74

This question is similar to "SSH public key authentication - can one public key be used for multiple users?" but it's the other way around.

I'm experimenting on using ssh so any ssh server would work for your answers.

Can I have multiple public keys link to the same user? What are the benefits of doing so? Also, can different home directories be set for different keys used (all of which link to the same user)?

Please let me know if I'm unclear.

Thanks.

Russell

2 Answers

106

You can have as many keys as you desire. It's good practice to use separate private/public key sets for different realms anyway, like one set for your personal use, one for your work, etc.

First, generate two separate keypairs, one for home and one for work:

    ssh-keygen -t rsa -f ~/.ssh/id_rsa.home
    ssh-keygen -t rsa -f ~/.ssh/id_rsa.work

Next, add an entry to your ~/.ssh/config file to pick the key to use based on the server you connect to:

    Host home
        Hostname home.example.com
        IdentityFile ~/.ssh/id_rsa.home
        User <your home acct>

    Host work
        Hostname work.example.com
        IdentityFile ~/.ssh/id_rsa.work
        User <your work acct>

Next, append the contents of your id_rsa.work.pub into ~/.ssh/authorized_keys on the work machine, and do the same for the home key on your home machine.

Then when you connect to the home server you use one of the keys, and the work server you use another.

Note you probably want to add both keys to your ssh-agent so you don't have to type your passphrase all the time.

Phil Hollenback
  • This would work even if id_rsa.work.pub and id_rsa.home.pub were planted on the same server right? The reason is I might be connecting to a server from different computers, so I'm wondering if it makes sense to have different keypairs for each computer even if they're connecting to the server as the same user. Thanks. – Russell Jan 12 '11 at 21:48
  • 2
    Absolutely! On the server side, ssh will check all the public keys in the authorized_keys file until it finds a match. So you can put all the keys in the same authorized_keys file on the server no problem. – Phil Hollenback Jan 12 '11 at 21:54
  • 1
    @PhilHollenback "ssh will check all the public keys in the authorized_keys file until it finds a match" - you mean it keeps sending challenges to the client for each public key until the client proves it can decrypt one? Do you have any references for that? (genuinely interested) – aaa90210 Apr 02 '18 at 23:08
  • Hi, what is where do I find it? – Vladimir Despotovic Apr 28 '21 at 08:49
  • @VladimirDespotovic that's just a placeholder for whatever your work account name is. In my example I use work account and home account, but those could be any two different accounts. – Phil Hollenback May 06 '21 at 19:23
6

It makes lots of sense to have multiple users' keys going to one user. Common reasons are:

  • backup
  • git (e.g. Push URL: git+ssh://git@git-server/~/repos/MyProject)
  • rsync
  • common access to an app

As far as having different homedirs, you can change them per key by prepending environment="HOME=/home/user1" for user1's key in the authorized_keys file. See man authorized_keys.

Try it out, YMMV.

MikeyB
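Both answers come down to one authorized_keys file holding several keys for one account, some with per-key options such as environment="HOME=...". The following is an added example, not code from either answer: it parses such a file and lists each key's fingerprint, comment and options, so you can see who can log in as that user. The sample keys, comments and the helper names are constructed for illustration.

```python
import base64, hashlib, struct

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # how key-type fields begin

def split_options(line):
    """Split 'options rest' at the first whitespace that is outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i:].strip()
    return line, ""

def parse_authorized_keys(text):
    """Return one dict per key line: type, SHA256 fingerprint, comment, options."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if not line.startswith(KEY_PREFIXES):  # line begins with an options field
            options, line = split_options(line)
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue  # malformed line, skip it
        comment = parts[2] if len(parts) > 2 else ""
        digest = hashlib.sha256(base64.b64decode(parts[1])).digest()
        fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        entries.append({"type": parts[0], "fingerprint": fp,
                        "comment": comment, "options": options})
    return entries

def fake_ed25519(seed):
    """Constructed, well-formed ed25519 public key line (not a real key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

# Constructed sample: three keys that all log in to the same account.
SAMPLE = "\n".join([
    "# one key per client machine, plus a restricted key",
    fake_ed25519(1) + " russell@laptop",
    fake_ed25519(2) + " russell@desktop",
    'environment="HOME=/home/user1",no-port-forwarding ' + fake_ed25519(3) + " user1@backup",
])

if __name__ == "__main__":
    for e in parse_authorized_keys(SAMPLE):
        print(e["fingerprint"], e["comment"], e["options"] or "-")
```

The fingerprints use the same SHA256 format that `ssh-keygen -lf` prints, so they can be matched against sshd's log lines to tell which key was used for a login. sshd only honours `environment=` options when `PermitUserEnvironment` is enabled in sshd_config, which it is not by default.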