I think I know the answer, but I'll ask anyway...

I'm being given access to a remote server with SSH access. Who should generate the private/public key pair? My understanding is that I should generate the key pair and give the public key to the administrator of the remote server.

What actually happened is that I was sent both public and private keys in a plain text email, and expected to use them. Am I right in thinking this is a very Bad Thing?

  • The question is whether the process provides the level of security the particular use case requires. We don't know your use case. If the admin is used to dealing with idiots, he may assume people are incapable of generating a key securely, or may even re-use one someone else sent them for some other purpose. – David Schwartz, Mar 16 '16 at 9:38
  • @DavidSchwartz fair point. However, the fact that I was emailed a private key in plain text from the admin doesn't bode well...! – Steve Folly, Mar 21 '16 at 15:31

It doesn't matter who generates the public/private key pair (as long as key generation and handling are done properly).

What matters is the confidentiality of the private key.

It is easier to maintain confidentiality when the private key does not leave your machine (hence it is safer to generate it locally on a client machine and share the public key).

A private key that was sent attached to an email is compromised unless it was protected by a high-entropy passphrase which was shared securely.

    It depends.

    The server admin can generate a new public/private key pair for you and send it to you. At the same time, he will configure your public key as authorized to log on to the server. The security question is that he can also keep the private key and "steal" your identity to connect to this server.

    On the other hand, you can generate the public/private key pair yourself and send only your public key to the server admin so he can configure it as authorized to log on to the server.

    Technically both are possible, but I really prefer the second option.

    The only constraint is that you have to generate a key using a type (dsa, rsa, ...) compatible with what is set up on the server. You can ask the server admin which key algorithms are accepted.

      Yes, you should generate the public/private key pair. This is the simplest way to ensure that the private key remains secure. The expectation with ssh keys is that you can reuse the same key with multiple remote hosts, as long as your key meets the security requirements (algorithm and key length) of the administrators of those hosts. It is your job to keep your private key secure. If someone else is generating your private key, they have access to any machine where your public key is allowed. So if someone else is generating your key pair, you should not reuse this key pair anywhere.

      Yes, sending your private key via email is a very bad thing. You should start over with a new set of keys, especially because generating a new set is so easy.

      Send only the public key. It's OK to send the public key unencrypted over email.
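A worked version of the procedure the answers above recommend, added here as an example and not part of the original thread: the client generates the pair locally with a passphrase, shares only the .pub file plus an out-of-band fingerprint, and the admin installs it with checks that refuse private key material, which is the situation described in the question. It assumes OpenSSH's ssh-keygen is available; the paths, the key comment and the demo passphrase are made up for illustration.

```shell
#!/bin/sh
# Added example (not part of the original thread): the "generate locally, share
# only the public key" workflow from the answers above, plus the checks the
# recipient and the admin should make. Assumes OpenSSH's ssh-keygen is
# installed. File paths, the key comment and the demo passphrase are
# illustrative, not values from the page.
set -eu

# Client side: create the key pair in a directory only you can read. The
# private key never leaves this machine. -N sets the passphrase that encrypts
# the private key file (use a high-entropy one); -a 64 raises the KDF rounds
# that slow down guessing it if the file ever does leak.
generate_keypair() {    # $1 = private key path, $2 = passphrase
    umask 077           # key files are created 0600, directories 0700
    mkdir -p "$(dirname "$1")"
    ssh-keygen -q -t ed25519 -a 64 -C "client-laptop" -f "$1" -N "$2"
    # Print the fingerprint: read it to the admin over a second channel so
    # they can confirm the emailed .pub file was not altered in transit.
    ssh-keygen -lf "$1.pub" | awk '{print $2}'
}

# Recipient check: a file with a PRIVATE KEY block, as in the question above,
# is compromised material. Generate your own pair instead of using it.
is_private_key_material() {    # $1 = file someone sent you
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Admin side: install exactly one public key line into authorized_keys.
# Refuses private key material and anything ssh-keygen cannot parse as a key,
# so a pasted private key can never end up authorizing logins.
# (Which key types sshd accepts can be checked on the server with
#  "sshd -T | grep -i pubkeyaccepted"; ed25519 is accepted by current OpenSSH.)
authorize_public_key() {    # $1 = received .pub file, $2 = authorized_keys path
    if is_private_key_material "$1"; then
        echo "refusing $1: it contains a private key" >&2
        return 1
    fi
    if [ "$(wc -l < "$1" | tr -d ' ')" -ne 1 ] || ! ssh-keygen -lf "$1" >/dev/null 2>&1; then
        echo "refusing $1: not a single OpenSSH public key line" >&2
        return 1
    fi
    umask 077
    mkdir -p "$(dirname "$2")"
    cat "$1" >> "$2"
    chmod 600 "$2"
}

# Demonstration in a scratch directory (constructed, not a real deployment).
demo() {
    tmp=$(mktemp -d)
    fp=$(generate_keypair "$tmp/client/id_ed25519" "correct horse battery staple")
    echo "tell the admin this fingerprint out of band: $fp"
    # Mailing the .pub file is fine; the admin installs it.
    authorize_public_key "$tmp/client/id_ed25519.pub" "$tmp/server/authorized_keys"
    # The mistake from the question, seen from the recipient's side:
    if is_private_key_material "$tmp/client/id_ed25519"; then
        echo "the file I was sent is a private key: treat it as compromised"
    fi
    rm -rf "$tmp"
}

if command -v ssh-keygen >/dev/null 2>&1; then demo; else echo "ssh-keygen not found" >&2; fi
```

The order of the checks in authorize_public_key matters: the PRIVATE KEY grep runs before ssh-keygen -lf, because -l on an encrypted private key may prompt for its passphrase instead of failing cleanly.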
