The general process is to generate a pair of public and private keys and upload the public key to the server for SSH connection.
Then, if I have to manage a large amount of servers, am I supposed to:
OR
I personally believe the first choice is good enough from the security perspective. Am I correct?
Thanks.
The general answer is that you likely will want to put the same personal public key on all servers/accounts you want to login in on. For all practical purposes it's more or less impossible to derive the private key from the corresponding public half.
Then there are a bunch of potential exceptions.
While it's normally a good rule to keep the private key passphrase protected that might be less doable while performing certain automated tasks. For that purpose you might also want to have a separate keypair with an unencrypted private key, to use towards those certain (hopefully restricted) accounts.
Assuming you mostly connect towards modern enough servers your personal ssh key might be of the ed25519 kind. You might then for compatibility reasons also need a secondary keypair of the RSA kind to be able to login to servers running an older version of OpenSSH. Except that in such a case it's probably good enough to go RSA all the way.
If you use ssh agent forwarding a lot there is a theoretical benefit in using separate keypairs, limiting the damage a malicious server can do. Except that I imagine this quickly becoming messy in practice. Probably better then to simply stay away from agent forwarding then.
