I was wondering, is it considered safe to use the same SSH key for multiple sites? (eg. github, bitbucket, heroku, etc)?
Or is it recommended to generate a different SSH key for each website/usage?
Using ssh keys for multiple sites
Securityssh-keys
Related Solutions
If you have an active ssh-agent that has your id_rsa key loaded, then the problem is likely that ssh is offering that key first. Unfuddle probably accepts it for authentication (e.g. in sshd) but rejects it for authorization to access the company repositories (e.g. in whatever internal software they use for authorization, possibly something akin to Gitolite). Perhaps there is a way to add your personal key to the company account (multiple people are not sharing the same corp_rsa public and private key files, are they?).
The IdentitiesOnly .ssh/config configuration keyword can be used to limit the keys that ssh offers to the remote sshd to just those specified via IdentityFile keywords (i.e. it will refuse to use any additional keys that happen to be loaded into an active ssh-agent).
Try these .ssh/config sections:
Host {personalaccount}.unfuddle.com
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes
Host {companyaccount}.unfuddle.com
IdentityFile ~/.ssh/{companyaccount}_rsa
IdentitiesOnly yes
Then, use Git URLs like these:
git@{personalaccount}.unfuddle.com:{personalaccount}/my-stuff.git
git@{companyaccount}.unfuddle.com:{companyaccount}/their-stuff.git
If you want to take full advantage of the .ssh/config mechanism, you can supply your own custom hostname and change the default user name:
Host uf-mine
HostName {personalaccount}.unfuddle.com
User git
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes
Host uf-comp
HostName {companyaccount}.unfuddle.com
User git
IdentityFile ~/.ssh/{companyaccount}_rsa
IdentitiesOnly yes
Then, use Git URLs like these:
uf-mine:{personalaccount}/my-stuff.git
uf-comp:{companyaccount}/their-stuff.git
E.g. if I have multiple machines, I'd need to duplicate private keys, which I think is undesirable.
No, actually you don't. If you have multiple machines, you just create a separate private key on each one. For each private key, just upload the corresponding public key to GitHub using the same process.
Also, if my HDD go kaput, I'll lose my private key, which (I guess) is undesirable as well.
Not really; if you lose your private key, just generate a new one and upload the corresponding public key.
For what it's worth, you're right that duplicating a private key is highly undesirable. Ideally, a private key should be generated in one file (~/.ssh/id_rsa for example) and should never leave that file - that is, it should never be copied, moved, and especially not transferred over a network. (e.g. I exclude them from backups) Because of the nature of asymmetric authentication protocols, you only need to worry about keeping your private key out of the hands of others. If you go a bit overboard and you lose track of it yourself, it's generally not a big deal. (This is not to be confused with asymmetric encryption private keys, e.g. GPG keys, which you probably want to hold on to.)
Best Answer
You are only giving the public key to these sites. They can't do anything with this key, other than identifying that it is the same one. If you are concerned about your anonymity, use separate keys (and configure your ssh client to offer just one to each server, not all of them).
There is no risk of compromising your private key, as long as you use it correctly and don't let is leave your computer. Of course, if it is compromised somehow, it would compromise all your accounts there.
But the most probable scenario of compromising your key would be a trojan or similar on your computer, in this scenario all your other keys will be compromised as well. So using only one public key (per client computer) is enough here, too.