On Mon, Apr 30, 2012 at 9:58 AM, Mike Miller <mbmiller+l at gmail.com> wrote:
> I don't fully understand this, but I think it is a valuable idea that I
> should know more about.  It's one of those things that I've been wanting to
> get into for years but haven't gotten around to, yet.

Absolutely - it's 100% worth your time to figure out.

> One question:  If I have several Linux servers that I regularly log into via
> ssh, almost always from other Linux servers, if I use PKA to log into these
> machines, doesn't that mean that if someone manages to get into one machine,
> he'll be immediately able to get into all of them?  And would he also be
> able to access enough information to connect again from other locations?

Nope - that's the beauty of public key cryptography. When you create a
keypair, ssh-keygen generates a public key and a private key. These
two keys are cryptographically-related. When you generate the keypair,
you can optionally encrypt the private key with a passphrase - I'd
highly recommend you do this. The private key is your identity, and
the key itself should never leave the machine it was generated on, nor
should it be shared with anyone. The reason it's best to encrypt the
private key is that if the key ever falls into the wrong hands, it'll
be relatively useless unless they manage to brute-force your
encryption passphrase. Anyway, the private key stays on your
workstation and only the public key gets put out onto the remote
server. The public key is *completely* public - it is impossible to
derive the private key from the public key, so feel free to email the
public key to people, get it tattooed on your arm, etc. :)

So to answer your question directly, if a remote system is
compromised, the most they can do is get your public key, which they
can't do anything with. An attacker would need to get at your
*private* key to do anything.

> I get your idea -- anyone connecting using the keys wouldn't be able to use
> sudo unless he knew the sudo password.  That's good, but can't that also be
> accomplished by having a sudo password that is different from the user
> password?  (Which is what I was asking about above.)  I have a different
> user password on every machine I log into, and I could easily also have a
> different sudo password, too.

While it's probably possible to do this, I've never actually seen it
used. Anywhere. Implementing PKA and choosing a strong "local"
password on the box is sufficient.

-Erik