I keep them straight with the filenames

Doing this not only gives me finer-grain control over which machines have access to which others (e.g. don’t have to give that server account the permission to SSH into *everything* else), but also lets me recover from a compromise more quickly: if one machine is compromised, I need revoke only *that* machine’s key without having to change all the others (so long as said others are client-only machines: it’s different if they are also servers which might have been accessed maliciously after the compromise).

I adopted this stance after suffering from an incident at a (now defunct) institutional server on which I had an account. I trusted that institution’s sysadmins enough to place a copy of my one-and-only SSH private key on their server, but then they employed a new sysadmin who managed to mess up their CIFS mount in a way that ignored all access permissions and made everyone’s entire home directories (including my key) available from a public website for which access logs were not kept. I then had to assume it was compromised and frantically chase down every machine I’d ever used it on to ensure it was revoked. So after that I adopted a “one key per machine” policy and set authorized_keys on an as-needed basis, instead of assuming it was a good idea to be able to get into anywhere from anywhere.

@Carl, it’s 2024 and I think most of this is still applicable! Maybe I should re-post with a new date