I have some questions regarding generating keys for ssh access:
(1) Suppose there are two computers running the ssh server service and I have generated a pair of key files on computer A and copied the public file to computer B. Is it true that this is only a one-way key: we only gave computer A permission to access computer B, not computer B permission to access computer A? If I now want to ssh from computer B to computer A, must I generate another pair of key files on computer B and copy the public file to computer A?
(2) If I would like to connect a single local computer to several remote servers, should I generate a common pair of key files only once on the local computer and copy the same public file to the remote servers, or generate different pairs of key files on the local computer for different remote servers?
(3) If I would like to connect several local computers to a single remote server, when copying the public files from the different local computers to the remote server, should I combine them into a single authorized_keys file or store them in different authorized_keys files?
(4) If several servers share the same file system via, for example, NFS, how do I generate keys and arrange the key files for accessing one server from another? Also, how do I generate keys and arrange the key files for a local computer to access any one of the servers?
All the machines above are Linux. Please provide examples and commands in your reply so that I can better understand how to solve the problems.
Thanks and regards!
Yes, this is the case. The machine with the private half of the key can authenticate against those with the public half. You could of course have the same private key on two or more machines, but if you do not have a strong passphrase on the key you should not do this for servers you do not 100% trust, such as an external shared server (then again, passphraseless keys are not recommended anyway).
It is common to use the same public key on many servers, just like when using public+private keys for signing email (everyone generally uses the same public key to check signatures from your one private key), the note above notwithstanding. For instance my key for me@homemachine can log me into my home server, my remote server and several VMs. I have a different pair of keys for me@homeserver though (because of note 1 above) but that can also be used to authenticate me with a selection of accounts elsewhere. That said, there is nothing to stop you having many private keys for each user account you hold if you desire.
All the authorized keys for a given destination account exist in one authorized_keys file.
That depends. Is your home directory, or indeed everything, on the shared (NFS) resource?
http://novosial.org/openssh/publickey-auth/ is a resource that came up after a quick search when answering a related question earlier, and it seems relevant here too, though it might not cover your last point. The sample commands will be relevant to Linux assuming you are using OpenSSH (which you most likely are).
Yes.
Yes (although you could use the same key files as above, if A and B fully trust each other).
While both will work, there's no reason to use more than one key file; so your second option.
Yes, you combine all keys into one authorized_keys file.
NFS does not matter for SSH; the files must just be in the right locations. Same for generating keys.
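The key layout both answers above describe, as an added example that is not part of any answer: temporary directories stand in for the home directories of two client machines ("A" and "B"), one server, and one NFS-shared home, so the script runs offline and never touches the real ~/.ssh or a remote host. The `ssh-keygen`, `ssh-copy-id` and `StrictModes` references are real OpenSSH behaviour; the function names, directory names and the placeholder key lines used when `ssh-keygen` is not installed are this example's own.

```shell
#!/bin/sh
# Added example, not from any of the answers above. It lays out the key files
# the way the answers describe, using temporary directories in place of the
# home directories of two client machines ("A", "B"), one server, and one
# NFS-shared home; nothing here touches the real ~/.ssh or any remote host.
set -eu

# Generate a key pair for one machine into $1/.ssh. The private half never
# leaves that directory; only the .pub file is copied elsewhere. Returns 1 if
# ssh-keygen is not installed so the caller can fall back to placeholder keys.
# -N "" gives an unprotected key purely so the demo runs unattended; for a real
# key omit it and choose a passphrase (the answers warn against passphraseless keys).
make_machine_key() {
    home="$1"; comment="$2"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    command -v ssh-keygen >/dev/null 2>&1 || return 1
    ssh-keygen -q -t ed25519 -N "" -C "$comment" -f "$home/.ssh/id_ed25519"
}

# Install public keys into the single authorized_keys file of a destination
# account: one key per line, duplicates dropped, and the permissions sshd's
# default StrictModes insists on (700 on .ssh, 600 on the file).
merge_authorized_keys() {
    dest_home="$1"; shift
    mkdir -p "$dest_home/.ssh" && chmod 700 "$dest_home/.ssh"
    ak="$dest_home/.ssh/authorized_keys"
    touch "$ak"
    cat "$ak" "$@" | grep -v '^[[:space:]]*$' | awk '!seen[$0]++' > "$ak.tmp"
    mv "$ak.tmp" "$ak"
    chmod 600 "$ak"
}

# Number of key lines an account currently authorizes.
count_authorized() {
    grep -c -v '^[[:space:]]*$' "$1/.ssh/authorized_keys" || true
}

# Constructed placeholder public-key lines (not real keys), used only when
# ssh-keygen is absent so the layout can still be shown.
placeholder_pubkey() {
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER%sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA %s\n' "$1" "$2"
}

demo() {
    work=$(mktemp -d)
    for m in A B server nfs-home; do mkdir -p "$work/$m/.ssh"; chmod 700 "$work/$m/.ssh"; done
    if ! make_machine_key "$work/A" me@A || ! make_machine_key "$work/B" me@B; then
        placeholder_pubkey 1 me@A > "$work/A/.ssh/id_ed25519.pub"
        placeholder_pubkey 2 me@B > "$work/B/.ssh/id_ed25519.pub"
    fi

    # (1) A key pair is one-way: A's private key authenticates A wherever A's
    # public key is installed. For B -> A, B needs its own pair and A gets B's .pub.
    merge_authorized_keys "$work/B" "$work/A/.ssh/id_ed25519.pub"
    merge_authorized_keys "$work/A" "$work/B/.ssh/id_ed25519.pub"

    # (2)/(3) One pair per client serves any number of servers, and each server
    # account keeps every client's key in one authorized_keys. Re-adding A's key
    # is a no-op, so a repeated ssh-copy-id does not grow the file.
    merge_authorized_keys "$work/server" "$work/A/.ssh/id_ed25519.pub" \
        "$work/B/.ssh/id_ed25519.pub" "$work/A/.ssh/id_ed25519.pub"
    echo "server authorizes $(count_authorized "$work/server") key(s)"   # 2

    # (4) With home on NFS every server in the pool sees the same ~/.ssh, so one
    # pair generated there, with its own .pub in that same authorized_keys, lets
    # you hop between pool members; the local computer's key is added beside it.
    make_machine_key "$work/nfs-home" me@pool >/dev/null 2>&1 \
        || placeholder_pubkey 3 me@pool > "$work/nfs-home/.ssh/id_ed25519.pub"
    merge_authorized_keys "$work/nfs-home" "$work/nfs-home/.ssh/id_ed25519.pub" \
        "$work/A/.ssh/id_ed25519.pub"
    echo "pool home authorizes $(count_authorized "$work/nfs-home") key(s)"  # 2

    # On real hosts the copy step is: ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server
    rm -rf "$work"
}

demo
```

The merge step is deliberately idempotent and fixes permissions every time, because the two things that most often break key login in practice are a duplicated or group-writable authorized_keys file and a .ssh directory that sshd's StrictModes rejects.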
'A' can be used to login to several other computers. However, you can copy the key pair from A's '.ssh' directory to another computer 'B' and then use it from there too (to login to all computers that you have allowed access from 'A' with these credentials). This makes the access less secure since you have now shared the private data across two computers. But it may work if that is not a liability.

'A' can be used to access as many remote machines as you need by authorizing the access with the public key on each of them.

'authorized_keys' file can have multiple authorization lines (public keys), one per line.

'home' space across multiple computers (and the '.ssh' directory itself is therefore shared across them as you login), you need just one key pair to share access across this pool of computers. Place the public key into the authorized_keys file of this '.ssh'.

Some references,

Update:

Like the 'authorized_keys' file would be for RSA keys and the 'authorized_keys2' file for DSA keys maybe. There is a SecurityFocus article which describes these files along with other things.
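Since an authorized_keys file holds one public key per line, and each line may carry options in front of the key that restrict what it can do, it is worth being able to read back who an account actually admits. The following is an added example, not part of the answer above: a small audit that lists key type, comment and options per line and counts the keys that grant an unrestricted login. The sample file it reads is constructed here with placeholder key material; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from any answer above. Reads an authorized_keys file, one
# public key per line as the answers describe, and reports what each line
# grants: key type, the comment (usually user@host of the machine holding the
# private half), and any restricting options placed in front of the key.
set -eu

# Print one TAB-separated record per key line: type, comment, options ('-' if
# none). Lines that carry no recognisable key type are reported as INVALID.
list_authorized() {
    awk '
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    {
        kt = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { kt = i; break }
        if (kt == 0) { printf "INVALID\t-\t%s\n", $0; next }
        opt = ""                                  # fields before the key type
        for (i = 1; i < kt; i++) opt = opt (opt == "" ? "" : " ") $i
        cmt = ""                                  # fields after the key blob
        for (i = kt + 2; i <= NF; i++) cmt = cmt (cmt == "" ? "" : " ") $i
        printf "%s\t%s\t%s\n", $kt, (cmt == "" ? "-" : cmt), (opt == "" ? "-" : opt)
    }' "$1"
}

# Keys that carry no options, i.e. grant a full interactive login.
count_unrestricted() {
    list_authorized "$1" | awk -F'\t' '$1 != "INVALID" && $3 == "-"' | wc -l | tr -d ' '
}

# Lines sshd would ignore because no key type could be found on them.
count_invalid() {
    list_authorized "$1" | awk -F'\t' '$1 == "INVALID"' | wc -l | tr -d ' '
}

# Constructed sample file written to $1; the key blobs are placeholder text,
# not real keys, and the addresses are documentation ranges.
sample_authorized_keys() {
    cat > "$1" <<'EOF'
# keys authorized for the backup account (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA me@A
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA me@B

from="192.0.2.0/24",command="/usr/local/bin/backup-only",no-pty ssh-rsa AAAAB3PLACEHOLDER3 backup@C
this line is not a key
EOF
}

# Stand-alone run: write the sample and print the audit.
f=$(mktemp)
sample_authorized_keys "$f"
printf 'TYPE\tCOMMENT\tOPTIONS\n'
list_authorized "$f"
echo "unrestricted logins: $(count_unrestricted "$f"), unusable lines: $(count_invalid "$f")"
rm -f "$f"
```

Running the audit against every account on a shared server (or against the one ~/.ssh/authorized_keys on an NFS home) gives a quick answer to "which machines can log in here, and with what restrictions", which is the inventory you want before removing a key for a machine that has been retired or compromised.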