ssh-copy-id

Karl Auer kauer at biplane.com.au
Wed Dec 28 07:36:43 UTC 2016


On Wed, 2016-12-28 at 06:38 +0000, thufir wrote:
> reading the fine manual:
> The key you need to transfer to the host is the public one.
> the "host" refers to the remote?

Yes.

> I thought I read to copy the private key...?

No. There is a reason it's called the "private" key.

You don't give it to anyone, ever. You protect it with a good
passphrase.

If you back it up, you back it up only after encrypting it again (i.e.,
packaging it in another layer of encryption, for example "gpg -c
my_private_key_file") and using a different (long, strong)
key/passphrase.

If you lose it or it gets compromised - or even if you just suspect it
may have been compromised - you cut a new key as soon as you can and
distribute the new public key.

Maybe you read that you have to copy the private key to each system you
will be connecting *from*. That may be, but the waters are murky as to
whether that is a good idea.

Some would say don't do that - have different keys for everything. Some
would go further and say have different passphrases for all your
different keys as well. Others say that some level of convenience is
essential, because a forgotten/lost passphrase is just as bad as a lost
key, so passphrases have to be stored, and stored securely, and it all
gets recursively/fractally complicated.

Use your judgement. The main thing is long, strong passphrases.

My own judgement: I have a very long and irritatingly inconvenient
passphrase, and I use it on several different keys. I change it at
irregular intervals. Any passphrase that I don't wish was shorter every
time I use it, I replace with a longer one :-)

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
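
An added example, not part of the message above and not code from OpenSSH: a shell check that tells a public key from a private one, and a passphrase-protected private key from an unprotected one, before a file is copied anywhere. The function names and sample files are hypothetical, and the sample key bodies are constructed and not usable keys.

```shell
#!/bin/sh
# Added example. Assumes a base64 that accepts -d (GNU coreutils).

# key_kind FILE prints: public | private-encrypted | private-unencrypted | unknown
key_kind() {
    first=$(head -n 1 "$1" 2>/dev/null) || { echo unknown; return; }
    case $first in
    ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *|sk-*\ *)
        echo public ;;
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # Body is base64 of "openssh-key-v1\0", a 4-byte length, then the
        # cipher name, which is "none" when no passphrase protects the key.
        cipher=$(sed '1d;$d' "$1" | tr -d '\n' | base64 -d 2>/dev/null |
                 dd bs=1 skip=19 count=4 2>/dev/null)
        if [ "$cipher" = none ]; then echo private-unencrypted
        else echo private-encrypted; fi ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----")
        echo private-encrypted ;;
    "-----BEGIN "*"PRIVATE KEY-----")
        # Legacy PEM marks passphrase protection with a Proc-Type header.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo private-encrypted
        else echo private-unencrypted; fi ;;
    *)
        echo unknown ;;
    esac
}

# ok_to_send FILE succeeds only for a public key, the one file that goes
# to the remote host.
ok_to_send() {
    [ "$(key_kind "$1")" = public ]
}

# write_samples DIR writes constructed, non-functional sample files.
write_samples() {
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleNotARealKey user@example' > "$1/id.pub"
    { printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\004none' | base64
      printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'; } > "$1/id_plain"
    { printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\012aes256-ctr' | base64
      printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'; } > "$1/id_protected"
}
```

A file reported as private-unencrypted is the case the advice above about a good passphrase is meant to prevent.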