Is it reasonable to have multiple SSH keys?

So far I've created a separate SSH key for each server I need to login to (for each purpose, to be more accurate). I did it out of a sense of security, just like different passwords to different sites.

Does having multiple SSH keys actually improve security? All of them are used from the same machine, are located in the same ~/.ssh, most even have the same passphrase.

So... should I give up the whole system and just use one SSH key for everything?

[UPDATE 2015-08-05] Github publishes your public key, and your SSH client may send all of your public keys to every server, depending on configuration, thusly, if you are concerned with a 3rd party SSH server knowing your identity when connecting, you should use multiple SSH keys, though in my opinion it is paranoid.

1

5 Answers

SSH keys use public-key cryptography. That means that what you're installing on all those servers is just your public key, which you want the whole world to know. The only actual secret is your private key that you keep locked down on your own machine. So yeah, I'd say you're wasting your time.

4

Ultimately this is up to you. You need to evaluate your threat model. How likely is it that one of your keys is compromised? If one key is compromised, how likely is it that the other keys will be compromised? What are the consequences of your keys being compromised? What is the cost (including time) of managing multiple keys?

Considering factors such as these should help you decide if you really need separate keys. On my personal machines on my local network I usually don't bother with extra overhead in trying to manage multiple keys. However, outside of my network I would use different keys each with a unique passphrase. But that is just my personal opinion.

2

No it is not a waste of time to use more than one key.

More diversity == less risk.

That statement of Spiff's is incorrect.

The point is the public key grants access to the private key holder and no one else.

The risk to be concerned about here is authentication. A rogue site forwards authentication requests to your agent task. If you use only one key, then even when only one key is loaded in your agent, all sites are open to the rogue.

This has nothing to do with the passphrases, you could have several keys with the same passphrase that would make no difference here. Because it is not the passphrase that is compromised.

The rogue forwards challenges to your agent and can connect to all sites for which you have keys loaded.With different keys, one key loaded -> one site at risk.

I say good for you, you picked other peoples privacy over your own laziness.

P.S. the moral of the story is be wary of agent forwarding

2

I think there is one good use-case for multiple public keys, and that's if you have private keys stored on computers in different areas of trust. So I generally keep one key that is my "work" key, and another that is my "home" key, simply because the private key for my "home" stuff is not stored on my work computer and vice versa.

2

I think reasonable can be considered from two different angles: security and convenience.

When we create a SSH key pair, we are asked for providing a passphrase to add a more layer to protect the private-key, as following:

$ ssh-keygen -t rsa -b 4096 -C 'With_OR_Without_Passwd'
Generating public/private rsa key pair.
Enter file in which to save the key (/Your/HomeDir/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):

Although there is an explicit prompt asking for passphrase, but some (or many) people still focus more on the information in brackets: (empty for no passphrase), and following that suggestion.

Combining whether or not using multiple SSH key pairs and whether or not enter additional passwd, we have at least four ways to go. And let's assume all key-pairs and the config file are stored in ~/.ssh/.

Now let't consider security first.

The following table gives a simple rank about security (larger number means more secure):

Security Ways to go 1 One SSH key-pair (NO passwd) 1 Multi SSH key-pairs (NO passwd) 2 One SSH key-pair (WITH passwd) 2 Multi SSH key-pairs (WITH passwd) (SAME passwd) 3 Multi SSH key-pairs (WITH passwd) (DIFF passwds)

Without passwd, if our system is intruded by someone, then the breaker can get all of our private-keys and config, also the authentication of remote servers. So in this situation, One key-pair and Multi key-pairs are the same. The most secure way is to use different passwds for different ssh key-pairs.

Then let't think about convenience.

But more key-pairs and more passwds also make our life less convenient, the following table gives a simple rank about security (larger number means more secure):

Convenient Security Ways to go 5 1 One SSH key-pair (NO passwd) 4 2 One SSH key-pair (WITH passwd) 3 1 Multi SSH key-pairs (NO passwd) 2 2 Multi SSH key-pairs (WITH passwd) (SAME passwd) 1 3 Multi SSH key-pairs (WITH passwd) (DIFF passwds)

So, in general situation, if we have to trade off with security and convenience at the same time, we can multiply the two scores, and maybe One SSH key-pair (WITH passwd) is the good one to choose.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like