I have a handful servers where I login regularly and started to created separate ssh-keys for each client-server pair instead of the standard practice of just one ssh-key per client.
The basic idea
If you only have one ssh-key and it get accidentally (or intentionally by your nemesis) itโs quite a chore to hunt down all the places where you used that key to change it and check for unauthorized access. Instead we create one ssh-key for each client-server pair.
In theory
Say you have a client and two servers cleverly named Server1 (10.0.0.10) and Server2 (10.0.0.11).
First you create a directory under ~/.ssh called keys and in this directory you create two new keys by running ssh-keygen -f [email protected] and ssh-keygen -f [email protected].
Then you update your ~/.ssh/config and add IdentityFile ~/.ssh/keys/%r@%h. This will make your ssh-client check for a user/host-specific key when you connect to a server. We use both %r (remote username) and %h (hostname) to be able to have separate ssh-keys for different users on a host.
In practice
Your ~/.ssh/config file might look like this when youโre done:
IdentityFile ~/.ssh/keys/%r@%h
host server1
hostname 10.0.0.10
user mrfoo
host server2
hostname 10.0.0.11
user mrfoo
In conclusion
Good luck! ๐