Server admin sent me a private key to use. Why?
In my mind now what would happen is I would send them my public key which could be placed inside their authorized keys folder.
What's "in your mind" as what should now happen is correct.
Email is not a secure channel of communication, so from a standpoint of proper security, you (and they) should consider that private key compromised.
Depending on your technical skill and how diplomatic you want to be, you could do several different things. I would recommend one of the following:
Generate your own key pair and attach the public key to an email you send to them, saying:
Thanks! Since email isn't a secure distribution method for private keys, could you please put my public key in place, instead? It's attached.
Thank them and ask them if they object to you installing your own keypair, since the private key they have sent should be considered compromised after having been sent over email.
Generate your own keypair, use the key they sent you to log in the first time, and use that access to edit the
authorized_keys
file to contain the new public key (and remove the public key corresponding to the compromised private key.)
Bottom line: You won't look like an idiot. But, the other admin could be made to look like an idiot very easily. Good diplomacy could avoid that.
Edit in response to comments from MontyHarder:
Neither of my suggested courses of action involves "fixing things without telling the other admin what he did wrong"; I just did so subtly without throwing him under the bus.
However, I will add that I would also follow up (politely) if the subtle clues weren't picked up:
Hello, I saw you didn't respond to my comment about email as an insecure channel. I do want to be confident that this won't happen again:
Do you understand why I'm making this point about the secure handling of private keys?
Best,
Toby
Should I just ignore the key he sent me and ask them to put my public key inside their authorized folder?
Yes, that's exactly what you should do. The whole point with private keys is that they are private, meaning only you have your private key. Since you received that key from the admin, he also has it. So he can impersonate you any time he wants.
Whether the key was sent to you via a secure channel or not is irrelevant: even if you have received your private key in person, that wouldn't change anything. Though I agree with the comments that e-mailing sensitive cryptography keys is the cherry on the cake: your admin doesn't even pretend there's some kind of security policy in place.
To me it looks like the admin generated a private/public key pair for you, added the public key to the authorized_keys and send you the private one. This way you only have to use this private key for your ssh sessions with the server. No need to generate a key-pair yourself or to send the admin a public key to your possibly corrupted (always think worst case :P) private key.
However, I would not trust the private key sent to you via unencrypted mail.
My approach would be: use the private key to log in once, add your own public key to the authorized_keys on the server (replacing the original public key) and throw away this email-private-key. You may then thank the admin, that he/she/it provided you with the private key but you would prefer such information/keys not to be send via email (/at all).