Thank you so much for the detailed explanation. I have a few queries, kindly reply.
a) Where does the generation of the private/public key happen? Because I believe the private/public key are generated by only 1 source? Or am I missing something here?
b) How would server B know the secret key? Or do you mean both server A and server B will store a common secret key?
These keys are generated just once and stored on each server. (Public key on Server A and Private key on Server B). To generate them you can use the ssh-keygen tool on Linux or even an online generator.
It should be hardcoded on both servers. Like $secret_key = 'sdfsdfwessf'; at the beginning of the file.
These keys are generated just once and stored on each server. (Public key on Server A and Private key on Server B). To generate them you can use the ssh-keygen tool on Linux or even an online generator.
Wouldn't it be safe to generate the public/private key on every request? That way if a public key is leaked somehow, it cannot be reused.
It should be hardcoded on both servers. Like $secret_key = 'sdfsdfwessf'; at the beginning of the file.
Is hardcoding the right approach? Shouldn't dynamic secret keys be safer?
You can't generate them separately. They must be generated as a pair.
I don't think so. If someone gets your source code where the secret key is stored, that means he can also see the algorithm of dynamic generation. So it doesn't matter how this key is produced (statically or dynamically). You just should make it safe. Another problem with dynamic generation is how to sync the resulting key between two servers.
Again, if someone hacks your server then he'll see how you generate those pairs.
And no matter what, he'll actually do one of two things - just copy the existing key or use your algorithm to generate a new one.
This is a question of server security.
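Added example (PHP, not from this thread or either poster): one way Server A and Server B can use a single shared secret that is read from a file outside the source tree instead of a literal in the script. The file path and the HMAC-over-request scheme are assumptions, since the thread does not say what the secret is used for.

```php
<?php
// Assumed location: outside the web root, readable only by the web server user.
// Both servers hold the same value, so nothing has to be synced per request.
const SECRET_PATH = '/etc/myapp/shared_secret';

function loadSecret(string $path = SECRET_PATH): string
{
    $secret = @file_get_contents($path);
    if ($secret === false || strlen(trim($secret)) < 32) {
        throw new RuntimeException('shared secret missing or too short');
    }
    return trim($secret);
}

// Server A: sign the body together with a timestamp so a captured
// request is only accepted within a short window.
function signRequest(string $body, int $timestamp, string $secret): string
{
    return hash_hmac('sha256', $timestamp . "\n" . $body, $secret);
}

// Server B: recompute the signature with the same secret, reject stale
// timestamps, and compare in constant time.
function verifyRequest(string $body, int $timestamp, string $signature,
                       string $secret, int $maxSkew = 300): bool
{
    if (abs(time() - $timestamp) > $maxSkew) {
        return false;
    }
    $expected = signRequest($body, $timestamp, $secret);
    return hash_equals($expected, $signature);
}

// Constructed demo secret so the script runs stand-alone; in deployment both
// servers would call loadSecret() and read the same file.
$secret = bin2hex(random_bytes(32));
$body   = json_encode(['order_id' => 42]);
$ts     = time();

// Server A sends $ts and $sig alongside $body (for example as headers).
$sig = signRequest($body, $ts, $secret);

// Server B checks the untouched request, a tampered body, and a stale timestamp.
echo verifyRequest($body, $ts, $sig, $secret) ? "ok\n" : "rejected\n";
echo verifyRequest($body . 'x', $ts, $sig, $secret) ? "ok\n" : "rejected\n";
echo verifyRequest($body, $ts - 3600, signRequest($body, $ts - 3600, $secret), $secret)
    ? "ok\n" : "rejected\n";
```

Whoever reads the source still sees how the signature is computed, which is the point made above; what they do not get from the source alone is the secret itself.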