
When you want to have public key based ssh logins for multiple machines, do you use one private key, and put the same public key on all of the machines? Or do you have one private/public key pair for each connection?

Nick
  • @Jim Zajkowski: I'm not sure how to reply to your comment but this is for you. Jump boxes allow controlled access to internet facing servers that are in a DMZ (behind a firewall). Say you have "server_a" and "server_b". A is in the network and B is outside the network. Outside customers connect to B. The traffic that goes from A to B needs to be controlled and vice-versa. So you add a jump box that has two network cards. One that connects it to the internal network (A) and one that connects it to the external network (B). So from A you go to the jump box and then to B. One of the benefits of –  Jun 01 '10 at 06:54
  • @IMTheNachoMan - I've converted your answer to a comment, though the best place for it would be as a comment directly within the answer holding the comment to which you're responding (that got me a bit dizzy). If you have any questions, pop over to meta and ask away. Thanks for the clarification regardless. – Kara Marfia Feb 27 '11 at 18:58
  • https://security.stackexchange.com/questions/40050/what-is-the-best-practice-separate-ssh-key-per-host-and-user-vs-one-ssh-key-for – sancho.s ReinstateMonicaCellio Dec 12 '17 at 05:09

5 Answers


I use one key per set of systems that share a common administrative boundary. This limits the number of machines that get popped if a key is compromised, whilst not completely overwhelming my capacity to store and manage several thousand keys. Different passphrases on each key means that even if all your private keys are stolen and one key is compromised, the rest don't go down the toilet with it. Also, if you do do something stupid (like copy a private key onto an untrusted machine), again you don't have to rekey everything, just the machines associated with that key.

womble

The public key doesn't matter much, since, by definition, it can be publicised. So the only issue is the privacy of your private keys. They're on your own machine, and all together, so if one is compromised, it's likely that they'll all be compromised. Therefore, multiple keypairs is just more work for the same effect.

The only time I would use different keys is for different accounts or different roles, which by definition shouldn't have complete overlap in access.

Lee B
  • Private keys are not necessarily "together", even when they are within the boundary of a single system. They might be stored in different protected filesystem locations or encrypted containers. Moreover, each key can be protected by a different passphrase. – ᄂ ᄀ Jul 01 '21 at 08:15

If I understand properly, each server is going to have its own public key.

For a given user, you can generate one key and use it everywhere, so long as the private key is replicated across to all initiating hosts. (This would happen automatically via network-mounted home directories and a directory-based authentication system such as OpenLDAP since the user will always be "the same" regardless of what workstation they login from.)

Outside of a directory-based user system, I think it's a Bad Idea™ to use the same keys everywhere - you end up with a net reduction in system security, as anyone who can get a key from any of the workstations can then authenticate as that user to the remote server.

Another alternative, employed by several large corporations (and I'm sure small ones, too) is to never allow a "user" to use pre-shared keys, but rather to have them log in to a "jump" or "hub" box, su to the appropriate connecting user, and then SSH from there to the servers they need to manage.

Also, if you use a management system like HP's Server Automation platform, then remote administration of managed servers becomes a more simplified process.

warren
  • Everyone should keep their keys encrypted. Can you explain the security benefits of the "jump box," because I don't see it. – Jim Zajkowski Nov 03 '09 at 05:52
  • as implemented at several banks I've been exposed to, and elsewhere, the idea behind a "jump box" is that you cannot access servers in a DMZ or subnet etc with your "normal" user. You connect to the jump box, then in a logged form, su to the management user to connect out into the other network. – warren Nov 03 '09 at 07:17
  • Security Benefit == 0, in other words. – womble Nov 03 '09 at 09:20
  • @womble - perhaps that is correct. But it's what a lot of paranoid companies do. Since the `su` session is logged, though, it's auditable. – warren Nov 03 '09 at 10:09
  • why are only the `su` sessions auditable and not the others? – João Portela Jan 10 '11 at 12:40
  • @JoãoPortela I used '`su`' as a stand-in for whatever kind of 'jump' activity would happen – warren Sep 25 '15 at 14:15
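The scheme womble's answer describes (one key pair per administrative boundary, each with its own passphrase) combined with the jump-host arrangement from warren's answer, expressed as an OpenSSH client setup. This is an added example, not code from the thread or from any of its authors; the boundary names, host patterns and the jump host name are constructed placeholders, and the key directory is whatever the caller passes in:

```shell
#!/bin/sh
# Added example (not from the Server Fault thread): one ed25519 key pair per
# administrative boundary, each with its own passphrase, plus an ssh_config
# fragment that pins every boundary's hosts to its own key and routes one
# boundary through a jump host. All names below are constructed placeholders.

# Format: name:host-pattern:jump-host ("-" means connect directly).
BOUNDARIES="prod-web:web*.example.test:-
prod-db:db*.example.test:jump.example.test
lab:lab*.example.test:-"

# Generate one key pair per boundary (plus one for the jump host) under $1.
# ssh-keygen prompts for a passphrase for each key; use a different one per
# boundary so that one recovered passphrase does not unlock the rest.
# Existing key files are left untouched.
gen_keys() {
  dir="$1"
  mkdir -p "$dir"
  chmod 700 "$dir"
  printf '%s\n' "$BOUNDARIES" | while IFS=: read -r name _pattern _jump; do
    [ -f "$dir/id_ed25519_$name" ] || \
      ssh-keygen -t ed25519 -f "$dir/id_ed25519_$name" -C "admin:$name"
  done
  [ -f "$dir/id_ed25519_jump" ] || \
    ssh-keygen -t ed25519 -f "$dir/id_ed25519_jump" -C "admin:jump"
}

# Print an ssh_config fragment for the keys in directory $1.
# IdentitiesOnly stops the client (and agent) from offering every loaded key
# to every server, so a host in one boundary never learns the public keys
# that belong to another boundary.
render_config() {
  keydir="$1"
  printf '%s\n' "$BOUNDARIES" | while IFS=: read -r name pattern jump; do
    printf 'Host %s\n' "$pattern"
    printf '    IdentityFile %s/id_ed25519_%s\n' "$keydir" "$name"
    printf '    IdentitiesOnly yes\n'
    if [ "$jump" != "-" ]; then
      # Hosts behind the jump box are reached through it; the jump box itself
      # is authenticated with its own key (block below), not the boundary key.
      printf '    ProxyJump %s\n' "$jump"
    fi
    printf '\n'
  done
  printf 'Host jump.example.test\n'
  printf '    IdentityFile %s/id_ed25519_jump\n' "$keydir"
  printf '    IdentitiesOnly yes\n'
}

# Usage:
#   sh keys.sh generate ~/.ssh          # create the keys (prompts for passphrases)
#   sh keys.sh ~/.ssh >> ~/.ssh/config  # emit the matching config fragment
case "${1:-}" in
  generate) gen_keys "${2:-$HOME/.ssh}"; render_config "${2:-$HOME/.ssh}" ;;
  *)        render_config "${1:-$HOME/.ssh}" ;;
esac
```

Two practical notes: ProxyJump needs OpenSSH 7.3 or later (older clients get the same effect with ProxyCommand and `ssh -W`), and without IdentitiesOnly the client will try every key the agent holds against every host, which is both a source of "too many authentication failures" errors and a way for each server to enumerate all of your public keys.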

As others have said, although the idea of multiple key pairs may seem more secure, if there is a chance they will be used in such a way that they are all in the same place then it is just more hassle and not more secure. Multiple passphrases would make it more secure but also a big headache trying to remember which passphrase goes with which key, and which key goes with which server.

The most reasonable answer to me would be the one where it was suggested doing that ONLY if it involves separate administrative roles without much overlap. Such that it could be different people handling the different roles, or on different workstations or whatever. In that case you have more unique things to deal with for each different role anyways so it's more justifiable.

fred

For ease of managing multiple SSH capable servers, you may want to check out cssh. You can combine cssh with passphrased SSH keys to greatly enhance your ability to manage multiple servers simultaneously.

Greeblesnort
  • How do you manage to get "crazy bugs" in a glorified for loop? – womble Nov 03 '09 at 05:38
  • Something about that seems very deadly-- If you make a mistake you screw up all of your servers at once instead of just one! – Nick Nov 03 '09 at 08:37
  • @Nick - true, but that's pretty much always the case when I'm in charge of the box =) @womble - huh? to what "crazy bugs" do you refer? – Greeblesnort Nov 03 '09 at 15:57
  • On the top of the project page you linked to: "NOTE: I will be getting back on to this project really soon so that I can fix the crazy bugs in it." The fact that notice is still there two years later doesn't increase my faith in it any further. – womble Aug 04 '11 at 23:37