5

I have set up authentication with a remote system using SSH. I sent the sysadmin the public part of the SSH key (*.pub).

What are the implications of keeping this public key on my machine? Is it good security practice to delete/'shred' this public key?

kabZX
  • 151
  • 3
  • At least for OpenSSH, which is the only implementation I know to use the `idblah.pub` naming scheme, as long as you have (access to) the privatekey you can recreate the publickey file trivially (with `ssh-keygen -y`). This is more or less inherent in the concept of public-key crypto, as stated in the answers. – dave_thompson_085 Jun 30 '17 at 02:04
  • Very much related, might even be a duplicate: [SSH - If Eve has the passphrase and public key, can she derive the private key?](https://security.stackexchange.com/q/153750/2138) – user Jun 30 '17 at 07:54
  • Why would you want to get rid of it? Typically you'd use the same public key for other services, too. Public key encryption is meant to be secure enough that it can be widely reused (because the private key -- the part that must be kept secret -- is supposed to never leave your machine and never even be seen by anyone else). – Kat Jul 04 '17 at 21:33

3 Answers3

5

The whole point of your public key is that you can share it with anyone. It doesn't matter if someone gets it, it doesn't matter if it's on your machine.

It isn't a target for attackers so it would be of no value to anyone in having it on your machine. It does have a benefit in keeping it: you can then easily share it.

(Yes, I know there is a possible attack vector if an attacker had the public key and had a way to impersonate the server you are trying to connect to, but if they are prepared to do that you have greater issues)

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
2

You should keep it. As already mentioned, it can be anytime recreated from the private key and there is nothing that could be done with this key in case it would get to "bad people". They can already download it from your github or someplace else.

What is worth mentioning, the OpenSSH can make use of this separately stored public key in case the private is encrypted. In that case, it can try the public key without asking you for a passphrase of that private one.

Without this key, OpenSSH would ask you for a passphrase for every connection (even to other servers) if the key is in one of the default locations.

Jakuje
  • 5,389
  • 17
  • 31
0

It's public which means it's fine to keep if you need it for further use. It's more important you don't share or loose the private key.

ISMSDEV
  • 3,272
  • 12
  • 22
  • I think when you loose the private key game is over, has no sense to keep pu key. But I agree, it worths to keep pub key. – VovCA Jun 29 '17 at 21:21