Reputation: 75
I am building a service that is distributed across multiple machines that logs into other target machines and does an action (write to a file, run a shell script, etc.).
Currently, I have this service configured to use username and password as a form of authentication for ssh-ing to the target machines, but it requires some additional bootstrapping on the target machine to get it working. I want to move to a public/private key authentication model.
My question is, since this service is distributed across multiple hosts, is it bad practice to store the private key in a secure location (say using AWS KMS or some similar service), and have each of my machines read from that secured location, or should I have a private key for each of my machines?
Upvotes: 3
Views: 767
Reputation: 3891
You can use the blockchain-based decentralized PKI system EMCSSH: http://emercoin.com/EMCSSH
DISCLAIMER: I'm the author of this system and will answer any questions.
Upvotes: 1
Reputation: 118300
I would answer that it's better to have a private key for each machine.
This way if a private key gets pilfered, only one machine is compromised, instead of all of them.
Additionally, you only need to keep the private key protected. Public keys are, by definition, public. Feel free to post your public key on Twitter, if that fancies you. It will have zero impact.
Upvotes: 2
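The answer above argues for one private key per machine so that a stolen key compromises only that machine. The Go program below is an added example, not code from the answer or from any project: it generates a separate Ed25519 key pair per worker, renders each public key in OpenSSH `authorized_keys` format, pins each entry to its worker's source address and to a single forced command with the real OpenSSH options `from=`, `restrict` and `command=` (which goes a little beyond the answer: even a stolen key is then useless from another host), and shows that revoking one compromised worker is a one-line removal that leaves the other workers' access intact. The host names, IP addresses, forced-command path and challenge bytes are constructed for the example; the signature check stands in for the SSH public-key authentication step rather than reimplementing the protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// Host is one worker of the distributed service; each worker holds its own key pair.
type Host struct {
	Name string
	IP   string // source address the target machine will accept this key from (constructed)
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// NewHost generates a fresh Ed25519 key pair for one worker (never shared between workers).
func NewHost(name, ip string) (*Host, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Host{Name: name, IP: ip, Pub: pub, Priv: priv}, nil
}

// sshString encodes b as an SSH wire-format string: uint32 big-endian length followed by the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// PublicKeyLine renders the key as OpenSSH does:
// "ssh-ed25519 base64(string "ssh-ed25519" || string key) comment".
func (h *Host) PublicKeyLine() string {
	blob := append(sshString([]byte("ssh-ed25519")), sshString(h.Pub)...)
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(blob) + " " + h.Name
}

// AuthorizedKeysEntry pins the key to the worker's source address and to one forced
// command, so a stolen private key works from nowhere else and for nothing else.
// The command path is a constructed placeholder and is assumed to contain no whitespace.
func (h *Host) AuthorizedKeysEntry(command string) string {
	return fmt.Sprintf(`from="%s",restrict,command="%s" %s`, h.IP, command, h.PublicKeyLine())
}

// BuildAuthorizedKeys produces the target machine's authorized_keys content, one worker per line.
func BuildAuthorizedKeys(hosts []*Host, command string) string {
	var sb strings.Builder
	for _, h := range hosts {
		sb.WriteString(h.AuthorizedKeysEntry(command))
		sb.WriteString("\n")
	}
	return sb.String()
}

// Revoke drops exactly one worker's line (matched on its public key). The blast radius of
// a pilfered key is that one line; every other worker keeps working.
func Revoke(authorizedKeys string, compromised *Host) string {
	var kept []string
	pk := compromised.PublicKeyLine()
	for _, line := range strings.Split(authorizedKeys, "\n") {
		if line == "" || strings.HasSuffix(line, pk) {
			continue
		}
		kept = append(kept, line)
	}
	if len(kept) == 0 {
		return ""
	}
	return strings.Join(kept, "\n") + "\n"
}

// parsePublicKey extracts the raw Ed25519 key from an authorized_keys line, skipping any options.
func parsePublicKey(line string) ed25519.PublicKey {
	idx := strings.Index(line, "ssh-ed25519 ")
	if idx < 0 {
		return nil
	}
	fields := strings.Fields(line[idx:])
	if len(fields) < 2 {
		return nil
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return nil
	}
	off := 4 + len("ssh-ed25519") // skip the key-type string, then read the key string
	if len(blob) < off+4 {
		return nil
	}
	klen := int(binary.BigEndian.Uint32(blob[off:]))
	if klen != ed25519.PublicKeySize || len(blob) < off+4+klen {
		return nil
	}
	return ed25519.PublicKey(blob[off+4 : off+4+klen])
}

// CanAuthenticate models the public-key step: the caller signs a challenge with priv and is
// accepted only if some line in authorized_keys carries the matching public key.
func CanAuthenticate(authorizedKeys string, priv ed25519.PrivateKey, challenge []byte) bool {
	sig := ed25519.Sign(priv, challenge)
	for _, line := range strings.Split(authorizedKeys, "\n") {
		if pub := parsePublicKey(line); pub != nil && ed25519.Verify(pub, challenge, sig) {
			return true
		}
	}
	return false
}

func main() {
	a, _ := NewHost("worker-a", "10.0.0.11") // constructed fleet
	b, _ := NewHost("worker-b", "10.0.0.12")
	ak := BuildAuthorizedKeys([]*Host{a, b}, "/usr/local/bin/deploy.sh")
	fmt.Print(ak)
	ak = Revoke(ak, a) // worker-a's key was stolen: remove only its line
	fmt.Println("worker-a accepted:", CanAuthenticate(ak, a.Priv, []byte("nonce")))
	fmt.Println("worker-b accepted:", CanAuthenticate(ak, b.Priv, []byte("nonce")))
}
```

In a real deployment the private key never leaves the worker that generated it; only the `PublicKeyLine` output travels to the target machines, and the `from=` address should be the worker's actual source address as seen by the target (a NAT or proxy in between changes what that is).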
Reputation: 8928
Having all of your machines get the ssh keys from a central location is not inherently worse than their all getting their username and password from a central location. However, the connection over which they get the ssh keys should be secure, which may mean that you have to have at least one key - the one that gets to your central location - stored locally on each machine.
Upvotes: 3