4

I have a desktop and a laptop that I use for development. I generated an SSH key on the primary machine (desktop) for my VPS, which uses a passphrase. In terms of best practices or security concerns, is it better to generate a new SSH key on my laptop for the same VPS, or should I just copy the SSH keys from the desktop to the laptop?

Everything I've read on the topic simply explains how to copy SSH keys from one computer to another. I haven't seen anything explaining the pros and cons of generating a new key vs. copying an existing one. (Both machines are used solely by me.)

darkpool

3 Answers

5

As long as your private key is secured using a good-quality passphrase, it is safe to copy it from one machine to another.

user9517
4

I agree with https://unix.stackexchange.com/questions/208495/ssh-key-authentication-with-multiple-computers. You can do any one, but each one has its pros and cons.

I would prefer to create a new SSH private key for every trusted machine. That way, if one is compromised, only the key for that machine needs replacing. Copying private keys around could also increase the chance of somebody else getting access to them. It basically becomes a single point of failure. There is a reason why sites like BitBucket recommend that their users replace their SSH keys every year.

keplerian
0

Copying the key elsewhere increases its exposure to a third party gaining access. If you're reusing keys and one gets compromised, you have no way to know which workstation has been compromised. I would highly recommend having a set of keys for each workstation so it's easy to revoke keys without losing access elsewhere.

Since you're using keys instead of a passphrase to log in to your server, I would highly recommend disabling password authentication on your SSH server. This will help prevent brute-force attacks against your SSH service. Make sure you've already successfully logged in with your key, or you'll get locked out.

$ sudo nano /etc/ssh/sshd_config

Then in the config file find the line #PasswordAuthentication yes

And change it to PasswordAuthentication no

Test your config file to ensure there are no errors (no output means no errors):

$ sudo sshd -t

Then restart your SSH daemon (assuming systemd):

$ sudo service ssh restart

Ryan
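Two helpers for the steps in Ryan's answer and for the one-key-per-workstation advice in the answers above, as an added example rather than code from the question or any answer. It assumes a POSIX shell with awk and sed; the labels dev@desktop and dev@laptop and the key strings are constructed, and it goes a little beyond the answer by also handling an sshd_config with no PasswordAuthentication line and by showing how a single workstation's key is revoked.

```shell
#!/bin/sh
# Added example: not code from the question or from any of the answers.
# Each helper takes a file path, so you can rehearse on a scratch copy
# before editing the real /etc/ssh/sshd_config or ~/.ssh/authorized_keys.

# Set "PasswordAuthentication no" in an sshd_config file. Handles the
# commented-out default ("#PasswordAuthentication yes"), an explicit
# "yes", and a file with no such line at all (the directive is appended).
# Prints the value of the first uncommented directive afterwards, which is
# the one sshd honours when a keyword appears more than once.
disable_password_auth() {
    cfg="$1"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]' "$cfg"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'PasswordAuthentication no\n' >> "$cfg"
    fi
    awk '$1 == "PasswordAuthentication" { print $2; exit }' "$cfg"
}

# Remove every key whose comment (last field) equals the given label from
# an authorized_keys file, and print how many keys remain. With one key per
# workstation, a lost laptop is revoked by its label alone and the desktop's
# key keeps working.
revoke_key() {
    ak="$1"
    label="$2"
    awk -v lbl="$label" '$NF != lbl' "$ak" > "$ak.tmp" && mv "$ak.tmp" "$ak"
    grep -c -E '^(ssh-|ecdsa-|sk-)' "$ak" || true
}

# Demonstration on constructed files (the key material is fake).
demo() {
    d=$(mktemp -d)
    printf '#PasswordAuthentication yes\nPermitRootLogin no\n' > "$d/sshd_config"
    printf 'ssh-ed25519 AAAAC3fakeDesktopKey dev@desktop\n' > "$d/authorized_keys"
    printf 'ssh-ed25519 AAAAC3fakeLaptopKey dev@laptop\n' >> "$d/authorized_keys"
    disable_password_auth "$d/sshd_config"      # prints: no
    revoke_key "$d/authorized_keys" dev@laptop  # prints: 1
    rm -rf "$d"
}
demo
```

Where sshd_config pulls in a drop-in directory with Include, an earlier file can still set PasswordAuthentication yes and win, so confirm the effective value with `sudo sshd -T | grep -i passwordauthentication` before restarting.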