
I just watched this video https://youtu.be/ZhMw53Ud2tY and the question I have is whether I have to generate a public/private key pair for each server I’m looking to log in to, or if I just generate one pair and use that for each server. Somehow that last option seems to be like using the same password for each account.

Is it wise to store the keys in a password manager btw? I’m using keepass as password manager.


2 Answers

1

If you:

  • Keep your private key only on your workstation(s) (good ol' common sense)
  • Put a good passphrase on your private key (protects you from a hacker stealing your private key)
  • Use and configure agent forwarding properly (reduces the need to keep your private key on other devices)

you should not need a keypair per server.

Think about it - should your workstation be compromised, the hacker is going to take all your keys - whether it's 1 pair or 20 pairs for 20 servers you log into.

2
  • Have you by any chance ever worked with keepass before?
    – vespino
    Commented Mar 22, 2021 at 21:14
  • I'm aware of it but have not used it personally. I prefer passbolt. ;-) Commented Mar 22, 2021 at 21:16
-1

if I have to generate a public/private key pair for each server

Well, if you do not do this, are you ok that a hacker taking over one server has access to them all? We can not define what your risk profile looks like.

Somehow that last option seems to be like using the same password for each account.

Because it is, just more complicated - keys generally are not "Password" :)

Is it wise to store the keys in a password manager btw?

Wrong question. Is it POSSIBLE? Because keys are normally SIGNIFICANTLY longer than passwords, and a pw manager with a length limit... may simply not work.

2
  • Guess I’ll have to watch a few more tutorials on the subject; the answer is obviously yes, I do need to create more than one pair. Keepass supports files, so it’s not about the length, but more what you do with it, I guess.
    – vespino
    Commented Mar 22, 2021 at 18:51
  • 1
    The reason for using public-key authentication of the SSH client is precisely that a compromised or (more generally) malicious server gets only the public key, which cannot be used to impersonate the client to any other server, as an attacker can with a shared password. This is such a good idea Diffie and Hellman got a Turing award for it. Commented Mar 23, 2021 at 1:52
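The per-host layout debated in both answers, as an added example that is not from the question or either answer: one passphrase-protected ed25519 key per server, pinned to that host with `IdentitiesOnly yes` so the client never offers the other keys (and thereby never reveals which other accounts it holds) to a server that did not receive them. The host names, user names and the `SSH_DIR` location are constructed assumptions; it uses only standard OpenSSH options.

```shell
#!/bin/sh
# Per-host SSH key layout (added example, not the answers' own code).
# Assumes an OpenSSH client. SSH_DIR defaults to a temp dir so this runs offline;
# set SSH_DIR=$HOME/.ssh to use it for real.
SSH_DIR="${SSH_DIR:-$(mktemp -d)}"

# Emit one ssh_config block that binds exactly one key to one host.
# IdentitiesOnly stops ssh from trying every agent-loaded key against every
# server; ForwardAgent stays off unless a specific host needs it.
host_block() {
  host="$1"; hname="$2"; user="$3"
  cat <<EOF
Host $host
    HostName $hname
    User $user
    IdentityFile $SSH_DIR/id_ed25519_$host
    IdentitiesOnly yes
    ForwardAgent no
EOF
}

# Create the key for one host if it does not exist yet. ssh-keygen prompts for
# the passphrase interactively so it never lands in shell history; -a 100 raises
# the KDF rounds, slowing offline guessing against a stolen key file.
gen_key() {
  key="$SSH_DIR/id_ed25519_$1"
  [ -f "$key" ] && return 0
  command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 1; }
  ssh-keygen -q -t ed25519 -a 100 -C "${USER:-user}@$1" -f "$key"
}

# Number of IdentityFile lines in a config; with one block per host this
# equals the host count, i.e. no key is shared between servers.
distinct_keys() {
  grep -c '^ *IdentityFile ' "$1"
}

# Write a config for two constructed hosts and print its path.
write_config() {
  cfg="$SSH_DIR/config"
  { host_block web1 web1.example.com deploy
    host_block db1 db1.example.com dba; } > "$cfg"
  chmod 600 "$cfg"
  echo "$cfg"
}
```

After `write_config`, run `gen_key web1` and `gen_key db1` (each prompts for its own passphrase), then `ssh web1` picks the right key by itself; if either workstation key is stolen, only that one server's access needs to be rotated.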
