A conceptual question. I've always assumed SSH keys to be identity markers (hence I, ngoonee, would have an SSH private key and public key which verifies that I'm who I say I am on the Internet).
As I add more machines to my network, though, I've been using the same SSH keys on all of them. Even some smartphone apps I'm using now use SSH keys to authenticate. Which got me thinking: are SSH keys supposed to be machine-specific, user-specific, or specific to a single combo of both (hence users A and B on machines 1 and 2 would have 4 combinations, i.e. 4 keys)?
I know there's probably not a 'right' answer to this (is there?), but it's been bugging me. Anyone?
Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matter's attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
I use multiple keys; it is easy enough to manage them using keyring, and it means that I am able to compartmentalize them according to use case: work (which I obviously have a professional interest as well as personal in protecting), home (one for each box), and then keys for specific tasks (e.g., automated backups, access to particular services like github, mercurial etc).
This means that if one key is compromised, the others are unaffected and I can revoke the compromised key and, after cleaning up the mess as best I can, generate another and move on.
The only system I employ is to give each key a meaningful name (having multiple keys named id_{d,r}sa doesn't scale at all) and a policy of only adding the minimum necessary keys to each box's keyring; again, entering all the passphrases with any frequency helps manage this tendency.
I am also very careful about the key on my Android as I see this as the most obvious risk: losing your phone is a pain; losing your phone and potentially relinquishing the key on it would be catastrophically asinine...
I use multiple keys; it is easy enough to manage them using keyring...
Are you referring to keychain, the wrapper around ssh-agent and gpg-agent?
jasonwryan wrote: I use multiple keys; it is easy enough to manage them using keyring...
Are you referring to keychain, the wrapper around ssh-agent and gpg-agent?
Yes: end of the day brain fade...
Each user account on each machine has an ssh private key; whenever you want to ssh from that account to any other account (usually on a different machine), you put that user's public key in the destination account's authorized_keys file.
Last edited by /dev/zero (2014-02-25 08:08:49)
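An added example (not code from the thread or from any poster) putting together the two points made above: jasonwryan's one-key-per-purpose layout with meaningful names, and /dev/zero's authorized_keys placement. It pins each named key to its host in ssh_config and audits an authorized_keys file so that task keys (backups, hooks) are restricted to their job. Host names, users, key paths, the "auto:" comment convention and the sample authorized_keys lines are all constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Host names, users, key paths and the
# sample authorized_keys content are constructed placeholders.

# Emit one ssh_config stanza that pins a single named key to a host.
# "IdentitiesOnly yes" keeps ssh from offering every key in the agent to
# every server, which reveals which keys you hold and can exhaust the
# server's MaxAuthTries once you carry more than a handful of keys.
pin_key() {   # alias, hostname, user, key file
  printf 'Host %s\n    HostName %s\n    User %s\n' "$1" "$2" "$3"
  printf '    IdentityFile %s\n    IdentitiesOnly yes\n\n' "$4"
}

# One stanza per purpose, each using a key named after its job.
build_config() {
  pin_key work-gw    work-gateway.example.com ngoonee "$HOME/.ssh/work_ed25519"
  pin_key github     github.com               git     "$HOME/.ssh/github_ed25519"
  pin_key backup-nas nas.example.lan          backup  "$HOME/.ssh/backup_ed25519"
}

# Constructed authorized_keys: automation keys carry an "auto:" comment by
# convention; the base64 blobs are placeholders, not real keys.
write_sample_authorized_keys() {
  cat > "$1" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER0001 laptop:ngoonee
restrict,command="/usr/local/bin/rrsync /srv/backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER0002 auto:backup-nas
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER0003 auto:deploy-hook
from="10.0.0.5" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER0004 auto:cron-sync
EOF
}

# Print the comment of every "auto:" key that has neither "restrict" nor a
# forced command: a stolen task key should only be able to do its one task.
# (A from= option alone still grants a full shell from that address.)
unrestricted_automation_keys() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    {
      if (!match($0, /(ssh-(ed25519|rsa|dss)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com)[[:space:]]+[A-Za-z0-9+\/=]+/)) next
      opts = substr($0, 1, RSTART - 1)          # everything before the key type
      n = split(substr($0, RSTART), f, /[[:space:]]+/)
      comment = (n >= 3) ? f[3] : ""            # first word of the comment
      if (comment ~ /^auto:/ && opts !~ /(^|,)restrict(,|[[:space:]]|$)/ && opts !~ /command=/)
        print comment
    }' "$1"
}

tmp=$(mktemp); write_sample_authorized_keys "$tmp"
build_config; unrestricted_automation_keys "$tmp"; rm -f "$tmp"
```

Running it prints the three pinned stanzas and then the two sample keys that need a `restrict` or `command=` option added.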
Looks like everyone uses different keys for every user/machine combination then. Always resisted this due to laziness to go back through sourceforge/github and the like to update my keys... probably should get round to that soon.
I have:
dsa & rsa keys for my private machines (all with totally encrypted storage);
one rsa key for accessing some machines at my job;
separate rsa key for importing & using on misc machines with unencrypted storage.
— love is the law, love under wheel, — said aleister crowley and typed in his terminal:
usermod -a -G wheel love
Looks like everyone uses different keys for every user/machine combination then. Always resisted this due to laziness to go back through sourceforge/github and the like to update my keys... probably should get round to that soon.
In short, SSH keys are like GPG keys (actually, they are interchangeable, so you can use GPG keys to authenticate to an SSH server). So, whether or not to have multiple SSH keys is not a security decision, but rather a policy one. Having a separate keypair for every account/machine is clearly overkill. It does not add any security, only a chore when it's time to rekey.
For example, if you are at a university and use supercomputers, it makes sense to have 1 keypair for all of them, as well as your Bitbucket/GitHub account. OTOH, you can use a separate SSH keypair for root accounts on remote machines.
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd