Passwordless login via SSH from multiple computers

You either follow that procedure for multiple machines or copy the private key. Depending on your personal security requirements and workflow one might be easier or "better" than the other.

If your private key is compromised you would need to remove it from the authorized_keys file and/or revoke it. In addition, depending on your workflow, you would need to enroll a new key for multiple machines. Having one key per machine would likely be more secure but also potentially more management overhead.


I use one key per host, the public keys have the name of the host they were generated on as a comment for that reason. You can use ssh-copy-id to install the key quickly.

If you have lots of different hosts you work on, it may be better to get a smartcard and a reader for it (there are readers in USB keyfob format, with enough space to hold the card inside), which allows you to take your private key with you easily, and makes sure it cannot be copied.


There are multiple 'passwordless' methods, some requiring copying keys around, other have different options:

SSH CA: you setup an SSH CA and distribute the CA Public Key to the servers. Then using the SSH CA's Private Key you sign the Public Keys you want to allow access to those systems that trust the CA. This has a number of benefits:

  • Additional keys don't have to be distributed over and over again
  • You can issue timed signed keys to limit the validity and thus exposure of key pairs, all without changing anything on the destination servers
  • You can limit what a user can do by adding extra parameters to a signature such as what usernames are allowed

as a downside, if you sign a public key for an indefinite period, the only way to undo that is to create a new CA or blacklist the specific public key on every individual system.

Other option: Kerberos. This is much more involved to setup (but made easier since systems like FreeIPA package it up quite nicely). Instead of logging in everywhere, you log in once which gives you a Kerberos ticket. This ticket can then be used to authenticate to various systems like websites, fileshares and SSH servers.

Your own option:

Use simple key pairs (a private key and a public key). Either copy the private key to every system you want to connect from and the public key to every system you want to connect to, or create unique pairs per system and copy every public key to every system you want to connect to.

Tags:

Ssh

Ssh Keys

Recent Posts