When configuring SSH key-based authentication across multiple servers, administrators face a fundamental architectural decision. Should you:

• Use a single private/public key pair across all machines (shared key approach)
• Generate unique key pairs for each server connection (per-machine approach)

Shared Key Pros:
- Simplified key management (only one private key to protect)
- Easier deployment (same public key on all servers)
- Convenient for personal development environments

Shared Key Cons:
- Single point of failure - compromised key affects all systems
- No granular revocation capabilities
- Violates principle of least privilege

Per-Machine Key Pros:
- Compartmentalized security (breach affects only one system)
- Enables precise access control
- Supports automated key rotation policies

1. Shared Key Setup:

# Generate single key pair
ssh-keygen -t ed25519 -f ~/.ssh/main_key

# Deploy to multiple servers
ssh-copy-id -i ~/.ssh/main_key.pub user@server1
ssh-copy-id -i ~/.ssh/main_key.pub user@server2

2. Per-Machine Key Strategy:

# Generate unique key for each server
ssh-keygen -t rsa -b 4096 -f ~/.ssh/server1_key -C "server1-access"
ssh-keygen -t rsa -b 4096 -f ~/.ssh/server2_key -C "server2-access"

# Configure SSH client (~/.ssh/config)
Host server1
  HostName 192.168.1.10
  User admin
  IdentityFile ~/.ssh/server1_key

Host server2
  HostName 192.168.1.20  
  User deploy
  IdentityFile ~/.ssh/server2_key

For enterprise environments, consider these enhancements:

# Example of forced command restrictions in authorized_keys
command="/usr/bin/rbash",no-agent-forwarding,no-port-forwarding ssh-ed25519 AAAAC3... user@client

Implement key rotation scripts:

#!/bin/bash
# Rotate keys every 90 days
OLD_KEY="$HOME/.ssh/server_key_$(date +%Y%m%d)"
NEW_KEY="$HOME/.ssh/server_key_$(date -d "+90 days" +%Y%m%d)"

ssh-keygen -t ed25519 -f $NEW_KEY
ssh-copy-id -i $NEW_KEY.pub user@server
mv ~/.ssh/server_key $OLD_KEY
ln -sf $NEW_KEY ~/.ssh/server_key

Based on security requirements:

• Personal/Lab Use: Single key with passphrase is acceptable
• Production Environments: Per-service keys with strict restrictions
• Critical Systems: Hardware-backed keys (Yubikey) with per-machine certificates

Always combine with:

# Mandatory SSH hardening
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3

When configuring SSH key-based authentication across multiple servers, developers often face a fundamental choice: whether to reuse a single key pair or generate unique pairs for each machine. This decision impacts security, maintenance overhead, and operational workflows.

Using one private/public key pair across all servers is the simplest implementation:

# Generate a single key pair (if you haven't already)
ssh-keygen -t ed25519 -f ~/.ssh/main_key

# Copy public key to multiple servers
ssh-copy-id -i ~/.ssh/main_key.pub user@server1
ssh-copy-id -i ~/.ssh/main_key.pub user@server2

Pros:

• Simplified key management
• Easier to revoke access (just remove one key)
• Convenient for personal development environments

Cons:

• Single point of failure - if private key is compromised, all servers are vulnerable
• No granular access control between servers

Creating unique key pairs for each connection offers better security isolation:

# Generate server-specific keys
ssh-keygen -t ed25519 -f ~/.ssh/server1_key -C "user@server1"
ssh-keygen -t ed25519 -f ~/.ssh/server2_key -C "user@server2"

# Configure SSH client to use specific keys
cat >> ~/.ssh/config <

# Example of environment-specific keys
ssh-keygen -t ed25519 -f ~/.ssh/prod_key -C "user@prod"
ssh-keygen -t ed25519 -f ~/.ssh/staging_key -C "user@staging"

# Example of adding keys to ssh-agent with timeout
ssh-add -t 8h ~/.ssh/prod_key

# Terraform example for deploying multiple keys
resource "aws_key_pair" "server_keys" {
  for_each   = toset(["web1", "db1", "cache1"])
  key_name   = "server-${each.key}-key"
  public_key = file("keys/${each.key}.pub")
}