Is it a bad idea to use the same private ssh key on multiple computers?

36

13

I recently bought a laptop from which I need to access the same remote hosts that I do from my desktop. It occurred to me that it might be possible to simply copy the private key file from my desktop to my laptop and avoid having to add a new key to the ~/.ssh/authorized_keys files on all the hosts I want to access. So my questions are:

  1. Is this even possible?
  2. Are there any non-obvious security implications?
  3. Sometimes I will log into my desktop from my laptop. If they were using the same key, would that cause any problems?

Jason Creighton

Posted 2009-08-05T00:32:37.790

Reputation: 463

I suspect you mean authorized_keys, not known_hosts. The former is for incoming, the latter for outgoing. – Matthew Schinckel – 2009-08-05T01:43:34.080

Good catch. Fixed. – Jason Creighton – 2009-08-05T01:50:36.823

Answers

30

Yes, this is possible. Your private key isn't tied to a single machine.

Not sure what you mean by non-obvious; that's often subjective ;). It's not a bad idea at all if you make sure you have a very strong passphrase set, 20 characters at least.

There are no issues about connecting with the same key as your desktop. I would set up an ssh agent for your key on the laptop, and forward the agent to the desktop, so you'll be using that key on other systems you access from there.

From the ssh-agent man page on a Linux system:

ssh-agent is a program to hold private keys used for public key authentication (RSA, DSA). The idea is that ssh-agent is started in the beginning of an X-session or a login session, and all other windows or programs are started as clients to the ssh-agent program. Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using ssh(1).

You would run this on your laptop, either the ssh-agent program on Linux/Unix (it comes with OpenSSH), or with PuTTY agent if you're using Windows. You do not need the agent running on any remote systems; it purely keeps your private key in memory on the local system so you only have to enter your passphrase one time, to load the key in the agent.

Agent forwarding is a feature of the ssh client (ssh or putty) that simply persists the agent through to other systems through the ssh connection.

jtimberman

Posted 2009-08-05T00:32:37.790

Reputation: 20 109

I don't quite understand what you're suggesting with regard to ssh agent forwarding. Could you elaborate on that point a bit? I should mention that I can't count on the desktop always being accessible when I need to use my laptop. – Jason Creighton – 2009-08-05T01:18:23.573

Updated the answer :) – jtimberman – 2009-08-05T01:28:47.130

10

I used to use a single private key across all of my machines (and some of them I am a user only on, not an admin), but recently changed this. It works having the one key, but means if you need to revoke the key (if it is compromised), then you will need to change it on all machines.

Of course, if an attacker gets access and is able to ssh into another machine, they can then get the key from that machine, and so on. But it makes me feel a little safer to know I can revoke just one key, and lock that machine out. It does mean I need to remove the key from the authorized_keys file, though.

Matthew Schinckel

Posted 2009-08-05T00:32:37.790

Reputation: 629

Sorry to necro an old post, but do you feel this would be mitigated by encrypting your private key with a password? Or in your case, was the password also compromised? – thirdender – 2014-11-05T23:57:54.893

It would probably be mitigated by having a passphrase on the key. In actuality though, you could probably use ssh forwarding (using an agent), and then only have the one key per real machine you use, and actually have it password protected. – Matthew Schinckel – 2014-11-10T01:02:45.523
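The revocation argument above (one key per client machine, so a single compromised laptop can be locked out without touching the desktop's key) can be scripted against the server's authorized_keys file. This is an added example, not code from either answer; it assumes the plain OpenSSH line format "type base64 comment" with no option prefix, and that each key's comment is a single token naming the client machine (as produced by `ssh-keygen -t ed25519 -C jason@laptop`).

```shell
#!/bin/sh
# Added example: manage one SSH key per client machine in authorized_keys so
# that exactly one machine's key can be revoked. Assumes lines look like
# "<type> <base64> <comment>" and that the comment is a single token.

# Constructed sample authorized_keys; the base64 parts are placeholders.
SAMPLE_AUTHORIZED_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDESKTOPKEYPLACEHOLDER jason@desktop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILAPTOPKEYPLACEHOLDER0 jason@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCOLDRSAKEYPLACEHOLDER jason@oldbox'

# count_keys FILE -> number of key lines (blank lines and # comments ignored)
count_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# has_key FILE COMMENT -> exit 0 if a key whose comment equals COMMENT exists
has_key() {
    awk -v want="$2" '$NF == want { found = 1 } END { exit !found }' "$1"
}

# revoke_key FILE COMMENT -> drop every key whose comment equals COMMENT.
# The new file is written to a temp path and renamed, so an interrupted run
# never leaves a truncated authorized_keys that locks everyone out.
revoke_key() {
    file="$1"; comment="$2"; tmp="$file.tmp.$$"
    awk -v drop="$comment" '$NF != drop' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp"
    mv "$tmp" "$file"
}

# Stand-alone demonstration on a throwaway copy of the sample file.
demo() {
    d=$(mktemp -d); f="$d/authorized_keys"
    printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" > "$f"
    echo "before: $(count_keys "$f") keys"
    revoke_key "$f" jason@laptop       # laptop lost: lock out only that key
    echo "after:  $(count_keys "$f") keys"
    has_key "$f" jason@desktop && echo "desktop key still present"
    rm -rf "$d"
}
demo
```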