What can someone do with your SSH Private Key? [closed]

What exactly can someone do with my Private Key after they used my laptop to create a SSH Public Key?

After reading a few websites, it looks like they can access a server pretending they are me when using their own computer.

Is this right? Can they do anything else? Anything about my own laptop?

Also, is it possible for me to change my laptop's private key, or do I have to accept the fact someone else will have my Private Key forever?

Thank you and I look forward to hearing your replies!


Solution 1:

Being able to produce the private key corresponding to a public one is what identifies you to a system.

An SSH private key can and should be protected by a good passphrase. Crassly, the strength of this passphrase is what decides how much time you have from the moment someone gets a hold of your private key until you can expect that any system where you haven’t yet revoked your public key may be compromised.

Revoking your key from a system is done by removing it; usually from your ~/.ssh/authorized_keys file in a smaller deployment. It’s probably not a bad idea to have a ready-made automation script that does this to all computers accessible with a particular keypair. In larger deployments you may have a key management system that allows for such operations in a centralized way.

Solution 2:

What exactly can someone do with my Private Key after they used my laptop to create a SSH Public Key?

Nothing.

If that is the only thing they did while using your laptop, nothing. Simply creating a keypair does not automatically grant any access, to either the laptop itself or any other system.

You need to explicitly configure remote systems (including your laptop) to accept that specific private key for authentication (typically by adding the associated public key to an ~/.ssh/authorized_keys file) before that private key will grant access and becomes useful.

Adding your public key typically requires password-based access to the account first (and potentially additional dual/multi-factor authentication methods).

  • Simply delete that key pair (to prevent you from starting to use it)
  • Potentially they could have added that public key to the ~/.ssh/authorized_keys file on your laptop (that is one place somebody using your laptop could have added the public key they created without knowing your password). Check and empty that file.
  • Generate a new SSH key pair when you want to start key based authentication.

Note: When somebody gets a copy of a private key you've been actively using that becomes a different scenario...
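Worked example, added here and not part of either answer above: a small POSIX shell script that does the two housekeeping jobs both answers describe, auditing an `authorized_keys` file to see which public keys it actually grants access to (Solution 2's "check and empty that file"), and removing one specific public key from such a file, locally or across a list of hosts (Solution 1's "ready-made automation script"). The function names, the hosts-file format (one `user@host` per line) and the sample key lines in the demo are all my own constructions; the key blobs are fake placeholders, not real keys. `revoke_key_on_hosts` assumes you still have some other way to log in to each host (a different key or a password), since it removes the key it is given.

```shell
#!/bin/sh
# Example code added to this Q&A page; not from the original answers.
# Audit and revoke entries in OpenSSH authorized_keys files.

# Print the base64 key blob of a public-key line (the field after the key type).
# Handles lines with leading options such as command="..." or from="...".
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); exit }
    }'
}

# List "keytype comment" for every key in an authorized_keys file, skipping
# blank and comment lines, so you can spot entries you did not add yourself.
audit_authorized_keys() {
    file="$1"
    [ -f "$file" ] || return 0
    awk '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    comment = ""
                    for (j = i + 2; j <= NF; j++) comment = comment $j " "
                    sub(/ $/, "", comment)
                    if (comment == "") comment = "(no comment)"
                    print $i, comment
                    break
                }
            }
        }' "$file"
}

# Remove every line whose key blob matches the given public key, regardless
# of comment or options. $1 = authorized_keys path, $2 = public key line.
# Prints the number of lines removed.
revoke_key_from_file() {
    file="$1"
    blob=$(key_blob "$2")
    [ -n "$blob" ] || { echo "could not parse public key" >&2; return 1; }
    [ -f "$file" ] || { echo 0; return 0; }
    before=$(wc -l < "$file")
    tmp="$file.tmp.$$"
    # -F: match the blob as a fixed string; -v: keep only non-matching lines.
    # grep exits 1 when nothing is kept, which is fine (file becomes empty).
    grep -F -v -- "$blob" "$file" > "$tmp" || true
    chmod 600 "$tmp"
    mv "$tmp" "$file"
    after=$(wc -l < "$file")
    echo $((before - after))
}

# Run the same filter on every host in a hosts file (one user@host per line).
# Hypothetical helper: assumes the remote account has grep/mv and that you
# can still authenticate there by another key or a password.
revoke_key_on_hosts() {
    hosts_file="$1"
    blob=$(key_blob "$2")
    [ -n "$blob" ] || { echo "could not parse public key" >&2; return 1; }
    while read -r host; do
        [ -n "$host" ] || continue
        ssh "$host" "grep -F -v -- '$blob' ~/.ssh/authorized_keys > ~/.ssh/authorized_keys.new || true; \
            chmod 600 ~/.ssh/authorized_keys.new; \
            mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys" \
            && echo "revoked on $host" || echo "FAILED on $host" >&2
    done < "$hosts_file"
}

# Demo on a constructed authorized_keys file in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYONEALICE alice@laptop' \
        '# constructed sample file, blobs are placeholders' \
        'command="/usr/bin/uptime" ssh-rsa AAAAB3NzaC1yc2EFAKEKEYTWOBOB bob@desktop' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYONEALICE alice@laptop-copy' \
        > "$d/authorized_keys"
    echo "before:"; audit_authorized_keys "$d/authorized_keys"
    n=$(revoke_key_from_file "$d/authorized_keys" \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYONEALICE alice@laptop')
    echo "removed $n line(s)"
    echo "after:"; audit_authorized_keys "$d/authorized_keys"
    rm -rf "$d"
}

demo
```

Matching on the key blob rather than the whole line matters: the same public key can appear more than once with different comments or options, and all of those copies grant access. After revoking, generate the replacement pair with a passphrase and a slow KDF, for example `ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519`, which is what gives you the time window Solution 1 talks about if a copy ever leaks.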