SSH host key: Is the public one necessary and should the key be password protected

2018-10-21 22:45:52

I was playing around with my SSH server side config sshd_config. I replaced my default SSH host keys with only one RSA key while I'm using Protocol 2 and key auth only.

ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa

This creates as expected two files

ssh_host_rsa_key

ssh_host_rsa_key.pub

While testing I found out it's not necessary to have the public key to establish a connection from the client.

When does the public key is necessary?

Furtheron I couldn't determine why it's necessary to have the private key password protected.

I am not certain what you mean by "I found out it's not necessary to have the public key" but you definitely need the public key to establish a connection. Either on the server-side or on on the client-side if you already have it saved from prior connections.

Because the private key is the most vulnerable piece. Imagine if it wasn't password protected, then an attacker who compromises your machine would have direct access

  • I am not certain what you mean by "I found out it's not necessary to have the public key" but you definitely need the public key to establish a connection. Either on the server-side or on on the client-side if you already have it saved from prior connections.

    Because the private key is the most vulnerable piece. Imagine if it wasn't password protected, then an attacker who compromises your machine would have direct access to the private key file. It adds another layer of security basically.

    2018-10-22 00:51:39