user3147180

Reputation: 943

Confused regarding ssh keys on linux

I have a few doubts regarding using a private/public key on Linux.

Suppose I have two Linux boxes, A and B.

I want to use passwordless logins to B from any computer.

So on A I did this:

    ssh-keygen -t rsa

and it made two files, id_rsa and id_rsa.pub.

Then I copied id_rsa.pub to B as ~/.ssh/A_id_rsa.pub and then ran

    cat A_id_rsa.pub >> authorized_keys

Now I have these questions:

  1. Suppose I have another computer C where I also want to have passwordless login, but I want to use a passphrase to protect the private key. So can I generate another key using ssh-keygen -t rsa with a different name and use that, or do I have to delete the previous key?

  2. The other thing is, for passwordless logins, do I need to do anything with keys from B to A, or is it always from A to B?

  3. So the private key will always stay on the host computer only? I have seen that AWS gives the private key for login. Then why is that? Because for putting A's public key on B someone needs to access B, which is not possible the first time. So does it mean we can log in with either the public key or the private key?

Upvotes: 1

Views: 112

Answers (2)

Vasu

Reputation: 62

In a quick line or two:

The keys somewhat work like (very roughly): you need the public key to decrypt what is encrypted by the private key and vice versa. To be more precise, http://en.wikipedia.org/wiki/Public-key_cryptography has way better information to start with.

So to answer the questions: The private key is not normally tied to a computer. You could copy the private key from, say A to C and could login by using it from C.

You could generate multiple keys on a single host, one key pair for each set of hosts. Similarly, you could generate keys from multiple hosts, each host publishing its key to the target computer's (B in this example) 'authorized_keys' file.

Ideally, the private key should be as secret as possible. While SSH or key management would not force having the key on one computer, it should be limited to a single system as a best practice. Having said that, as far as I know there is really nothing that prevents copying the private key around, say for backup or migration to a new system. In other words, the private key file is like the password: it could literally be used from any system to log in.

Upvotes: 0

user3352495

Reputation: 391

  1. Yes, you can generate a key pair on C and do the same that you did for A:

    cat C_id_rsa.pub >> authorized_keys

  2. The keys will only allow logins from A to B.

  3. Yes, the private key will stay on the host computer. I believe AWS automatically puts the public key on computer B while it creates the virtual box.

Upvotes: 1
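The procedure from the question (generate a key pair, append the .pub line to authorized_keys on B) and point 1 of this answer (a second key pair, protected by a passphrase, kept under its own file name), as an added POSIX shell example that is not part of the question or either answer. The host alias "boxB", the file paths, the passphrase and the sample public-key line are constructed placeholders, not real keys or hosts; key generation is skipped when ssh-keygen is not installed so the remaining checks still run.

```shell
#!/bin/sh
# Added example, not code from the question or either answer. Paths, the host
# alias "boxB", the key file names and the sample key line are constructed
# placeholders, not real keys or hosts.

# Question 1: a second key pair with its own file name and its own passphrase
# leaves the first pair (id_rsa / id_rsa.pub) untouched. -N sets the passphrase
# that encrypts the private key on disk; an empty string means none.
# Skipped when ssh-keygen is not installed, so the checks below still run.
make_keypair() {
    keyfile="$1"; passphrase="$2"
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -q -t rsa -b 4096 -f "$keyfile" -N "$passphrase" -C "constructed-example"
    fi
}

# Only the public half belongs in authorized_keys. Accept a single public-key
# line and refuse anything that looks like a private key pasted by mistake.
is_public_key_line() {
    line="$1"
    case "$line" in
        *"PRIVATE KEY"*) return 1 ;;
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp"*) ;;
        *) return 1 ;;
    esac
    keydata=$(printf '%s\n' "$line" | awk '{ print $2 }')
    [ -n "$keydata" ] || return 1
    case "$keydata" in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # second field must be base64
    esac
    return 0
}

# The "cat A_id_rsa.pub >> authorized_keys" step from the question, made
# idempotent and given the permissions sshd's StrictModes expects
# (~/.ssh 700, authorized_keys 600); with looser modes the key is ignored.
install_authorized_key() {
    sshdir="$1"; line="$2"
    is_public_key_line "$line" || return 1
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    authkeys="$sshdir/authorized_keys"
    touch "$authkeys" && chmod 600 "$authkeys"
    grep -qxF -- "$line" "$authkeys" || printf '%s\n' "$line" >> "$authkeys"
}

# Number of non-empty lines (keys) currently installed for this ~/.ssh.
count_authorized_keys() {
    grep -c . "$1/authorized_keys"
}

# With two key files, tell the client which one to offer to which host so you
# need not pass -i every time. IdentitiesOnly stops the client from offering
# every other key it knows about to that host.
write_host_stanza() {
    config="$1"; alias="$2"; hostname="$3"; keyfile="$4"
    printf 'Host %s\n    HostName %s\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' \
        "$alias" "$hostname" "$keyfile" >> "$config"
    chmod 600 "$config"
}

# Walk-through on a throwaway directory standing in for ~/.ssh on B.
demo() {
    work=$(mktemp -d)
    make_keypair "$work/id_rsa_for_b" "constructed-passphrase"
    sample="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedNotARealKey0000000000 user@A"
    install_authorized_key "$work/.ssh" "$sample"
    install_authorized_key "$work/.ssh" "$sample"   # second call adds nothing
    write_host_stanza "$work/config" boxB b.example.invalid "$work/id_rsa_for_b"
    echo "keys on B: $(count_authorized_keys "$work/.ssh")"
    cat "$work/config"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh example.sh demo` to see the walk-through; in real use the `install_authorized_key` step runs on B (or via `ssh-copy-id -i keyfile.pub user@B`, which does the same append) and the `write_host_stanza` output goes into ~/.ssh/config on the client, after which `ssh boxB` picks the right key.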
