Blog | G5 Cyber Security

SSH Keys: One per User vs. Multiple per Host

TL;DR

Generally, one SSH key per user is the better practice for security and manageability. While multiple keys per host are possible, they add complexity without significant benefit in most cases.

Why One Key Per User?

  1. Security: If a single key is compromised, it only affects one user account. With multiple keys per host, compromise of the host could expose all associated accounts.
  2. Auditing & Revocation: It’s much easier to track and revoke access when each user has their own key. You can quickly disable a user’s access by removing their key from authorized_keys files across your systems.
  3. Simplicity: Managing one key per user is simpler for both users and administrators.
  4. Automation: Key management tools (like Ansible, Chef, Puppet) work more effectively with a one-key-per-user model.

How to Implement One Key Per User

  1. Key Generation: Each user should generate their own SSH key pair on their local machine.
    ssh-keygen -t rsa -b 4096

    This creates a private key (e.g., ~/.ssh/id_rsa) and a public key (e.g., ~/.ssh/id_rsa.pub). Never share the private key!

  2. Key Distribution: Copy the user’s public key to the authorized_keys file on each server they need access to.
    ssh-copy-id username@server_address

    Alternatively, manually append the public key to ~/.ssh/authorized_keys on the server.

  3. Permissions: Ensure correct permissions on the user’s SSH directory and authorized_keys file.
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys
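The three steps above, plus the revocation described under "Auditing & Revocation", as one added shell script for this page (it is not the post's own code). It builds the .ssh directory and authorized_keys file with the permissions given above, appends a public key only once, lists the comment field that identifies each key's owner, and removes a user's key again. The public key lines are constructed placeholders (not real key material) so the script runs offline without ssh-keygen, it works in a temporary directory rather than a real ~/.ssh, and the function names are assumptions. Matching is on the comment field, so it assumes each line has the form `type blob comment` with a single-word comment and no leading options.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX userland with
# sh, grep, awk, mktemp and ls. All paths and key lines here are constructed.

# Constructed sample key line in OpenSSH format: type, base64 blob, comment.
# The blob is a placeholder, not a real key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7EXAMPLEPLACEHOLDERBLOB alice@laptop'

# Step 2 + 3: install one public key line for a user. Creates the .ssh
# directory with mode 700 and authorized_keys with mode 600, then appends
# the key only if an identical line is not already present (idempotent).
install_authorized_key() {
    keyfile="$1"    # path to the authorized_keys file
    pubkey="$2"     # one public-key line
    sshdir=$(dirname "$keyfile")
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$keyfile"
    chmod 600 "$keyfile"
    if grep -qxF "$pubkey" "$keyfile"; then
        return 0    # already installed
    fi
    printf '%s\n' "$pubkey" >> "$keyfile"
}

# Audit helper: print the comment (third field) of every key line. With one
# key per user, the comment is what tells you whose access each line grants.
list_key_comments() {
    awk 'NF >= 3 && $1 !~ /^#/ { print $3 }' "$1"
}

# Count active key lines (skips blank lines and "#" comments).
count_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Revocation: drop every key line whose comment matches the given user tag.
# Writing through cat keeps the original file's inode and its 600 mode.
revoke_key_by_comment() {
    keyfile="$1"
    comment="$2"
    tmp=$(mktemp)
    awk -v c="$comment" '!(NF >= 3 && $3 == c)' "$keyfile" > "$tmp"
    cat "$tmp" > "$keyfile"
    rm -f "$tmp"
}

# Permission check: the first ten characters of "ls -ld", e.g. drwx------.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone demonstration in a throwaway directory (never a real ~/.ssh).
demo_dir=$(mktemp -d)
demo_file="$demo_dir/.ssh/authorized_keys"
install_authorized_key "$demo_file" "$SAMPLE_KEY"
install_authorized_key "$demo_file" "$SAMPLE_KEY"   # second call is a no-op
echo "keys after install: $(count_keys "$demo_file")"
echo "dir mode: $(mode_string "$demo_dir/.ssh"), file mode: $(mode_string "$demo_file")"
echo "owners: $(list_key_comments "$demo_file")"
revoke_key_by_comment "$demo_file" "alice@laptop"
echo "keys after revoke: $(count_keys "$demo_file")"
rm -rf "$demo_dir"
```

Because each authorized_keys line carries exactly one user's comment, revoking that user is a single filter over the file, which is the manageability argument the post makes; a host that accumulates several keys per account loses that one-to-one mapping and the audit has to fall back on fingerprints.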

Multiple Keys Per Host – When Might It Be Considered?

There are limited scenarios where multiple keys per host might be considered, but these are less common:

Risks of Multiple Keys Per Host

Best Practice Summary

  1. Stick to one SSH key per user whenever possible.
  2. Use strong passwords or passphrases for your private keys.
  3. Regularly review and revoke unused keys.
  4. Consider using a cyber security key management system for larger deployments.