I understand that ssh keys are a cryptographically secured way of authenticating yourself to a service or to another person, but beyond that I’m frankly at a bit of a loss.
What confuses me is that I see many developers mention their public key on their site, but how does one have just one key? I have a few for different things. And if my computer crashed, I would have to generate new ones. I obviously can’t remember the key.
Do people just save it somewhere, the sequence of numbers/letters, like in their email? And then use that one key for everything? How does someone get a personal key?
I just feel like I’m missing something about this whole theater of operations.
I mean, we walked through RSA in university; I understand the principle, but I never used it in practice until I signed up for github and heroku and few months ago and they forced me to generate some keys, something I didn’t even realize I could do before then.
5
When you generated your key pair, you created 2 keys: a private and a public (often id_rsa and id_rsa.pub).
The main point to remember is that nobody should have access to your private key apart from you. If it does fall into the hands of someone else, then you should remove your public key from any system that uses it to identify you. This way, nobody can pretend to be you.
That said, how you organise it is up to you, in my opinion. Some people have one key for everything, and just upload the public key everywhere; others will have separate keys for separate purposes.
It’s a good idea to have an encrypted backup of your keys (as with all your important files). That said, even if you do lose a private key, it’s usually not that big of a deal, as long as you can get the corresponding public key on all systems that use it changed to a new one.
0
I normally keep my key in the .ssh directory where is was generated. I have backups of my home directory that included the key.
When password protected, the keys become part of a two factor authentication. The password is something you know, while the key (or the device that holds it) is something you have. Without both you cannot authenticate.
The public/private key pairing allows you to freely share the public key without significant risk. Using the same key in multiple locations make your life simpler as you don’t have to manage multiple keys. If your key and password are compromised, access to all sites using that key may be possible. Having multiple keys may not improve security much if they are all stored on the same device and have the same password.
Where I do use additional keys, is where I have restricted use keys. Depending on what they are used for, they may not be password protected, although other security will be in place.
As a protection against key compromise having an alternate key and device allows, the use of an alternate access mechanism to disable access fro the compromised key. It is possible (likely) that the compromised key could be used to block access to at least one site.
If you do use multiple keys, you can configure ssh to use the appropriate key for each site. The remote server may allow you to configure what access the key permits.