This is a newbie question from a Windows guy, but when I work with Git or other software relying on (Open)SSH, should I generate a new SSH key for every workstation and then upload the public key to GitHub / BitBucket etc., or should I be reusing some previously generated one? Or does it matter at all?
2 Answers
13
You should generate a pair of keys for each workstation. This way, if a key is compromised, you will be able to revoke permission for that key only, without affecting other workstations.

Raffaele
[No such thing as a stupid question:](https://en.wikipedia.org/wiki/No_such_thing_as_a_stupid_question) I'm a bit unsure how to understand the term **workstation** in the context: I'm accessing a **my_repo** on `gitlab.com` from my local workstation using `key_1` I've generated. Now, when accessing the **server** at work (using `key_2`) I should have one more `key_3` that in turn accesses **my_repo** on `gitlab.com`? – ilam engl May 28 '21 at 10:40
A workstation is a physical or virtual machine, an Android device or in general any operating system with a user account and an SSH client – Raffaele May 29 '21 at 11:11
0
Yes, you should generate a new SSH key for every workstation. Also make sure to specify a passphrase for your private key and keep it safe. Never share it.

Aurélien Bottazini
OK, thanks. Can you explain why I should do that as opposed to reusing a single key pair? – Borek Bernard Apr 07 '12 at 13:37
Imagine you use the same password on every website. If one day someone knows your password, he can access all your accounts on all your websites. It is the same with SSH keys. If you use the same key everywhere and one of your computers is compromised, you have to replace the key everywhere. And it makes it difficult to know which computer was compromised too. And you can make security mistakes (file permissions, for example) when you transfer your key from one computer to another. – Aurélien Bottazini Apr 07 '12 at 13:45
A private key is something you **really** want to keep private. While there's nothing which prevents you from uploading it to other machines, the more machines it's on, the greater the risk of it being compromised. Thus, the recommendation to use separate keys on each workstation. When using SSH you can place all the public keys in the `authorized_keys` file of the hosts you need to access. I'm sure GitHub and Bitbucket have a similar way to specify multiple keys. – wadesworld Apr 07 '12 at 14:34
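
An added example, not part of the original answers or comments: with one key per workstation in an `authorized_keys` file, a single compromised workstation can be revoked by fingerprint while the others keep working. The key lines and the `user@...` comments below are constructed samples with fake key bytes, and all function names are hypothetical.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(b64_blob):
    """SHA256 fingerprint in the format `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line):
    """Return (fingerprint, comment) for a key line, or None for blanks/comments."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # A key line may start with an options field; find the key type token.
    # (Options containing quoted spaces are not handled in this sketch.)
    for i, tok in enumerate(fields[:-1]):
        if tok.startswith(KEY_TYPES):
            return fingerprint(fields[i + 1]), " ".join(fields[i + 2:])
    return None


def revoke(text, fp):
    """Drop every line whose key matches fp; return (new_text, removed_comments)."""
    kept, removed = [], []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] == fp:
            removed.append(parsed[1])
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def constructed_key(seed, comment):
    """Constructed sample: well-formed ssh-ed25519 line with fake key bytes."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = s(b"ssh-ed25519") + s(hashlib.sha256(seed).digest())
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed authorized_keys: one key per workstation (hypothetical names).
SAMPLE = "\n".join(constructed_key(c.encode(), c)
                   for c in ("user@laptop", "user@desktop", "user@work-vm")) + "\n"

if __name__ == "__main__":
    laptop_fp = parse_line(SAMPLE.splitlines()[0])[0]
    new_text, removed = revoke(SAMPLE, laptop_fp)
    print("revoked:", removed)
    print(new_text, end="")
```

Had all three workstations shared one key, the same revocation would have removed access for every machine at once.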