Rohit Bajaj asked:
Is sharing a private key a problem?

Hi,
I generated a new private and public key pair on my system using the following command:
ssh-keygen -t rsa
and shared it with a team in my company to put on the prod box.
Will that be a problem? Can anyone take advantage of it, or hack into my system?
Thanks
ASKER CERTIFIED SOLUTION
gelonida
You're defeating the purpose of these key pairs.  Everyone should generate their own key pair.  This allows you to know which user logged into the remote system.  When you share private keys, everyone comes in with the same credentials and you won't be able to know which user messed up your system.

You also set a bad precedent.  If a user decides to share the key out to someone else, you won't know who did it.  If one of the users got hacked, you'll also have a harder time tracking down which user got hacked.  You'd also have to revoke the key for everyone.
noci

Yes, this is a BAD(tm) thing in general. The impact of it may vary depending on the issues gelonida already mentioned.

From a private key a public key can be derived, so it effectively is a complete set of keys.
A private key is therefore named private for a reason. The public key is meant to identify YOU accessing someone else's system.
Also, group access (aka account sharing) is to be discouraged on all accounts. Use private accounts with identifiable "tags" (aka usernames, etc.),
and for systems where ADMIN access is needed create specific admin accounts for each of the admins.
(On Unix systems one can use sudo to allow specific non-privileged users to run specific commands as if they were root.)
Rohit Bajaj (asker):

Now that my private key is created and others know it, is there any way I can somehow disable it so that no one can misuse it?
Yes, never use this private key any more.
Generate a new one for the user, get it signed by people you trust (like before, if needed),
then replace all your private keys that are used anywhere with this fresh one.

(Standard procedure in case of any private key compromise.)
Remove the public keys from all the servers, so the old private key won't work.
Yep, those too. And you need to do it rather sooner than later.
You asked, "Now that my private key is created and others know it. Is there any way I can somehow disable it so that no one can misuse it."

As suggested above, remove all public keys from everywhere.

Then generate a unique key pair for every person accessing a machine, then use something like this to propagate public keys to your servers...

ssh-copy-id -i key.rsa.pub user@host


I normally do this one machine at a time, plus the man page suggests you can target a user@host list for many machines.

As noci suggested, nuke the public key now... as what you've described is highly insecure.
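Added example (not from any of the posts above): a POSIX shell script for the revocation step noci and the reply above describe, removing every entry for the shared key from an authorized_keys file. It matches on the base64 key blob rather than the whole line, so copies with a different trailing comment or a leading options prefix are caught too. The key blobs and the authorized_keys contents are constructed placeholders.

```shell
#!/bin/sh
# Added example: revoke one shared (compromised) public key from an
# authorized_keys file, matching on the base64 key blob so entries with
# a different comment or a leading options prefix are still removed.

# Constructed sample keys (placeholder blobs, not real key material).
SHARED_PUB='ssh-rsa AAAAB3NzaC1yc2EFAKEsharedkeyblob0000000000000001 rohit@laptop'
OTHER_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEotherkeyblob0000000002 alice@work'

# Extract the base64 key blob (second field) from an id_*.pub style line.
key_blob() {
  printf '%s\n' "$1" | awk '{print $2}'
}

# Remove every authorized_keys entry whose key blob equals $1 from file $2.
# An options prefix such as from="..." shifts the blob to a later field,
# so every field is compared; comments and blank lines are kept as-is.
revoke_key() {
  blob=$1
  file=$2
  tmp="$file.tmp.$$"
  awk -v blob="$blob" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
    { for (i = 1; i <= NF; i++) if ($i == blob) next; print }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Number of key entries (non-comment, non-blank lines) left in file $1.
count_keys() {
  grep -c -v -E '^[[:space:]]*(#|$)' "$1" || true
}

# Constructed authorized_keys: the shared key appears twice, once plain
# and once behind an options prefix, beside one legitimate per-user key.
demo_file=$(mktemp)
trap 'rm -f "$demo_file"' EXIT
{
  echo '# prod box'
  echo "$SHARED_PUB"
  echo "$OTHER_PUB"
  echo "from=\"10.0.0.0/8\" $SHARED_PUB"
} > "$demo_file"

revoke_key "$(key_blob "$SHARED_PUB")" "$demo_file"
echo "entries left after revocation: $(count_keys "$demo_file")"   # 1
cat "$demo_file"
```

Run it against each server's ~/.ssh/authorized_keys (or the file named by AuthorizedKeysFile in sshd_config) with the real shared key's blob; only alice's per-user entry should remain.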