On 2018-06-04, jc09...@gmail.com <jc09...@gmail.com> wrote:
> On Saturday, November 21, 2015 at 1:10:09 PM UTC-5, JimR wrote:
>> I'm trying to better understand ssh.
>>
>> User foo on machine bar generates a keypair, and provides the public key
>> to remote user dokes on machine shme. foo connects to dokes account
>> at shme, and everything is happy.
>>
>> Then user foo also has an account on machine baz. He takes the private
>> key he generated on machine bar, and copies it to machine baz. Can he
>> connect to dokes on shme? My limited testing suggests that it works.
>> Is that a universal truth?
Yes.
Note that there are two keys, a machine key pair, and a personal key pair. The
machine keys are to ensure that you actually connect to the machine you claim
to be connecting to. (The public keys of those machines are stored in
your local machine. If you have never connected to it before, it asks if you
are sure that you are connecting to the right machine, and if you assure the
program you are, it stores the other side's public key on your machine, so you
do not have to give that assurance again.) The personal private key is used for
the other side to make sure that it is actually you logging in (your machine
uses the private key to sign a message which the other side decodes to make
sure it is you).
>>
>> Next, foo passes his private key to unrelated user thud on machine
>> grunt. thud installs the private key owned by foo. Can thud now
>> connect to user dokes on machine shme?
Very very stupid move.
>>
>> Next, replace the above ssh keys with PGP keys. Do the same answers apply?
What has PGP to do here? It is not used for connecting to machines. But yes,
your key pair is yours, and if anyone else gets ahold of it, they can read any
mail you have or ever will encrypt with that key pair. Again, a totally stupid
thing to do to let anyone get your private key. Anyone, including your
wife/lover/boss/National Security Agency.
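
An added illustration, not part of the original thread: a simplified Python model of how the server side matches an offered public key against `authorized_keys`, showing that the machine the key is used from never enters the check. The key bytes, helper names and sample file are constructed for this example, and the signature verification step is left out.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def ssh_string(data):
    """Length-prefixed string as used in the SSH wire format."""
    return struct.pack(">I", len(data)) + data

def fingerprint(blob):
    """SHA256 fingerprint in the style ssh-keygen -l prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Return (keytype, blob, comment) tuples; simplified, options must not contain spaces."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens[:-1]):
            if tok in KEY_TYPES:
                blob = base64.b64decode(tokens[i + 1])
                # The key type named inside the blob must match the declared type.
                (n,) = struct.unpack(">I", blob[:4])
                if blob[4:4 + n] == tok.encode():
                    entries.append((tok, blob, " ".join(tokens[i + 2:])))
                break
    return entries

def is_authorized(offered_blob, text):
    """The match is on the key blob only; the trailing comment (foo@bar) is ignored."""
    return any(blob == offered_blob for _, blob, _ in parse_authorized_keys(text))

# Constructed sample data: placeholder bytes standing in for real public keys.
FOO_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
OTHER_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
AUTHORIZED_KEYS = (
    "# authorized_keys of dokes on shme (constructed)\n"
    "ssh-ed25519 " + base64.b64encode(FOO_KEY).decode() + " foo@bar\n"
)

if __name__ == "__main__":
    print("fingerprint on file:", fingerprint(parse_authorized_keys(AUTHORIZED_KEYS)[0][1]))
    # Whoever holds foo's private key offers the same public blob, from any machine.
    for client in ("bar", "baz", "grunt"):
        print(client, "accepted:", is_authorized(FOO_KEY, AUTHORIZED_KEYS))
    print("unrelated key accepted:", is_authorized(OTHER_KEY, AUTHORIZED_KEYS))
```
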