
I just recently started to use Google Cloud Platform and I'm using SSH for several purposes. As security is highly important in this project, I'm trying to figure out how the SSH authentication works (specifically with GCP). I'm following Google's instructions on how to generate and upload the RSA key to the instance in the cloud:

  1. I'm generating a public/private key pair using PuTTYgen
  2. I'm uploading the public key to the instance
  3. The SSH connection is opened by loading the private key file in the client.

My confusion comes from the fact that I was sure that the server uses its private key for the key exchange but what is uploaded actually is the generated public key.

Can anyone please share his/her knowledge or a link to an article explaining how the key exchange works?

1 Answer


If you google your question, you will find an explanation in the first few links. As an example, here:

The private key must be known only by you.

The private key is retained by the client and should be kept absolutely secret.

The public key you put on all devices where you need to authenticate.

The associated public key can be shared freely without any negative consequences.

And they also offer a brief explanation on how the authentication works.

When a client attempts to authenticate using SSH keys, the server can test the client on whether they are in possession of the private key. If the client can prove that it owns the private key, a shell session is spawned or the requested command is executed.

Edit:

It seems that there is another key pair created during SSH negotiation by the Diffie-Hellman algorithm, which is actually used to encrypt the traffic. Read this thread for a more complete explanation.

Some more explanations here
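To make the two separate mechanisms in the answer concrete, here is an added example (not code from the post or from Google's documentation) in Go using only the standard library: an ephemeral X25519 exchange stands in for SSH's Diffie-Hellman step, and an Ed25519 signature stands in for the "publickey" authentication step (the question uses RSA; the principle is the same). The function names are mine, and the session id is simplified to a hash of the shared secret rather than SSH's full exchange hash.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Step 1: ephemeral Diffie-Hellman (X25519 here). Each side sends only the
// public half of a fresh pair; both derive the same secret. No long-term key is used.
func KeyExchange() (clientSecret, serverSecret []byte, err error) {
	curve := ecdh.X25519()
	cEph, err := curve.GenerateKey(rand.Reader) // client's ephemeral pair
	if err != nil {
		return nil, nil, err
	}
	sEph, err := curve.GenerateKey(rand.Reader) // server's ephemeral pair
	if err != nil {
		return nil, nil, err
	}
	if clientSecret, err = cEph.ECDH(sEph.PublicKey()); err != nil {
		return nil, nil, err
	}
	serverSecret, err = sEph.ECDH(cEph.PublicKey())
	return clientSecret, serverSecret, err
}

// Step 2: "publickey" user authentication. The client signs a value bound to this
// session; the server verifies against the uploaded public keys and never sees the private key.
func Authenticate(authorized []ed25519.PublicKey, clientPriv ed25519.PrivateKey, sessionID []byte) bool {
	sig := ed25519.Sign(clientPriv, sessionID) // client side
	for _, pub := range authorized {           // server side
		if ed25519.Verify(pub, sessionID, sig) {
			return true
		}
	}
	return false
}

// Connect runs both steps and reports whether the two shared secrets agree
// and whether the client's key was accepted.
func Connect(authorized []ed25519.PublicKey, clientPriv ed25519.PrivateKey) (secretsMatch, authOK bool, err error) {
	cs, ss, err := KeyExchange()
	if err != nil {
		return false, false, err
	}
	secretsMatch = string(cs) == string(ss)
	h := sha256.Sum256(cs) // stand-in for the SSH exchange hash H (the session id)
	authOK = Authenticate(authorized, clientPriv, h[:])
	return secretsMatch, authOK, nil
}
```

A client whose key is not in the authorized list still completes the key exchange (the secrets match) but fails authentication, which is exactly the split the question is asking about.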

  • Thank you, but I already read Google's documentation. I'm looking for a more detailed description of the key exchange. I know SSH uses Diffie-Hellman for key exchange, but the "dry" protocol defines that the server holds the private key. The question is whether it's the same Diffie-Hellman, only with the private key held by the client (just semantics...right?), or whether there is a different key exchange protocol.
    – Lior Ohana
    Commented Nov 9, 2015 at 11:55
