1

Say I'm on machine A and have SSH access to machines B and C. I'm logged in to machine B. I generate keys on B that I use to authenticate my access from B to C.

I've read that you should never generate keys on a remote system "over the internet". Why?

dbrane

2 Answers

1

I believe what is discouraged is generating a key for use on a local machine remotely. The situation you outlined is secure (assuming machine A and B are both trusted machines) if you're simply generating keys on machine B (and keeping them on machine B!) for use on machine B to connect to machine C.

Patrick Bell
0

Never generate a private key on a machine that you don't want to have access to the private key. If you're going to put the private key on that machine anyway, then you can generate it there.

However, in your case, do you really want the private key on machine B? If you only ever access C through B while you're accessing B through A, then consider using SSH's authentication forwarding so that you only have your private keys on machine A.

Macil
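A check to run on machine B for the setup the second answer describes, added here as an example and not part of the original answers: it lists files holding private-key material and reports whether keys are stored on the host or only reachable through an agent socket. The function names `list_private_keys` and `key_exposure` are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original answers). Run on machine B to see
# whether private keys are stored there or only reachable through an agent.

# Print each regular file under directory $1 whose first line is a
# PEM/OpenSSH private-key header. *.pub files and known_hosts do not match.
list_private_keys() {
    [ -d "$1" ] || return 0
    find "$1" -type f | sort | while IFS= read -r keyfile; do
        if head -n 1 "$keyfile" 2>/dev/null |
            grep -Eq '^-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----'; then
            printf '%s\n' "$keyfile"
        fi
    done
}

# Classify the host. $1 = directory to scan, $2 = agent socket path
# (defaults to SSH_AUTH_SOCK, which sshd sets when forwarding is active
# via `ssh -A` or `ForwardAgent yes` on the client).
#   stored     - at least one private key file is on this host
#   agent-only - no key files, but an agent socket is available
#   none       - no key files and no agent
key_exposure() {
    if [ -n "$(list_private_keys "$1")" ]; then
        echo stored
    elif [ -S "${2-${SSH_AUTH_SOCK-}}" ]; then
        echo agent-only
    else
        echo none
    fi
}

# Stand-alone use: sh audit.sh ~/.ssh
if [ "$#" -gt 0 ]; then
    key_exposure "$1"
fi
```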