Public/private key

Question

I just watch this video https://youtu.be/ZhMw53Ud2tY and the question I have is if I have to generate a public/private key pair for each server I’m looking to login to or if I just generate one pair and use that for each server. Somehow that last option seems to be like using the same password for each account.

Is it wise to store the keys in a password manager btw? I’m using keepass as password manager.

if you mean SSH, which is not the only kind of login using keypairs: Q&A from 2013 just necroed over on security.SX — dave_thompson_085, Commented Mar 24, 2021 at 0:50

Brandon Xavier · Accepted Answer · 2021-03-22 21:10:04Z

1

If you:

Keep your private key only on your workstation(s) (good ol' common sense)
Put a good passphrase on your private key (protects you from a hacker stealing your private key)
Use and configure agent forwarding properly (reduces the need to keep your private key on other devices)

you should not need a keypair per server.

Think about it - should your workstation be compromised, the hacker is going to take all your keys - whether it's 1 pair or 20 pairs for 20 servers you log into.

answered Mar 22, 2021 at 21:10

Brandon Xavier

2,03214 silver badges15 bronze badges

Have you by any chance ever worked with keepass before?
– vespino
Commented Mar 22, 2021 at 21:14
I'm aware of it but have not used it personally. I prefer passbolt. ;-)
– Brandon Xavier
Commented Mar 22, 2021 at 21:16

Add a comment |

TomTom · Accepted Answer · 2021-03-22 18:38:18Z

-1

if I have to generate a public/private key pair for each server

Well, if you do not do this, are you ok that a hacker taking over one server has access to them all? We can not define what your risk profile looks like.

Somehow that last option seems to be like using the same password for each account.

Because it is, just more complicated - keys generally are not "Password" :)

Is it wise to store the keys in a password manager btw?

Wrong question. Is it POSSIBLE? Because Keys normally are SIGNIFICANTLY longer than passwords and a pw manager with a length limit... may simply not work.

answered Mar 22, 2021 at 18:38

TomTom

52k7 gold badges56 silver badges139 bronze badges

Guess I’ll have to watch a few more tutorials on the subject, the answer is obviously yes, I do need to create more than on pair. Keepass supports files, so it’s not about the length, but more what you do with I guess.
– vespino
Commented Mar 22, 2021 at 18:51
1

The reason for using public-key authentication of SSH client is precisely that a compromised or (more generally) malicious server gets only the public key which cannot be used to impersonate the client to any other server, as an attacker can with a shared password. This is such a good idea Diffie and Hellman got a Turing award for it.
– dave_thompson_085
Commented Mar 23, 2021 at 1:52

Add a comment |

Stack Exchange Network

Public/private key

2 Answers 2

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged
public-key
private-key
.

Hot Network Questions

Public/private key

2 Answers 2

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged public-keyprivate-key.

Related

Hot Network Questions

Not the answer you're looking for? Browse other questions tagged
public-key
private-key
.