Hacker News
What's the point of having different ssh key per server?
by hartator 681 days ago

Your .pub is meant to be shared; even publicly. It's fine to have one ssh key for everything. It's also hard to think about a scenario where one ssh key in your machine is compromised, but not the others.

5 comments

> What's the point of having different ssh key per server?

Identity protection perhaps. A public key could reveal that the same person is accessing two or more servers. Different keys per server hide that information.

That's a good point. Moreover, someone built[1] an SSH server that prints your name when you connect (because GitHub publishes SSH public keys of every user):

    ssh whoami.filippo.io
[1]: https://words.filippo.io/ssh-whoami-filippo-io/

> What's the point of having different ssh key per server?

I do have some use-cases where I use different ssh-keys per server/cluster:

- Setting up clients' machines allows me to nuke the keypair when the work is done and I no longer have access. Customers trust me to do this - they trusted me to set up their machines already.

- Belonging to different projects: so that when the project is finished, handed over or closed down, I can safely delete all keys associated with that, knowing for sure I'm not deleting keys that I did need after all.

- Having different levels - testing these levels. I set up servers in a way that there's sysadmins who have root/sudo, and `deploy` users that can only deploy apps (e.g. capistrano, ansible, k8s and so on) and maybe `sudo systemctl restart my-app` and/or read certain /var/log/some-log. I want to be sure that something does/does not work because of the correct keys, and not because one of the 12+ keys in my ssh-agent happens to be used instead.

So, in my case, I do have a lot of ssh-keys that I juggle with.

I wish there were just a version of ssh-agent/ssh-add though, with better UX. Looks like maybe viking is that?

I agree!

People should generate at least a single ssh key per client device. (On Userify, rotating your key is just a matter of pasting the new public key into your keybox in your dashboard.) One per client device will let you revoke/rotate only that key when it's compromised. This also helps keep you from copying the private key somewhere else (which you should never do).

It does look like this wants to be a replacement for ssh-agent/ssh-add; also check out GNU keychain by Daniel Robbins, which is in most distro repos.

(blatant plug - we actually developed Userify for these three use cases, especially on cloud instances with constantly changing IP's)

One key per laptop.
Some segregation is useful. If a key I use for work never touches my personal machine, that's a good thing. If my work laptop gets stolen I don't want to have to cycle my personal key, etc.

I guess the point I'm making is more for making decent keys to create sensible separation points, rather than having one for each machine, though: allowing work vs home vs foo vs bar.

Right. We usually recommend a single key per client device (laptop, desktop, etc), because that way you can rotate that key if it gets lost/stolen without changing your other devices as well. This way, those private keys stay totally local to the device and never actually need to move, which is much safer. (I work at Userify.)
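Two things in this thread rest on the same primitive: a server naming the person behind an offered key (the whoami.filippo.io comment above) and removing one lost device's key from a server without touching the others (the one-key-per-device advice). Both need only the SHA256 fingerprint of a public key line. The Python below is an added example written for this page, not code from filippo.io, GitHub or Userify; the usernames, key bytes and authorized_keys contents are constructed for the demo, and the ed25519 blobs are built from arbitrary bytes rather than real keys.

```python
import base64
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

# A public key line starts with a key-type token; anything before it on an
# authorized_keys line is an options prefix (restrict, command="...", ...).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data: bytes) -> bytes:
    """One SSH wire-format string (RFC 4251): uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw_key: bytes, comment: str) -> str:
    """OpenSSH 'ssh-ed25519 <base64 blob> <comment>' line from 32 raw bytes.
    Only used to build sample data here; raw_key is arbitrary, not a real key."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Return (key type, decoded blob), skipping any options prefix.
    Assumption: no option value contains a token that starts like a key type."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPE_PREFIXES):
            return field, base64.b64decode(fields[i + 1])
    raise ValueError("no public key found in line: %r" % line)


def fingerprint(line: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it: base64 of the SHA-256
    of the key blob, with the trailing '=' padding removed."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def build_index(published: Dict[str, List[str]]) -> Dict[str, str]:
    """fingerprint -> username from a 'user -> public key lines' listing, the
    shape of what GitHub serves at https://github.com/<user>.keys."""
    index: Dict[str, str] = {}
    for user, lines in published.items():
        for line in lines:
            index[fingerprint(line)] = user
    return index


def identify(index: Dict[str, str], offered_line: str) -> Optional[str]:
    """Name the user behind a key offered during authentication. Only the
    fingerprint is needed, so one key reused on two servers links both
    sessions to the same person."""
    return index.get(fingerprint(offered_line))


def revoke_by_fingerprint(authorized_keys: str, fp: str) -> Tuple[str, int]:
    """Drop every key line whose fingerprint is fp; return (new text, count).
    Comments, blank lines and unparseable lines are kept; an options prefix
    does not hide a key from the match."""
    kept: List[str] = []
    removed = 0
    for line in authorized_keys.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            try:
                if fingerprint(stripped) == fp:
                    removed += 1
                    continue
            except ValueError:
                pass  # unparseable line: keep it rather than silently delete
        kept.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample data: key bytes are derived from labels with SHA-256 so
# the example is deterministic and offline. Nothing here is anyone's key.
def _sample_key(label: str) -> bytes:
    return hashlib.sha256(label.encode()).digest()


ALICE_LAPTOP = make_ed25519_pubkey_line(_sample_key("alice-laptop"), "alice@laptop")
ALICE_DESKTOP = make_ed25519_pubkey_line(_sample_key("alice-desktop"), "alice@desktop")
BOB_LAPTOP = make_ed25519_pubkey_line(_sample_key("bob-laptop"), "bob@laptop")
UNLISTED = make_ed25519_pubkey_line(_sample_key("unlisted"), "nobody@nowhere")
PUBLISHED_KEYS = {"alice": [ALICE_LAPTOP, ALICE_DESKTOP], "bob": [BOB_LAPTOP]}
AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for one server",
    ALICE_LAPTOP,
    'restrict,command="/usr/local/bin/deploy" ' + ALICE_DESKTOP,
    BOB_LAPTOP,
])

if __name__ == "__main__":
    index = build_index(PUBLISHED_KEYS)
    for line in (ALICE_LAPTOP, BOB_LAPTOP, UNLISTED):
        print(fingerprint(line), "->", identify(index, line))
    # Alice's laptop is stolen: remove that device's key, keep her desktop's.
    new_text, n = revoke_by_fingerprint(AUTHORIZED_KEYS, fingerprint(ALICE_LAPTOP))
    print("removed %d line(s)" % n)
    print(new_text)
```

The per-device revocation only works if each device really has its own key: if the laptop and desktop shared one private key, removing the laptop's fingerprint would lock the desktop out too, which is the scenario the one-key-per-device advice is about.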

Here are a few use cases for having multiple SSH keys per server:

- use a different SSH key for each client machine: if the client machine is lost/compromised, just remove that key from the server's authorized_keys
- multiple accounts for the same server. This is useful for example to use multiple GitHub accounts

My github-keygen tool allows you to manage your ~/.ssh/config for those GitHub use cases.

https://github.com/dolmen/github-keygen
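The multiple-GitHub-accounts case above and the earlier complaint about one of 12+ agent keys being tried instead of the intended one both come down to how ~/.ssh/config resolves: one Host alias per account, each pinned to its own IdentityFile, and IdentitiesOnly yes so the agent cannot substitute a different key. The following Python is an added example for this page, not part of github-keygen or any real config. It implements the first-obtained-value-wins rule from ssh_config(5) for ordinary keywords and value accumulation for IdentityFile, with a check that flags hosts where the agent may still offer every loaded key. The config text is constructed; Match and Include are out of scope and the parser refuses them rather than silently skipping them.

```python
import fnmatch
import re
from typing import Dict, List, Tuple

# Keywords OpenSSH accumulates across matching blocks; every other keyword is
# first-obtained-value-wins, as ssh_config(5) describes.
MULTI_VALUED = {"identityfile", "certificatefile"}

Block = Tuple[List[str], List[Tuple[str, str]]]


def parse_ssh_config(text: str) -> List[Block]:
    """Split ssh_config text into (host patterns, [(keyword, value)]) blocks.
    Options above the first Host line land in an implicit 'Host *' block that
    comes first, which is why a top-level IdentitiesOnly beats a per-host one.
    Assumption: '#' never appears inside a value."""
    blocks: List[Block] = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            raise ValueError("keyword without value: %r" % raw)
        keyword, value = parts[0].lower(), parts[1].strip().strip('"')
        if keyword in ("match", "include"):
            raise NotImplementedError("%s is not handled by this example" % parts[0])
        if keyword == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((keyword, value))
    return blocks


def host_matches(patterns: List[str], host: str) -> bool:
    """Host-line semantics: any positive pattern selects the block, but a
    matching negated ('!') pattern vetoes it regardless of the others."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(text: str, host: str) -> Dict[str, List[str]]:
    """Effective options for host; every value is a list so single-valued and
    accumulating keywords look alike."""
    effective: Dict[str, List[str]] = {}
    for patterns, options in parse_ssh_config(text):
        if not host_matches(patterns, host):
            continue
        for keyword, value in options:
            if keyword in MULTI_VALUED:
                effective.setdefault(keyword, []).append(value)
            else:
                effective.setdefault(keyword, [value])
    return effective


def agent_may_offer_every_key(text: str, host: str) -> bool:
    """True when IdentitiesOnly is not 'yes' for host: ssh then lets the agent
    try all of its loaded keys, and a configured IdentityFile merely joins the
    pile instead of pinning which key is used."""
    return resolve(text, host).get("identitiesonly", ["no"])[0].lower() != "yes"


# Constructed example config, not anyone's real ~/.ssh/config.
SAMPLE_CONFIG = """\
Host github-work
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes

Host github-personal
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_personal
    IdentitiesOnly yes

Host deploy-*.example.com !deploy-canary.example.com
    User deploy
    IdentityFile ~/.ssh/id_ed25519_deploy
    # IdentitiesOnly deliberately missing: the agent's other keys may be tried

Host *
    AddKeysToAgent no
"""

# A top-level value is obtained first, so it silently overrides the per-host one.
GOTCHA_CONFIG = "IdentitiesOnly no\nHost pinned\n    IdentitiesOnly yes\n"

if __name__ == "__main__":
    for host in ("github-work", "github-personal", "deploy-web1.example.com",
                 "deploy-canary.example.com"):
        print(host, resolve(SAMPLE_CONFIG, host),
              "agent may offer every key:", agent_may_offer_every_key(SAMPLE_CONFIG, host))
    print("pinned:", agent_may_offer_every_key(GOTCHA_CONFIG, "pinned"))
```

`ssh -G <host>` prints what OpenSSH itself resolves, including identitiesonly and the identityfile list, and is the authoritative check; this resolver ignores Include, Match, percent tokens and the default identity files that apply when no IdentityFile is configured.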

Reads like some misguided attempt at improving security.

Maybe OP also moves private keys around and doesn't know a private key ideally should never leave a single machine; if you set up a new laptop to connect to your servers, you should generate a new private key and upload the new pub key, and for backup ideally you should have a spare laptop already set up with keys.