Yes, you can absolutely associate multiple public keys with a single SSH user account. This is a common practice in enterprise environments where users need access from multiple devices or require different key strengths for various use cases.
To set this up, simply append additional public keys to the `~/.ssh/authorized_keys` file, each on its own line. For example:
```
ssh-rsa AAAAB3Nza... user@laptop1
ssh-rsa AAAAB3Nza... user@laptop2
ecdsa-sha2-nistp256 AAAAE2VjZH... user@mobile
```
While SSH doesn't natively support different home directories per key, you can achieve similar functionality using `command=` restrictions in `authorized_keys`:
```
command="rsync --server --sender -vlogDtpr . /custom/path/" ssh-rsa AAAAB3Nza... key-for-backups
```
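Or more flexibly using the `AuthorizedKeysCommand` directive in `sshd_config`. sshd requires the program to be owned by root and not writable by group or others:
```
Match User youruser
    AuthorizedKeysCommand /etc/ssh/key-mapping-script %u %k %t
    AuthorizedKeysCommandUser nobody
```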
Typical reasons to keep several keys on one account:
- Device-specific access control (revoke individual devices without affecting others)
- Key rotation without service interruption
- Different access levels from different locations
- Separate keys for automated processes vs interactive login
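Here's a sample script (`/etc/ssh/key-mapping-script`) that implements directory redirection:
```bash
#!/bin/bash
# Called by sshd as: key-mapping-script %u %k %t
user=$1      # login name (%u)
key=$2       # base64-encoded public key offered by the client (%k)
key_type=$3  # key type (%t); not used below

# Look the key up as a fixed string: base64 contains characters grep would treat as regex.
# The file must be readable by the AuthorizedKeysCommandUser account.
entry=$(grep -m1 -F -- "$key" "/home/$user/.ssh/authorized_keys")
[ -n "$entry" ] || exit 0   # unknown key: print nothing

case $key in
  "AAAAB3Nza...")
    # $SHELL stays literal here; it is expanded when the forced command runs
    printf '%s %s\n' 'command="cd /projects/alpha; $SHELL"' "$entry"
    ;;
  "AAAAE2VjZH...")
    printf '%s %s\n' 'command="cd /projects/beta; $SHELL"' "$entry"
    ;;
  *)
    printf '%s\n' "$entry"
    ;;
esac
```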
When implementing multiple keys:
- Always use key comments to identify each key's purpose
- Set appropriate key restrictions (from, command, etc.)
- Regularly audit and rotate keys
- Consider implementing certificate-based authentication for large deployments
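An audit pass over `authorized_keys` along the lines of the checklist above, as an added example that is not part of the original page: it flags entries with no comment, no `from=`/`command=`/`restrict` option, or a key that already appears on an earlier line. The function names and the sample entries are constructed for illustration, and the key blobs are placeholder bytes rather than real keys.

```python
import base64
import hashlib
import re

# A first field that is not a key-type name is the options field.
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+|sk-[\w-]+@openssh\.com)$")
QUOTED = r'"(?:\\.|[^"\\])*"'  # double-quoted option value, may contain spaces

def fingerprint(blob):
    """SHA256 fingerprint in the format `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text):
    """Map line number -> findings for entries that need attention."""
    findings, seen = {}, {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        f = re.findall(rf"(?:{QUOTED}|\S)+", line)  # whitespace split that respects quotes
        options = "" if KEY_TYPE.match(f[0]) else f.pop(0)
        try:
            fp = fingerprint(f[1]) if KEY_TYPE.match(f[0]) else None
        except (IndexError, ValueError):  # missing field or blob that is not base64
            fp = None
        if fp is None:
            findings[n] = ["unparseable entry"]
            continue
        names = {o.split("=")[0].lower() for o in re.sub(QUOTED, "", options).split(",")}
        issues = [] if len(f) > 2 else ["no comment"]
        if not names & {"restrict", "command", "from"}:
            issues.append("no restriction")
        if fp in seen:
            issues.append(f"duplicate of line {seen[fp]}")
        seen.setdefault(fp, n)
        if issues:
            findings[n] = issues
    return findings

# Constructed sample: the blobs are placeholder bytes, not real keys.
fake_blob = lambda s: base64.b64encode(s.encode()).decode()
SAMPLE = "\n".join([
    "# constructed authorized_keys",
    f"ssh-ed25519 {fake_blob('key-A')} user@laptop1",
    f'command="rsync --server --sender -vlogDtpr . /custom/path/",restrict ssh-rsa {fake_blob("key-B")} key-for-backups',
    f'from="192.0.2.0/24" ssh-ed25519 {fake_blob("key-C")}',
    f"ssh-ed25519 {fake_blob('key-A')} user@laptop2",
])
```

`audit(SAMPLE)` reports line 2 as unrestricted, line 4 as missing a comment, and line 5 as an unrestricted duplicate of line 2; the `rsync` entry on line 3 passes.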
When configuring SSH servers, it's absolutely possible (and sometimes recommended) to associate multiple public keys with a single user account. The standard `authorized_keys` file format supports this by allowing multiple key entries: simply add each public key on a new line.
```
# Example authorized_keys file with multiple keys
ssh-rsa AAAAB3NzaC1yc2E... user1@workstation1
ssh-ed25519 AAAAC3NzaC1lZDI... user1@mobile-device
ecdsa-sha2-nistp256 AAAA... user1@backup-device
```
There are several compelling use cases for this configuration:
- Device-Specific Access: Different keys for laptop, desktop, and mobile devices
- Role-Based Permissions: Keys with varying command restrictions (using `command=` options)
- Key Rotation Strategy: Maintaining old keys during migration periods
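SSH allows fine-grained control through options in the `authorized_keys` file. The `environment=` option is honoured only when `PermitUserEnvironment` is enabled in `sshd_config`, and it is disabled by default:
```
# Key-specific environment variables and directory overrides
environment="HOME=/custom/path1" ssh-rsa AAAA... key1
environment="HOME=/custom/path2" ssh-rsa AAAA... key2
```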
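For more complex scenarios, consider using `Match` blocks in `sshd_config`. `Match` selects on criteria such as `User`, `Group`, `Host` and `Address`; it has no criterion for the key that authenticated (`KeyAlias` is not an sshd keyword, and sshd rejects a configuration that uses it), so a `Match` block applies to every key of the matched user and per-key behaviour has to come from `authorized_keys` options such as `command=`:
```
# Applies to all of username's keys; sshd cannot select a Match block by key
Match User username
    ChrootDirectory /restricted/work
    ForceCommand /bin/work-script
```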
When implementing multiple keys:
- Regularly audit and prune unused keys
- Implement key comments that identify the specific device/purpose
- Consider certificate-based authentication for large-scale deployments
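Here's a bash script to manage multiple keys:
```bash
#!/bin/bash
set -euo pipefail
shopt -s nullglob   # an empty KEY_DIR gives zero iterations, not a literal "*.pub"

USER="deploy"
KEY_DIR="/etc/ssh/authorized_keys.d"
AUTH_KEYS="/home/$USER/.ssh/authorized_keys"

# Build the new file beside the target so logins never see a half-written file
tmp=$(mktemp "$AUTH_KEYS.XXXXXX")
echo "# Auto-generated keys for $USER" > "$tmp"

# Add all current keys with timestamps
for key in "$KEY_DIR"/*.pub; do
    echo "# Added $(date +%F) from ${key##*/}" >> "$tmp"
    cat "$key" >> "$tmp"
    echo >> "$tmp"
done

# Replace the existing keys in one atomic rename
chmod 600 "$tmp"
chown "$USER" "$tmp"
mv "$tmp" "$AUTH_KEYS"
```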