SSH public key authentication -- always require users to generate their own keypair?

Posted by schinazi on Server Fault See other posts from Server Fault or by schinazi
Published on 2011-01-12T23:52:38Z Indexed on 2011/01/13 0:55 UTC
Read the original article Hit count: 571

I was working with a partner today that I needed to upload files to my server using scp. I have passwords turned off in the server's SSH configuration, so I wanted them to use public key authentication. I generated the keypair for them on the server and gave them the private key and put the public key in the appropriate authorized_keys file.

After a bunch of problems with them setting up their job, they finally got a more experienced sysadmin involved on their end, and he scolded me for handling the key generation this way. He said that by giving them a private key generated on my system, I had enabled them to do a brute-force attack against other keys generated on the same server.

I even asked him "so if I have an account on a server, and I can log in with a password but I want to automate something and I generate a keypair on that system, does that then give me an attack vector for brute forcing other users' keys?" and he said yes.

I've never heard of this, is it true? Can anyone point me to a discussion of this attack?

Thanks in advance.

© Server Fault or respective owner

Related posts about ssh

Related posts about public-key