I have a handful of servers where I log in regularly and have started to create separate ssh-keys for each client-server pair instead of the standard practice of just one ssh-key per client.

The basic idea

If you only have one ssh-key and it gets accidentally (or intentionally, by your nemesis) compromised, it's quite a chore to hunt down all the places where you used that key to change it and check for unauthorized access. Instead we create one ssh-key for each client-server pair.

In theory

Say you have a client and two servers cleverly named Server1 and Server2.

First you create a directory under ~/.ssh called keys and in this directory you create two new keys by running ssh-keygen -f [email protected] and ssh-keygen -f [email protected].

Then you update your ~/.ssh/config and add IdentityFile ~/.ssh/keys/%r@%h. This will make your ssh-client check for a user/host-specific key when you connect to a server. We use both %r (remote username) and %h (hostname) to be able to have separate ssh-keys for different users on a host.

In practice

Your ~/.ssh/config file might look like this when you're done:

IdentityFile ~/.ssh/keys/%r@%h

host server1
user mrfoo

host server2
user mrfoo
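
To check that every host block in such a config actually has its own key, here is an added audit script (not part of the original post). The function names and the MISSING / LOOSE-PERMS labels are made up for this example, and it assumes the simple one-host, one-user blocks shown above.

```shell
#!/bin/sh
# Added example: audit per-pair keys against a config laid out like the one above.
# Assumes each "host" block names one literal host and sets one "user";
# HostName, Match and wildcard host patterns are not interpreted.

# Print "user@host" (the expansion of %r@%h) for every host block in config $1.
list_pairs() {
    awk '
        function emit() { if (host != "" && user != "") print user "@" host }
        tolower($1) == "host" { emit(); host = ($2 ~ /[*?!]/) ? "" : $2; user = "" }
        tolower($1) == "user" { user = $2 }
        END { emit() }
    ' "$1"
}

# Check key directory $2 against config $1. Prints one finding per line and
# returns 1 if any key is missing or accessible by group or others.
audit_pair_keys() {
    config=$1; keydir=$2; rc=0
    for pair in $(list_pairs "$config"); do
        key="$keydir/$pair"
        if [ ! -f "$key" ]; then
            echo "MISSING $pair"; rc=1
        elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            echo "LOOSE-PERMS $pair"; rc=1
        fi
    done
    return $rc
}

# Usage: sh audit.sh ~/.ssh/config ~/.ssh/keys
if [ "$#" -eq 2 ]; then audit_pair_keys "$1" "$2"; fi
```

For configs that use HostName or Match, `ssh -G server1` prints the options the client resolves for that host and is the authoritative source.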

In conclusion

Good luck! 🙂