Is it ok to share private key file between multiple computers/services?
You should definitely have separate private keys per origin. Basically that means there should generally be a single copy of each private key (not counting backups). It's ok to use the same private key from closely related machines, in situations where breaking into one basically gives you access to the other (for example if they're in each other's shosts.equiv). Don't use the same private key on machines in different realms (e.g. home and work), never share a private key between two users, and never share a private key between a laptop and any other machine.
For the most part, I don't see the point in having different private keys for different destinations. If a private key is compromised, all other private keys stored in the same directory will surely be compromised as well, so there would be added complication for no security benefit.
If you follow these principles, each key pair identifies one (machine, user) pair, which makes authorization management easier.
I can think of two exceptions to the general rule of a single private key per origin:
- If you have a passwordless key that gives access only to a specific command on a specific machine (e.g. an automated backup or notification mechanism), that key must be different from the general shell access key.
- If some machines are intermittently connected, you might have an old private key alongside a new private key, until you get around to finishing the deployment of the new key.
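The first exception above (a passwordless key that may only run one command on one machine) is usually enforced on the server with a forced command. The following wrapper is an added example, not code from the thread: the install path, the key comment and the exact rsync server command are assumptions, and the allowed string must be captured from your real client invocation.

```shell
#!/bin/sh
# Forced-command wrapper for a single-purpose, passphrase-less backup key.
# Constructed example; the paths, the key comment and the rsync command
# below are assumptions, not something from the thread.
#
# The server installs it with an authorized_keys entry such as
#   restrict,command="/usr/local/bin/backup-only" ssh-ed25519 AAAA... backup@laptop
# "restrict" disables shell, pty, port forwarding and agent forwarding;
# "command=" makes sshd run this script regardless of what the client asked
# for, and exposes the client's request in SSH_ORIGINAL_COMMAND.

# The one command this key may run. This is what "rsync -az /data/ host:/srv/backup/"
# turns into on the server side; the flag string differs between rsync
# versions, so take it from the refusal log line on the first real run.
ALLOWED='rsync --server -logDtprze.iLsfxC . /srv/backup/'

# backup_allowed REQUEST: succeed only for the exact allowed command.
# An exact comparison is deliberate: a prefix or glob match would let the
# client append options (e.g. --delete) or change the target directory.
backup_allowed() {
    [ "$1" = "$ALLOWED" ]
}

# run_restricted: invoked by sshd; runs the request or logs and refuses it.
run_restricted() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    if backup_allowed "$req"; then
        # shellcheck disable=SC2086  # word-splitting into argv is intended
        exec $req
    fi
    logger -t backup-only "refused request from ${SSH_CLIENT:-unknown}: $req"
    printf 'backup-only: command not permitted\n' >&2
    exit 1
}

# Act only when sshd actually invoked us; sourcing the file (e.g. for tests)
# just defines the functions.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    run_restricted
fi
```

Because the restricted key can never reach a shell, losing the laptop that holds it only exposes the backup target, which is the whole point of keeping it separate from the general access key.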
I don't know what the best way is, but I can tell you what my way is.
As a sysadmin I use a different key to access each server/service as root. This way, if a key is lost or compromised I limit the risk to one single server and I don't need to update all my services with brand new keys.
Speaking of users, I use a different key for each one of them. With that key the user can access the service he needs as an unprivileged user. This way, I can easily grant or revoke access to single services for each user. In case the user loses his key I can delete it from all the services and limit the risk of unauthorized access.
I believe you could use the private key anywhere as long as you put a passphrase on it, meaning to say if you would like to share your private key with a few machines, say laptop 1, 2, desktop 1, 2, it should be fine.
From my experience, my main machine is my desktop, which I do most of my job on with its powerful processor, but at times I need to use my laptop while mobile, troubleshooting in the data center and such, so I can still log in to any hosts where my public key resides.