you to access, you just need to provide the public key... – Mar 22 '19 at 16:31
3 Answers
Quick $0.02 because I've got to get ready for work:
Assuming this server isn't protecting actual banks or national security-level secrecy, you're fine.
About the only potential risk I can imagine from this is if a hostile third party intercepted enough of those private keys and the exact time they were generated, they could use that to make predictions about the state and algorithm of the server's random number generator, which might be useful in some very sophisticated attacks.
... Of course, if they can intercept that many of your private keys you have much bigger problems already.
The safest thing to do would be to let the client generate the keypair and use a trusted channel to send you the public key for inclusion into the authorized_keys file, but if that isn't an option for whatever reason, your main worry is going to be how to securely get the private key to the recipient and only the intended recipient.

- +1 for letting the client generate the key pair, but a trusted channel for sending the public key is really not needed. The public key is, as the name says, public. – Johan Myréen Mar 22 '19 at 07:40
- The 'trusted' part of the channel is because you want to make sure it's the client's public key you're receiving and not someone's MITM key. – Shadur-don't-feed-the-AI Mar 22 '19 at 07:49
- Whoever downvoted this, might I ask why? I appreciate constructive criticism. – Shadur-don't-feed-the-AI Mar 22 '19 at 09:25
- @Shadur You do need a trusted channel to send public keys: The channel does not have to keep the key secret, but the receiver does have to be able to trust that it came from who it claims to come from. – ctrl-alt-delor Mar 22 '19 at 09:49
- That's what I said, yes. @JohanMyréen was arguing otherwise. – Shadur-don't-feed-the-AI Mar 22 '19 at 09:50
- @Shadur Yes, you are right. The public key does not contain sensitive data, but you will of course have to make sure it is the correct one. – Johan Myréen Mar 22 '19 at 09:54
Your customer should be generating their own keys and securing them with a passphrase, then giving you their public key to store on the server you manage and that they need to access. Their private key should never be given to anyone and it should be encrypted (i.e. secured with a passphrase).
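For the server admin's side of this exchange, here is an added example (not part of the original answers or comments) that checks a received public key against a fingerprint the client confirmed over a separate channel before building the authorized_keys line. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string, as used inside SSH public key blobs."""
    return len(data).to_bytes(4, "big") + data

# Constructed sample: a well-formed ssh-ed25519 public key line built from 32
# fixed bytes. It is not a real client's key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUBKEY = "ssh-ed25519 %s customer1@example" % base64.b64encode(SAMPLE_BLOB).decode()

def parse_public_key(line: str):
    """Return (key_type, blob) for one OpenSSH public key line, else ValueError."""
    if "PRIVATE KEY" in line:
        raise ValueError("private key material received; ask for the .pub file")
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = fields[0]
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("key data is not valid base64") from exc
    # The blob embeds its own copy of the key type; the two must agree.
    name_len = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 or blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match the key blob")
    return key_type, blob

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def authorized_keys_entry(pubkey_line: str, confirmed_fingerprint: str) -> str:
    """Build the authorized_keys line only if the key matches the fingerprint
    the client read back over a separate channel (for example by phone)."""
    key_type, blob = parse_public_key(pubkey_line)
    if fingerprint(blob) != confirmed_fingerprint.strip():
        raise ValueError("fingerprint mismatch: do not install this key")
    # 'restrict' turns off forwarding and PTY allocation for this key; the
    # sender-supplied comment is dropped rather than copied into the file.
    return "restrict %s %s" % (key_type, base64.b64encode(blob).decode())

if __name__ == "__main__":
    _, blob = parse_public_key(SAMPLE_PUBKEY)
    print(authorized_keys_entry(SAMPLE_PUBKEY, fingerprint(blob)))
```

The client gets the value to read back by running `ssh-keygen -l -f` on their own `.pub` file.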

To allow access with ssh/scp/sftp you can use a public/private key pair. (*)
If you generate and install such a pair, you will control who will access a specific part of your server (in your case the sftp directory).
If you have two or more customers/partners, be sure to generate one key per partner.
This way customer1 will access customer1's part. If set correctly (**), customer1's private key will not access customer2's files, nor any other part of the server.
- (*) assuming, as noted by Shadur, that the transfer is safe from prying eyes.
- (**) using chroot if possible (this depends on your directory structure).
As noted in my (deleted) comment, this is also a matter of trust on the customer's part, but that should be OK; the customer already trusts you with his file.
