DEV Community

[Comment from a deleted post]
nicoroy2561

Is using an SSH key effectively more secure than whitelisting only your own static IP address (or manually adding it when you connect from somewhere else)?
Because it seems to me that if one uses an SSH key he/she would need to back it up (in case your computer had issues). Then you have to protect your key, and install it again on every device that needs to connect to the server.
All the while, if you want to connect from an insecure computer / temporary location via password, you could log into your host service (usually behind 2FA), temporarily whitelist that IP address, log in via SSH and then remove the whitelist rule from the firewall right after (once you're connected). Even if anyone was actually able to steal your password, he wouldn't be able to use it at all.
That to me feels like a safer approach, but I'm by no means an expert and I'm likely missing something here.

Eric Hu

Whitelisting your own IP is also an effective way to secure your server. However, you risk getting locked out of your server, since your IP address is not permanent.
If you are a modem user, each time you connect to the Internet you'll be assigned whatever IP address is available. If you are a broadband user, your IP address will be reassigned when the ISP changes its infrastructure.
So I guess they both have pros and cons. I prefer using SSH keys, but make sure you make several copies and store them in different places.

nicoroy2561

What I do is I create & manage a firewall using my host's website (rather than on the server itself). This way I can always log in to said host using my credentials+2FA and add/remove the IP address I want to allow SSH from anytime.

Florian Lefèvre

I think you miss the point that you are not limited in the number of keys allowed to connect to your server. The authorized_keys file can contain multiple public keys.
I apply this rule: NEVER copy my private key anywhere. The more you copy it, the more it is exposed. Don't make copies on USB sticks, for example.
I think you should use a unique keypair per computer you use.
Your laptop was stolen? No problem, just remove your key from the authorized ones.
Furthermore, I generate my keypair in place.
IP restriction is good but it's very constraining. 2FA seems better because you can use it from anywhere.
The only problem I encounter with this method is that you need to have access to an authorized host to authorize your new key. Easily solved if you have KVM access to your server at your hosting provider.

See it as 1 password per computer. :)

You can also use a system of SSH proxy/bastion if you have multiple servers to manage and allow only your proxy to connect to your servers.
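The one-keypair-per-device model above comes down to managing the server's authorized_keys file by device label. The following is an added example, not code from the thread: it assumes each key line carries a device name as its trailing comment (what `ssh-keygen -C` sets), and the sample keys are constructed placeholders.

```shell
#!/bin/sh
# Added example: list and revoke per-device keys in an authorized_keys file.
# Assumption: every key line ends with a device label such as "laptop-2021".
# The key material below is a constructed placeholder, not a real key.

SAMPLE_AUTHORIZED_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 laptop-2021
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 desktop-home
# a commented-out key stays inert and is ignored by sshd
#ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER3 old-netbook
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER4 phone-termux'

# list_devices FILE: print the device label (last field) of each active key.
list_devices() {
    awk 'NF >= 3 && $1 !~ /^#/ { print $NF }' "$1"
}

# count_keys FILE: number of active (non-comment) key lines.
count_keys() {
    awk 'NF >= 3 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# revoke_device FILE LABEL: drop every active key whose label equals LABEL.
# Writes to a temp file and renames it, so an interrupted run never leaves a
# truncated authorized_keys behind (which would lock out every device at once).
revoke_device() {
    file=$1
    label=$2
    tmp="$file.tmp.$$"
    awk -v l="$label" '!($1 !~ /^#/ && $NF == l)' "$file" > "$tmp" && mv "$tmp" "$file"
}

# demo: walk through the "stolen laptop" case from the thread.
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" > "$f"
    echo "devices before:"; list_devices "$f"
    revoke_device "$f" laptop-2021
    echo "devices after revoking laptop-2021:"; list_devices "$f"
    rm -f "$f"
}
```

Run `demo` to see the stolen laptop's key disappear while the other devices keep their access; on a real server the file is `~/.ssh/authorized_keys` for the target user.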

nicoroy2561

So overall this way it would be pretty much the same, since both methods involve going through the hosting provider to authorize operations from a new device.
Using keys is probably easier over time, I ought to consider that.

 
zedentox profile image
Florian Lefèvre

Another solution may be to use something like a Yubikey and 2FA.

If you lose it, 2FA protects you until you remove it everywhere.
You can take it with you and it can't be copied by someone.