2

I am currently undergoing a project of maintaining a server with certain simple services (mail, web) for a group of thirty users. I would like to use pub/private keys but I guess unsure of their use. Would each user have to have their own private and public key? Each user has a different public key and then one private key on the server machine? Or just one public key distributed to each user and one private key? I would really like to make sure I understand and fully learn this important concept! Thank you all!

DuckDuck
  • 21
  • User 68186 raises a good point. How do the users actually use the server? Do they access it remotely somehow? – Fabo.sk Feb 24 '15 at 22:47

3 Answers3

1

Public/Private keys are meant for administrators who manage many servers

Imagine you have installed Ubuntu in various family members' computer, who live in different cities. Periodically they call you to fix their computers. You want to remotely connect to these computers and fix them. This is where you may want to use public/private keys. The public keys will go to your various family members' computers. The private key stays safely with you. You can give the public key to anyone without any security risks. If your uncle's computer gets stolen with your public key, you need not worry about it. Just make another copy of your public key and put it in your uncle's new computer.

This is not the model of operation you have in mind. You have 30 users accessing one server. So each will need a separate pair of public and private keys. That is 30 private and 30 public keys.

Public/Private keys are not for normal mail and web services

Public/private key pairs are used in ssh protocol. I don't think they apply for mail and web services. There is a situation where public/private key pair is used in mail. That is for PGP or GPG encryption, where the receiver of the mail can be sure that it came from the sender. Here imagine you are planning a coup against your president. You want to send encrypted emails to your 30 followers. Most importantly your followers must be 100 percent sure that the email is from you and not from someone else trying to foil your plans. You create your private/public pair of keys and give a copy of the public key to your 30 follower. You encrypt your email using the private key. If your email can be decrypted by your followers using your public key, they will be 100 percent sure it came from you. This has nothing to do with how you or your your followers access the mail server. The encryption/ decryption is done in your/followers' computer.

In conclusion...

Unless you are planning to (1) give the 30 users command line access to the server using ssh protocol, or (2) you want all the users to use end-to-end encrypted emails, the public/private key is not for the situation you described.

If you envision (1) or (2) then each user will need to create their own private / public key pair.

For situation (1) all the 30 public keys will need to be stored in the ssh server that each user will have authorization to connect to.

For situation (2) each user will need to create their own private/public key pair. Then each user will need their own private key and the public keys of all the other 29 users to be able to read encrypted emails from the other users in this group.

Hope this helps

Community
  • 1
user68186
  • 33,360
0
 Would each user have to have their own private and public key?

if you want key based login and if that user need to login to the server then the user should have a public-private key pair of their own.

`Each user has a different public key and then one private key on the server machine?Or just one public key distributed to each user and one private key?`

Each user has his own public-private key pair. The private key is "Private", you must not share the private key with anyone. Whereas the Public key as the name suggests is "Public" and can be shared with as many servers you want.

Lets say you have your account having the same username (this is important) on 10 servers, you just need to create a key-pair. Now your Private key will just stay on your computer and you need to copy the same public key of yours to your home directory of 10 servers. Now when you will be trying to ssh into any of these servers you will be able to login without password. One important point to remember that key-pair is an attribute of username not the user's computer so you can use the private key for the user foo in another computer too (given there is no passphrase to unlock the key) that has the identical username foo to ssh into the servers.

Here is how to set up the key-based authentication.

Community
  • 1
heemayl
  • 91,753
  • It's not true that keys are locked to the username. I routinely use the same key pair for different users, sometimes even on the same system. – Fabo.sk Feb 24 '15 at 22:45
  • @Fabo.sk: You meant you have used the key-pair created by foo, for bar too without any modification? – heemayl Feb 24 '15 at 23:07
  • Yes. I have a key pair, and the same public key is used for (as example) sysadmin@serverA, personal@serverA and appadmin@serverB – Fabo.sk Feb 24 '15 at 23:11
  • Of course that also means the same private key stored on my PC. – Fabo.sk Feb 24 '15 at 23:12
  • @Fabo.sk: Well, the last portion of the public key contains the username, what did you do to that? – heemayl Feb 24 '15 at 23:23
  • Nothing. Well to be honest, I changed it to my full name and email address as is the standard where I work. The part after the closing character '=' is just a comment. – Fabo.sk Feb 24 '15 at 23:25
  • i think what you are doing is using the key-pair to login as whoever on what computer you want..thats is not a good thing to do..you can impersonate anyone anytime.. – heemayl Feb 25 '15 at 00:20
  • Anyway i am gonna put the user **must** have a public-private key pair of their own modified to the user **should** have a public-private key pair of their own. – heemayl Feb 25 '15 at 00:24
  • Uh, I am doing what now? I am definitely not impersonating anyone, I am using my key pair to manage passwordless login to a well defined set of servers as one of a well defined set of users in order to be able to maintain them - as is my job and responsibility to do – Fabo.sk Feb 25 '15 at 00:29
  • @Fabo.sk: I did not meant the way you are doing it..but in your case if the original owner of the pair is sysadmin, then personal and appadmin using the key pair generated by sysadmin..what do you think about that? it it cool/secured that i use your keys? – heemayl Feb 25 '15 at 00:33
  • What? No. I am the owner of the key pair. I keep my private key on my computers and then public keys are stored in respective user profiles in respective servers. – Fabo.sk Feb 25 '15 at 00:39
0

The Ask Ubuntu community wiki page is a great introduction to the topic here

It helps to get your head round it, and shows you the steps to set key based logins. The answer that @heemayl gave sums up how the key pairs are used.

Good luck!

Arronical
  • 19,893