0

I just watched this video https://youtu.be/ZhMw53Ud2tY and the question I have is if I have to generate a public/private key pair for each server I’m looking to log in to or if I just generate one pair and use that for each server. Somehow that last option seems to be like using the same password for each account.

Is it wise to store the keys in a password manager btw? I’m using KeePass as password manager.

vespino
  • 111
  • 5
  • [if you mean SSH, which is not the only kind of login using keypairs: Q&A from 2013 just necroed over on security.SX](https://security.stackexchange.com/questions/40050/best-practice-separate-ssh-key-per-host-and-user-vs-one-ssh-key-for-all-) – dave_thompson_085 Mar 24 '21 at 00:50

2 Answers

1

If you:

  • Keep your private key only on your workstation(s) (good ol' common sense)
  • Put a good passphrase on your private key (protects you from a hacker stealing your private key)
  • Use and configure agent forwarding properly (reduces the need to keep your private key on other devices)

you should not need a keypair per server.

Think about it - should your workstation be compromised, the hacker is going to take all your keys - whether it's 1 pair or 20 pairs for 20 servers you log into.

Brandon Xavier
  • 2,022
  • 13
  • 15
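As an added illustration of the three points above (not part of the answer), here is a workstation-side `~/.ssh/config` that keeps passphrase-protected keys local, loads them into the agent on first use, and avoids agent forwarding by using `ProxyJump`; the host names, users and key file names are constructed for the example.

```sshconfig
# Added example, not from the answer: workstation ~/.ssh/config.
# Host names, users and key file names below are constructed.

# Passphrase-protected keys are added to ssh-agent the first time they
# are used, so the passphrase is typed once per session rather than
# being dropped for convenience.
AddKeysToAgent yes

# Offer a host only the key configured for it, not every key the agent
# holds. A server then learns nothing about your other public keys.
IdentitiesOnly yes

# Never forward the agent by default; a root user on a forwarded-to host
# can use your agent for as long as you are connected.
ForwardAgent no

# Optional per-host keys (one keypair per server, as the question asks):
# a key that leaks from one environment does not open the other.
Host prod
    HostName prod.example.com
    User deploy
    IdentityFile ~/.ssh/id_ed25519_prod

Host staging
    HostName staging.example.com
    User deploy
    IdentityFile ~/.ssh/id_ed25519_staging

# Reaching an internal host through a bastion: ProxyJump tunnels the
# second connection through the first, so the private key stays on the
# workstation and no agent forwarding to the bastion is required.
Host internal
    HostName 10.0.0.10
    User admin
    ProxyJump bastion.example.com
    IdentityFile ~/.ssh/id_ed25519_internal
```

Each key file referenced above would be created with `ssh-keygen -t ed25519 -f <path>` and given a passphrase when prompted.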
-1

> if I have to generate a public/private key pair for each server

Well, if you do not do this, are you ok that a hacker taking over one server has access to them all? We can not define what your risk profile looks like.

> Somehow that last option seems to be like using the same password for each account.

Because it is, just more complicated - keys generally are not "Passwords" :)

> Is it wise to store the keys in a password manager btw?

Wrong question. Is it POSSIBLE? Because Keys normally are SIGNIFICANTLY longer than passwords and a pw manager with a length limit... may simply not work.

TomTom
  • 51,649
  • 7
  • 54
  • 136
  • Guess I’ll have to watch a few more tutorials on the subject, the answer is obviously yes, I do need to create more than one pair. KeePass supports files, so it’s not about the length, but more what you do with it I guess. – vespino Mar 22 '21 at 18:51
  • 1
    The reason for using public-key authentication of SSH client is precisely that a compromised or (more generally) malicious server gets only the public key which **cannot be used to impersonate the client to any other server**, as an attacker can with a shared password. This is such a good idea Diffie and Hellman got a Turing award for it. – dave_thompson_085 Mar 23 '21 at 01:52