Is it a bad idea to use the same private ssh key on multiple computers?

Solution 1:

Yes, this is possible. Your private key isn't tied to a single machine.

Not sure what you mean by non-obvious; that's often subjective ;). It's not a bad idea at all if you make sure you have a very strong passphrase set, 20 characters at least.

There are no issues with connecting with the same key as your desktop. I would set up an ssh agent for your key on the laptop, and forward the agent to the desktop, so you'll be using that key on other systems you access from there.

From the ssh-agent man page on a Linux system:

ssh-agent is a program to hold private keys used for public key authentication (RSA, DSA). The idea is that ssh-agent is started in the beginning of an X-session or a login session, and all other windows or programs are started as clients to the ssh-agent program. Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using ssh(1).

You would run this on your laptop, either as the ssh-agent program on Linux/Unix (it comes with OpenSSH), or with the PuTTY agent if you're using Windows. You do not need the agent running on any remote systems; it purely keeps your private key in memory on the local system so you only have to enter your passphrase one time, to load the key in the agent.

Agent forwarding is a feature of the ssh client (ssh or putty) that simply persists the agent through to other systems through the ssh connection.
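The laptop-side setup described in this answer, as an added example that is not part of the original post: start one agent for the login session, load the key once, and enable agent forwarding only for the desktop host rather than globally (a root user on any host you forward to can use the forwarded agent while you are connected). The host alias `desktop`, its hostname, the user name and the key path are assumptions; the config keywords are standard OpenSSH ones.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes OpenSSH on the laptop.

# Return 0 when an ssh-agent socket is reachable through SSH_AUTH_SOCK.
agent_reachable() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Start an agent for this session only if none is reachable, then load the
# key once; the passphrase is asked at load time, not on every connection.
start_agent_and_load_key() {
    key="${1:-$HOME/.ssh/id_ed25519}"     # assumed key path
    if ! agent_reachable; then
        eval "$(ssh-agent -s)" >/dev/null   # exports SSH_AUTH_SOCK / SSH_AGENT_PID
    fi
    ssh-add "$key"
}

# Append a per-host block to an ssh_config file. ForwardAgent is scoped to
# the one host you will hop onward from, so other hosts never see the agent.
write_forwarding_config() {
    cfg="$1"; alias="$2"; hostname="$3"; user="$4"
    cat >>"$cfg" <<EOF
Host $alias
    HostName $hostname
    User $user
    ForwardAgent yes
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519
EOF
}

# Usage on the laptop (hostnames below are assumed placeholders):
if [ "${1:-}" = "--demo" ]; then
    start_agent_and_load_key "$HOME/.ssh/id_ed25519"
    ssh-add -l                                # confirm the key is loaded
    write_forwarding_config "$HOME/.ssh/config" desktop desktop.example.internal "$USER"
    echo "now: ssh desktop, then ssh onward from there using the forwarded agent"
fi
```

With `IdentitiesOnly yes` the client offers only the listed key to that host instead of every key in the agent, which keeps the agent from leaking which other identities you hold.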

Solution 2:

I used to use a single private key across all of my machines (on some of which I am only a user, not an admin), but recently changed this. Having the one key works, but it means that if you need to revoke the key (if it is compromised), then you will need to change it on all machines.

Of course, if an attacker gets access and is able to ssh into another machine, they can then get the key from that machine, and so on. But it makes me feel a little safer to know I can revoke just one key, and lock that machine out. It does mean I need to remove the key from the authorized_keys file, though.
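The revocation step this answer ends on, as an added example that is not part of the original post: with one key per machine, locking a machine out means deleting just that key's line from `authorized_keys` on each server. Matching on the base64 key blob rather than the trailing comment is robust to renamed comments and to option prefixes such as `from="..."`. The key blobs and user names below are constructed sample data, not real keys.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes POSIX sh and awk.

# Print the key blob (the base64 field starting with "AAAA") from a .pub file.
pubkey_blob() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; exit } }' "$1"
}

# Remove every authorized_keys line carrying the given blob, keep everything
# else (other keys, comments, blank lines), and restore 0600 on the file.
revoke_blob() {
    authorized="$1"; blob="$2"
    tmp="$authorized.tmp.$$"
    awk -v b="$blob" '{ keep = 1; for (i = 1; i <= NF; i++) if ($i == b) keep = 0 } keep' \
        "$authorized" >"$tmp" && mv "$tmp" "$authorized"
    chmod 600 "$authorized"
}

# Count key lines, ignoring blank lines and comments.
count_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Constructed sample file: one key per machine, identified by comment.
write_sample_authorized_keys() {
    cat >"$1" <<'EOF'
# constructed sample, not real keys
ssh-ed25519 AAAAfakeblobDesktop0001 me@desktop
from="10.0.0.0/8" ssh-ed25519 AAAAfakeblobLaptop00002 me@laptop
ssh-rsa AAAAfakeblobOldserver03 me@oldserver
EOF
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_sample_authorized_keys "$d/authorized_keys"
    printf 'ssh-ed25519 AAAAfakeblobLaptop00002 me@laptop\n' >"$d/laptop.pub"
    echo "before: $(count_keys "$d/authorized_keys") keys"
    revoke_blob "$d/authorized_keys" "$(pubkey_blob "$d/laptop.pub")"
    echo "after:  $(count_keys "$d/authorized_keys") keys"
    cat "$d/authorized_keys"    # the laptop line is gone, the other two remain
    rm -rf "$d"
fi
```

Run this once per server the laptop key was installed on; the public key file kept on the laptop (or a copy of it elsewhere) is all that is needed to identify the line to remove.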