Publishing id_rsa.pub for easier setup of new environments?

RSA is specifically designed to allow you to share that public key, so yes, you can publish it. This is pretty similar to how x.509 (and SSL) with RSA certificates works.

Before publishing the file, actually look at it; the only things that need to be in there are the keyword "ssh-rsa" and the base64-encoded key. You may want to keep it to that (I believe this is the default now).

This is true whether or not the key has a passphrase. A passphrase encrypts the private key and does not affect the public key.

Ensure, as always, that your key is sufficiently entropic and large. If it is generated by a broken PRNG it might be predictable. However, publishing this doesn't present much additional risk, since if the keyspace is that small an attacker could simply try with all the keys in the enumerated keyspace until they get the right one.

I suggest using a 4096-bit key (specify -b 4096), so that it will be more difficult than usual (the default is 2048) for someone to invert your public key into a private one. That is the only significant risk in doing this, and it isn't a very big one since the algorithm is specifically designed to make it impractical.
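As an added example (not part of this answer), here is a small Python parser for the `id_rsa.pub` line format, so you can check what the file actually contains before publishing it: it decodes the base64 blob, confirms the declared key type matches the encoded one, reports the RSA modulus size (so you can see whether you got 2048 or 4096 bits), and strips the trailing comment so that only `ssh-rsa <base64>` remains. The sample keys are constructed in code from made-up integers and are not real RSA keys; `build_rsa_pubkey_line` exists only to produce test input.

```python
import base64
import struct

# Added example: parse an OpenSSH public-key line (id_rsa.pub), report the key
# type and RSA modulus size, and strip the comment. Sample keys below are
# constructed stand-ins, not real keys.


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # leading zero keeps the two's-complement value positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_pubkey_line(e: int, n: int, comment: str = "") -> str:
    """Assemble an id_rsa.pub-style line from (e, n). Constructed test data:
    n is not a real RSA modulus; only the wire layout matters here."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def _read_string(blob: bytes, offset: int):
    """Read one length-prefixed field; reject blobs that are cut short."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def inspect_pubkey_line(line: str) -> dict:
    """Return {'type', 'bits', 'comment'}; bits is the RSA modulus length,
    or None for key types this example does not decode further."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode("ascii", "replace") != declared_type:
        raise ValueError("declared key type does not match the encoded blob")
    bits = None
    if declared_type == "ssh-rsa":
        _e, off = _read_string(blob, off)       # public exponent (unused here)
        n_bytes, off = _read_string(blob, off)  # modulus
        if off != len(blob):
            raise ValueError("unexpected trailing data in key blob")
        bits = int.from_bytes(n_bytes, "big").bit_length()
    return {"type": declared_type, "bits": bits, "comment": comment}


def sanitize_pubkey_line(line: str) -> str:
    """Keep only '<type> <base64>': the comment (usually user@host) is the one
    part of id_rsa.pub that says something about you, and nothing needs it."""
    inspect_pubkey_line(line)  # validate the structure before publishing
    fields = line.strip().split(None, 2)
    return f"{fields[0]} {fields[1]}"


if __name__ == "__main__":
    # Constructed 4096-bit stand-in modulus with a user@host comment.
    sample = build_rsa_pubkey_line(65537, (1 << 4095) | 1, "alice@laptop")
    print(inspect_pubkey_line(sample))
    print(sanitize_pubkey_line(sample))
```

Run it against your real file with `inspect_pubkey_line(open("~/.ssh/id_rsa.pub").read())` (expanding the path first); a `bits` value of 2048 means the key was generated with the default size rather than `-b 4096`.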


It already is. :) Just put ".keys" on the end of your Github profile URL, like so:

https://github.com/tjmcewan.keys


While as a rule I don't recommend putting your own specific configuration in public project repositories (assuming the repo is for everyone and your configuration is for you alone, it's just a little rude), the security implications are minimal.

The only reasonable attack vector is somehow using that public key to identify you in some malicious context. What that could be is beyond me, but the public key does uniquely identify the private key, though it doesn't give any hints as to its origin.

There's a corner case attack vector which probably doesn't apply, but if you'll recall the fiasco with Debian accidentally breaking the openssl PRNG, any ssh key generated on an affected system is easily predictable and can be identified by its public key. So in that case, publishing the public key could land you in trouble. Or more appropriately, using that key for anything could land you in trouble.
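As an added example (not part of this answer), the following Python shows how a public key "can be identified": it computes the two fingerprint forms that `ssh-keygen -l` prints (SHA256, and the legacy colon-separated MD5) over the decoded key blob, and checks them against a set of known-bad fingerprints, which is how the Debian weak-key blacklists were applied. The keys and the one-entry blacklist are constructed stand-ins built in the code, not real keys or real blacklist entries.

```python
import base64
import hashlib

# Added example: OpenSSH-style fingerprints of a public key and a lookup
# against a known-compromised-key list. Keys and blacklist are constructed.


def key_blob(pubkey_line: str) -> bytes:
    """Base64-decode the second field of '<type> <base64> [comment]'."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    return base64.b64decode(fields[1], validate=True)


def fingerprint_sha256(pubkey_line: str) -> str:
    """'SHA256:' + unpadded base64 of SHA-256(blob), as shown by ssh-keygen -l."""
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(pubkey_line: str) -> str:
    """'MD5:' + colon-separated hex of MD5(blob), the ssh-keygen -E md5 form."""
    hexdigest = hashlib.md5(key_blob(pubkey_line)).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def is_blacklisted(pubkey_line: str, blacklist: set) -> bool:
    """True if either fingerprint form of the key appears in the blacklist."""
    return (fingerprint_sha256(pubkey_line) in blacklist
            or fingerprint_md5(pubkey_line) in blacklist)


def _constructed_key_line(seed: bytes) -> str:
    """Build a syntactically plausible ssh-rsa line from arbitrary bytes.
    Only the blob bytes matter for fingerprinting; this is not a usable key."""
    blob = (b"\x00\x00\x00\x07ssh-rsa"            # key type string
            + b"\x00\x00\x00\x03\x01\x00\x01"     # e = 65537 as an mpint
            + len(seed).to_bytes(4, "big") + seed)  # fake "modulus" field
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


WEAK_KEY = _constructed_key_line(b"\x01" * 32)  # stands in for a PRNG-weak key
GOOD_KEY = _constructed_key_line(b"\x02" * 32)
KNOWN_WEAK = {fingerprint_sha256(WEAK_KEY)}     # constructed one-entry blacklist

if __name__ == "__main__":
    for name, line in ("weak", WEAK_KEY), ("good", GOOD_KEY):
        print(name, fingerprint_sha256(line), fingerprint_md5(line),
              "BLACKLISTED" if is_blacklisted(line, KNOWN_WEAK) else "ok")
```

The same check works on an `authorized_keys` file line by line, which is the useful direction for a defender: a key that has been published and later turns up on a weak-key list should be removed from every server it was installed on, not just taken off the web page.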


Yes, you can publish your SSH pubkey. And you can publish a fingerprint of the server using the SSHFP record in DNS! This could be really handy, for example, if you need to update / change a server's SSH key.
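As an added example (not part of this answer), here is Python that builds the SSHFP record for a host key and verifies a presented host key against records fetched from DNS, which is the rotation case mentioned above: publish the new record, then clients can check the changed key against DNS. The RDATA layout follows RFC 4255 and RFC 6594 (algorithm number, fingerprint type, hex digest of the key blob); the host keys are constructed byte strings, not real keys, and the record list stands in for a real DNS lookup.

```python
import base64
import hashlib

# Added example: generate and verify SSHFP DNS records. Host keys here are
# constructed stand-ins; `records` would come from a DNS query in practice.

# SSHFP algorithm numbers (RFC 4255 / RFC 6594 / RFC 7479) by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}
FPTYPE_NAME = {v: k for k, v in SSHFP_FPTYPE.items()}


def sshfp_rdata(pubkey_line: str, fptype: str = "sha256"):
    """Return (algorithm, fptype, hexdigest) for a host public-key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if key_type not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    digest = hashlib.new(fptype, blob).hexdigest()  # hash covers the raw blob
    return SSHFP_ALGORITHM[key_type], SSHFP_FPTYPE[fptype], digest


def sshfp_record(hostname: str, pubkey_line: str, fptype: str = "sha256") -> str:
    """Zone-file presentation, the same shape ssh-keygen -r prints."""
    alg, fpt, digest = sshfp_rdata(pubkey_line, fptype)
    return f"{hostname}. IN SSHFP {alg} {fpt} {digest}"


def hostkey_matches_sshfp(pubkey_line: str, records) -> bool:
    """True if any (alg, fptype, hexdigest) record matches the presented key.
    Unknown fingerprint types are skipped rather than treated as a match."""
    for alg, fpt, digest in records:
        name = FPTYPE_NAME.get(fpt)
        if name is None:
            continue
        if sshfp_rdata(pubkey_line, name) == (alg, fpt, digest.lower()):
            return True
    return False


def _constructed_ed25519_line(key_bytes: bytes) -> str:
    """Wire blob: string 'ssh-ed25519' + string of 32 key bytes (constructed)."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + key_bytes
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


OLD_HOST_KEY = _constructed_ed25519_line(bytes(range(32)))       # constructed
NEW_HOST_KEY = _constructed_ed25519_line(bytes(range(32, 64)))   # after rotation

if __name__ == "__main__":
    print(sshfp_record("host.example", OLD_HOST_KEY))
    print(sshfp_record("host.example", NEW_HOST_KEY))
    published = [sshfp_rdata(NEW_HOST_KEY)]  # what DNS serves after the update
    print("new key accepted:", hostkey_matches_sshfp(NEW_HOST_KEY, published))
    print("old key accepted:", hostkey_matches_sshfp(OLD_HOST_KEY, published))
```

Note that a client only gains anything from this when the DNS answer is DNSSEC-validated; without that, an SSHFP record is just another unauthenticated statement about the key.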