I have a handful of servers that I log in to regularly, and I have started to create separate ssh-keys for each client-server pair instead of following the standard practice of just one ssh-key per client.
The basic idea
If you only have one ssh-key and it gets compromised, accidentally (or intentionally, by your nemesis), it's quite a chore to hunt down all the places where you used that key, replace it, and check for unauthorized access. Instead, we create one ssh-key for each client-server pair.
In theory
Say you have a client and two servers cleverly named Server1 (10.0.0.10) and Server2 (10.0.0.11).
First you create a directory under ~/.ssh called keys, and in this directory you create two new keys by running ssh-keygen -f mrfoo@10.0.0.10 and ssh-keygen -f mrfoo@10.0.0.11.
Then you update your ~/.ssh/config and add IdentityFile ~/.ssh/keys/%r@%h. This makes your ssh client look for a user/host-specific key when you connect to a server. We use both %r (remote username) and %h (hostname) so that we can have separate ssh-keys for different users on the same host.
In practice
Your ~/.ssh/config file might look like this when you're done:
IdentityFile ~/.ssh/keys/%r@%h
host server1
hostname 10.0.0.10
user mrfoo
host server2
hostname 10.0.0.11
user mrfoo
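As an added example (not part of the original post), here is a small audit script that reads a config like the one above, expands %r@%h the way ssh does for IdentityFile, and compares the result with what is actually in ~/.ssh/keys. The sample config and the directory listing are constructed inline; the parser only understands the keywords the post uses, and the local username mrfoo is assumed.

```python
# Constructed sample input: the ~/.ssh/config shown in the post.
SAMPLE_CONFIG = """\
IdentityFile ~/.ssh/keys/%r@%h
host server1
hostname 10.0.0.10
user mrfoo
host server2
hostname 10.0.0.11
user mrfoo
"""
# Constructed sample listing of ~/.ssh/keys: server2's key was never made,
# and a key for a host that is no longer in the config is still lying around.
SAMPLE_KEYS = {"mrfoo@10.0.0.10", "mrfoo@10.0.0.10.pub", "mrfoo@10.0.0.99"}

def parse_ssh_config(text):
    """Minimal ssh_config reader for the keywords the post uses (Host, HostName,
    User, IdentityFile). Returns the IdentityFile template set before the first
    Host block plus one dict per Host block. Keywords are case-insensitive."""
    global_identity, hosts, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            # HostName defaults to the alias until a hostname line overrides it.
            current = {"alias": value, "hostname": value, "user": None, "identityfile": None}
            hosts.append(current)
        elif current is None and key == "identityfile":
            global_identity = value
        elif current is not None and key in ("hostname", "user", "identityfile"):
            current[key] = value
    return global_identity, hosts

def expected_key_name(host, global_identity, local_user):
    """Expand %r (remote user) and %h (hostname) the way ssh does for IdentityFile.
    %h is the HostName value, so server1's key is mrfoo@10.0.0.10, not mrfoo@server1."""
    template = host["identityfile"] or global_identity
    remote_user = host["user"] or local_user  # %r falls back to the local login name
    expanded = template.replace("%r", remote_user).replace("%h", host["hostname"])
    return expanded.rsplit("/", 1)[-1]  # just the file name under ~/.ssh/keys

def audit_keys(config_text, existing_keys, local_user):
    """Return (missing, orphaned): pairs whose key file does not exist (ssh would
    silently fall back to whatever ssh-agent offers) and private keys no Host references."""
    global_identity, hosts = parse_ssh_config(config_text)
    expected = {expected_key_name(h, global_identity, local_user) for h in hosts}
    private = {k for k in existing_keys if not k.endswith(".pub")}
    return sorted(expected - private), sorted(private - expected)
```

Note that a missing IdentityFile is ignored silently, and keys loaded into ssh-agent are still offered regardless of this setting, so the per-pair isolation only holds if you also set IdentitiesOnly yes for these hosts.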
In conclusion
Good luck!