Do I need to generate one private key to each server, or can I spread my private key among them?

Question

Let's say I have multiple computers and multiple servers.

One computer has a private key, and its public key is spread among all of the servers.

Can I just copy my private key from this computer among my other computers to connect to the servers, or do I have to generate private keys on each computer and then authorize their public keys on each server?

If not, is there a better way to do it (that would save me some time)?

Thanks.

Answer 1

This seems to be a question where ssh-agent is the answer.

Let's assume that there is one machine that is currently accessible via the console called console-box, and a few other machines remote-box-1,remote-box-2, ... remote-box-n.

First generate a key on the console-box

(console-box)$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 

Then distribute the public key onto the remote boxen.

(console-box)$ eval $(ssh-agent) 
(console-box)$ ssh-add ~/.ssh/id_rsa
Enter passphrase for ~/.ssh/id_rsa: 
Identity added: ~/.ssh/juanje_rsa
(console-box)$ ssh -A remote-box-1
(remote-box-1)$ ssh -A remote-box-2
 ...
(remote-box-n)$ ssh -A console-box

As soon as the agent is set up on console-box and agent forwarding option is activated, you can freely ssh/scp between your many development and deployment boxes without ever typing a password.

Answer 2

To understand this question, its best to know a little about asymmetric encryption. In asymmetric encryption, you have a public key and a private key. Together they make a "keypair." The public key is used to encrypt. The private key is then used to decrypt. Note the private key can only decrypt files that were encrypted with the matching public key.

So now we know that there are 2 files needed to make everything work.

Can I just copy my private key from this computer among my other computers to connect to >the servers, or do I have to generate private keys on each computer and then authorize >their public keys on each server?

The answer simply is, yes. You can copy the public or private key to any computer and use it with any OS. As long as you have the public key, you can encrypt messages. If you have the private key, then you can decrypt those files afterwards. Its just a matter of the files being present on the computer.

If not, is there a better way to do it (that would save me some time)?

While theres no technical reason you cant copy and reuse the same keypair everytime, this is not a good practice in terms of security. For example, if you have a forest of 100 servers all sharing the same keypair, if 1 is compromised or hacked, the rest of the 99 servers are also compromised. If you have a unique keypair on each server, then they would need to compromise all 100 servers to get the same effect. The simple act of using a unique keypair everytime increases the amount of work for an attacker by orders of magnitude.