Isn't it dangerous to use SSH keys to login to an unknown/compromised server?
Say I provide someone with my public SSH key, the id_rsa.pub and he/she installs it on a server that is compromised, and I am asked to login.
Does the login process involve sending my private key to the compromised server?
If yes, then the attacker now has access to my private SSH key, and that is scary.
If no, then why do I see this line in ssh -vvv output:
debug1: Server accepts key: pkalg ssh-rsa blen 277
This implies that the private key was sent to the server, and it accepted it.
Am I misunderstanding the problem?
NO, your private key is NEVER "sent" or transmitted anywhere.
Public-key cryptography is not like traditional username/password authentication.
Your public key is just that -- public. It is perfectly safe to share it. Sending your public key to someone may give away your identity (people can know that it's from you because it's a unique number), but it can never allow someone else to impersonate you or authenticate as you. You might as well post your public key on SuperUser or on your webpage over regular HTTP; it's perfectly safe, and perfectly useless if someone doesn't have your private key.
Your private key is just that -- private. It only resides on systems you own and trust (hopefully), and should always be encrypted with an unlock password for maximum safety, in case someone gains physical access to the system it's stored on. The private key is never transmitted by any properly-implemented security program that is behaving according to the rules of public-key cryptography. That is, unless you have a program on your local system that is compromised and is capable of reading your private key (and the private key is not encrypted by a password), your private key is safe, always.
Messages are signed with the private key, on your computer, before they're sent to the remote server. So, rather than sending the private key to the remote server, you are sending a message that was encrypted with the private key. But these two things are not the same: you can't derive the private key from the signed message; that's part of the point of public key cryptography.
In short, even if a hostile attacker obtains your public key and obtains messages signed by your private key, they still will be unable to obtain your actual private key, and thus, they cannot impersonate your credentials or use your private key to authenticate "as you".
You are misunderstanding the process.
The key is not sent, rather a "challenge" is constructed by encrypting something with the public key that can only be decrypted with the matching private key.
If you do get asked for your password, or you do X forwarding to a compromised server, then there is a potential security risk.
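To make the flow that both answers describe concrete, here is an added example (not code from the original post, from OpenSSH, or from any SSH library) that models SSH public-key userauth in Go with the standard library's Ed25519. It follows the two-message shape of RFC 4252: the client first offers only its public key (the step that prints "Server accepts key"), then signs session-bound data locally and sends only the signature; the server verifies with the public key it already holds. The message layout, the Transcript type and the function names are constructed simplifications, not the real wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server side: holds only public keys (the analogue of ~/.ssh/authorized_keys)
// and the per-connection session ID agreed during key exchange.
type Server struct {
	authorized []ed25519.PublicKey
	sessionID  []byte
}

// Client side: the private key lives here and nowhere else.
type Client struct {
	priv ed25519.PrivateKey
}

// Transcript records every byte the client sends, so we can check afterwards
// that the private key never appears on the wire. (Constructed helper.)
type Transcript struct {
	sent [][]byte
}

func (t *Transcript) Send(b []byte) { t.sent = append(t.sent, append([]byte(nil), b...)) }

func (t *Transcript) Contains(needle []byte) bool {
	for _, m := range t.sent {
		if bytes.Contains(m, needle) {
			return true
		}
	}
	return false
}

func NewClient() (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv}, nil
}

func (c *Client) PublicKey() ed25519.PublicKey {
	return c.priv.Public().(ed25519.PublicKey)
}

func NewServer(authorized ...ed25519.PublicKey) (*Server, error) {
	sid := make([]byte, 32) // stands in for the session ID derived from key exchange
	if _, err := rand.Read(sid); err != nil {
		return nil, err
	}
	return &Server{authorized: authorized, sessionID: sid}, nil
}

// authMessage is the data that gets signed. Binding it to the session ID, the
// user name and the key means a captured signature is useless elsewhere.
func authMessage(sessionID []byte, user string, pub ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write(sessionID)
	h.Write([]byte(user))
	h.Write(pub)
	return h.Sum(nil)
}

// Step 1 (the "Server accepts key" line): the client offers only its public
// key and asks whether the server would accept it. No signature, no secret.
func (s *Server) AcceptsKey(pub ed25519.PublicKey) bool {
	for _, k := range s.authorized {
		if bytes.Equal(k, pub) {
			return true
		}
	}
	return false
}

// Step 2: the client signs the session-bound message locally. The signature
// is derived from the private key but does not reveal it.
func (c *Client) Sign(sessionID []byte, user string) []byte {
	return ed25519.Sign(c.priv, authMessage(sessionID, user, c.PublicKey()))
}

// Step 3: the server verifies using nothing but the public key.
func (s *Server) Verify(user string, pub ed25519.PublicKey, sig []byte) bool {
	return s.AcceptsKey(pub) && ed25519.Verify(pub, authMessage(s.sessionID, user, pub), sig)
}

// Authenticate runs the whole exchange, recording everything the client sends.
func Authenticate(c *Client, s *Server, user string, t *Transcript) bool {
	pub := c.PublicKey()
	t.Send(pub) // query carries the public key only
	if !s.AcceptsKey(pub) {
		return false
	}
	sig := c.Sign(s.sessionID, user) // signing happens on the client
	t.Send(sig)                       // only the signature crosses the wire
	return s.Verify(user, pub, sig)
}

func main() {
	client, _ := NewClient()
	server, _ := NewServer(client.PublicKey())
	var t Transcript
	fmt.Println("authenticated:", Authenticate(client, server, "alice", &t))
	fmt.Println("private key seen on the wire:", t.Contains(client.priv.Seed()))
}
```

Run it and the transcript check comes back false: a compromised server that logs every received byte ends up with your public key and one signature, neither of which lets it sign anything on your behalf. Because the signed data includes the session ID, the same signature also fails against a second server, which is the property that stops a hostile host from replaying your login elsewhere.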