
ssh question

 
Michael Murphy_2
Frequent Advisor

ssh question

If I generate SSH keys on a local machine for a remote machine, can I use the same key on another box (if the remote system puts the key in as "valid" for the second box in its authorized_keys file)? Will this work? We are investigating this for a DR machine. Thanks
3 REPLIES
Ryan Green
Valued Contributor

Re: ssh question

If you used ssh-keygen -t rsa ..., then you should have generated a file named id_rsa.pub. You can copy this file to another server and then use the command:

ssh-keygen -i -f filename >> authorized_keys

This will allow you to use the same key on multiple machines.
TwoProc
Honored Contributor

Re: ssh question

Yes Michael, you can use the same key for the same user across multiple machines.

Is it a good idea to do so?

No. You're killing your security. If anyone gets just one of your keys, all systems with that user are compromised.

Make a key for each user.

BUT! A DR machine is different. If that DR machine is essentially the other host "rebuilt" on the fly (scripted, recovered, mirrored, etc.), then using the whole environment, including keys, is generally the expected approach to come up quickly at the DR site.


So, yes and no, but in this case - for DR, the answer is probably yes, depending of course.
We are the people our parents warned us about --Jimmy Buffett
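An added example, not code from any of the posts in this thread, that ties together Ryan's command and TwoProc's point about sharing one key. Two facts it relies on: OpenSSH's "ssh-keygen -i -f file" converts a public key from RFC 4716 format (the SECSH / ssh.com layout that starts with "---- BEGIN SSH2 PUBLIC KEY ----") into OpenSSH format, so it is the wrong tool for an id_rsa.pub written by OpenSSH's own "ssh-keygen -t rsa"; that file is already OpenSSH format and is simply appended to authorized_keys. And when the same key pair is trusted on several hosts, as in the DR case, each host's authorized_keys entry can carry options documented in sshd(8), such as from="10.0.0.5", so a stolen private key is only usable from the expected source address. The script detects the key format, refuses RFC 4716 input with a pointer to the conversion, prepends an optional option string, skips duplicate entries, and sets the permissions sshd's StrictModes requires. The function names, the temporary directory layout and the placeholder key strings are this example's own constructions; the key strings are not real keys.

```shell
#!/bin/sh
# Added example, not code from the thread. Installs an OpenSSH public key into
# an authorized_keys file:
#   * ssh-keygen -i -f only converts RFC 4716 ("---- BEGIN SSH2 PUBLIC KEY ----")
#     files to OpenSSH format. An id_rsa.pub from OpenSSH's "ssh-keygen -t rsa"
#     is already OpenSSH format and is appended as-is, so the format is checked
#     instead of guessed.
#   * to limit the blast radius of a key trusted on several hosts, an optional
#     authorized_keys option string (e.g. from="10.0.0.5") is prepended, and
#     duplicate entries are skipped.
# Function and variable names are this example's own choices.

set -u

# key_format FILE: prints openssh, rfc4716 or unknown based on the first line.
key_format() {
    first=$(head -n 1 "$1")
    case "$first" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ssh-dss "*|"ecdsa-sha2-"*" "*|"sk-"*" "*)
            echo openssh ;;
        "---- BEGIN SSH2 PUBLIC KEY ----")
            echo rfc4716 ;;
        *)
            echo unknown ;;
    esac
}

# key_blob LINE: the "type base64" part of an OpenSSH key line, without the
# trailing comment, so duplicates are found even when the comment differs.
key_blob() {
    printf '%s\n' "$1" | awk '{ print $1, $2 }'
}

# add_authorized_key PUBKEY_FILE AUTHORIZED_KEYS [OPTIONS]
# Exit status: 0 appended, 2 already present, 1 unusable key file.
add_authorized_key() {
    pub=$1
    ak=$2
    opts=${3:-}
    fmt=$(key_format "$pub")
    if [ "$fmt" = rfc4716 ]; then
        echo "$pub is RFC 4716 format; convert it first: ssh-keygen -i -f $pub" >&2
        return 1
    elif [ "$fmt" != openssh ]; then
        echo "$pub does not look like an OpenSSH public key" >&2
        return 1
    fi
    line=$(head -n 1 "$pub")
    blob=$(key_blob "$line")
    akdir=$(dirname "$ak")
    # Create with restrictive modes: sshd (StrictModes yes) ignores an
    # authorized_keys file or ~/.ssh directory that others can write to.
    ( umask 077; mkdir -p "$akdir"; touch "$ak" )
    chmod 700 "$akdir"
    chmod 600 "$ak"
    if grep -F -q -- "$blob" "$ak"; then
        return 2
    fi
    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$line" >> "$ak"
    else
        printf '%s\n' "$line" >> "$ak"
    fi
    return 0
}

# Demo with constructed placeholder keys (not real keys, not usable for login).
demo() {
    tmp=$(mktemp -d)
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERnotAREALkey0123456789abc dr-sync@primary' \
        > "$tmp/id_ed25519.pub"
    cat > "$tmp/secsh.pub" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "placeholder"
AAAAB3NzaC1yc2E=
---- END SSH2 PUBLIC KEY ----
EOF
    # Trust the DR sync key only when the connection comes from the primary.
    add_authorized_key "$tmp/id_ed25519.pub" "$tmp/.ssh/authorized_keys" 'from="10.0.0.5"' \
        && echo "appended"
    add_authorized_key "$tmp/id_ed25519.pub" "$tmp/.ssh/authorized_keys" \
        || echo "second add returned $? (2 = already present)"
    add_authorized_key "$tmp/secsh.pub" "$tmp/.ssh/authorized_keys" \
        || echo "secsh.pub refused with status $?"
    cat "$tmp/.ssh/authorized_keys"
    rm -rf "$tmp"
}

demo
```

The demo writes into a throwaway directory and removes it; for real use, point the second argument at the target account's ~/.ssh/authorized_keys. Without the options argument this is the same plain append that ssh-copy-id performs; the options argument is what makes a key that is deliberately shared between the primary and the DR host usable only from the hosts you expect.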
Jim Walls
Trusted Contributor

Re: ssh question

I agree with most of what has been said here. But it is important to understand how public/private key (PPK) pairs work.

ssh-keygen generates a pair of keys: a private key (e.g. .ssh/id_rsa) and a corresponding public key (e.g. .ssh/id_rsa.pub). The private key must be kept secret and stored in a secure manner by the key's owner. The public key may be distributed freely to any system to which the owner requires access. The public key, on its own, is useless; only the holder of the private key can use it.

For automated processes you have little option but to maintain multiple private keys, and each server should have its own instance of those keys (certainly in the Active/DR example). But there are more secure ways of managing keys.

SSH provides a powerful tool for minimising the number of keys required by individual users for interactive access to multiple systems: Forward Authentication. In this type of setup each individual maintains a single instance of a personal private key (I keep mine on a USB stick) and distributes the corresponding public key to every system that he or she requires access to. Forward Authentication validates the keys back to the original source, even allowing multi-hop access across any number of systems. Such a setup can also be used for automated processes, but in the case of a DR you may lose access to a single instance of the private key.

In my situation, my private key follows me everywhere I go (literally; it is in my pocket!). With a product such as PuTTY (also kept on my USB stick) and given any suitable desktop PC, I can access all my servers from almost anywhere. And my private key does not have to be stored on any of them.