How do you manage your ssh key pair(s)?

This is some research for a blog entry I am writing, wondering how everybody else uses SSH key pairs 🔐



My goal is to ensure that loss of control of a key should only put one local/remote pair at risk. That makes my answer roughly: "One per local account per remote account group."

I'm a little more flexible when "remote" is also on my LAN or if the remote machines are part of a scaling cluster with identical users.

Each user that uses an ssh client on my machines at home has a single key used to reach corresponding users on my other local machines. If there's a service running behind sshd, that will usually get its own (per local user) keys.

For leased remote machines, I have one key per local user to reach each remote account. My leased machines usually have at least two accounts: one admin account with sudo rights and one app-manager account with limited perms and no sudo. For groups of identical machines/VMs the authorized_keys are usually identical for convenience.

I plan to switch to certificate auth wherever possible once I finish rebuilding my home Certificate Authority.
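The property the reply aims for (losing one key exposes only one local/remote pair) can be checked mechanically against a client config. The following is an added example, not code from anyone in the thread: it parses an ssh_config, reports any IdentityFile reused across more than one remote account (HostName/User pair), and lists aliases missing `IdentitiesOnly yes` (without it the client still offers every loaded agent key to every host). The config text is constructed, and the parser assumes single-pattern `Host` lines and one `IdentityFile` per block.

```python
from collections import defaultdict

# Constructed sample ~/.ssh/config: one key deliberately shared by the
# admin and app-manager accounts on the same leased VPS to trigger a finding.
SAMPLE_CONFIG = """\
Host vps-admin
    HostName vps1.example.net
    User admin
    IdentityFile ~/.ssh/id_vps1_admin
    IdentitiesOnly yes

Host vps-app
    HostName vps1.example.net
    User appmgr
    IdentityFile ~/.ssh/id_vps1_admin

Host nas
    HostName nas.lan
    User alice
    IdentityFile ~/.ssh/id_lan_alice
    IdentitiesOnly yes
"""


def parse_ssh_config(text):
    """Return {alias: {keyword_lower: value}} for each Host block.
    Assumes one pattern per Host line and one IdentityFile per block
    (a later IdentityFile line overwrites an earlier one)."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = value
            blocks[current] = {}
        elif current is not None:
            blocks[current][key] = value
    return blocks


def audit(blocks):
    """Return (keys shared across >1 remote account, aliases without IdentitiesOnly yes)."""
    key_to_accounts = defaultdict(set)
    missing_identities_only = []
    for alias, opts in blocks.items():
        key = opts.get("identityfile")
        if key is None:
            continue  # no explicit key: nothing to attribute to this alias
        account = (opts.get("hostname", alias), opts.get("user", "<default>"))
        key_to_accounts[key].add(account)
        if opts.get("identitiesonly", "no").lower() != "yes":
            missing_identities_only.append(alias)
    shared = {k: sorted(v) for k, v in key_to_accounts.items() if len(v) > 1}
    return shared, missing_identities_only


if __name__ == "__main__":
    shared_keys, loose_aliases = audit(parse_ssh_config(SAMPLE_CONFIG))
    for key, accounts in shared_keys.items():
        print(f"key {key} reaches {len(accounts)} accounts: {accounts}")
    for alias in loose_aliases:
        print(f"alias {alias} lacks IdentitiesOnly yes")
```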

