cluster:157, revisions [2017/03/29 13:52] and [2017/04/06 14:48] by hmeij07

**SSH public key authentication**

In the ''/etc/ssh/sshd_config'' file, specify the path to user SSH public key files with a directive like:
  * ''AuthorizedKeysFile /etc/ssh/authorized_keys/%u''

Setting ''AuthorizedKeysFile'' replaces the default (''.ssh/authorized_keys'' in the user's home directory), so keys users put there are no longer honoured. That is the point of this approach: only root decides which keys grant access. Confirm the effective value with ''sshd -T | grep -i authorizedkeysfile''.

For this example, ''/etc'', ''/etc/ssh'' and ''/etc/ssh/authorized_keys'' are directories owned by and writable only by root. The sshd service expands ''%u'' to the username of the account being authenticated, so every user has a root-owned, read-only file named after their username in the ''/etc/ssh/authorized_keys'' directory.

<code>
drwxr-xr-x. 3 root root 4096 Nov 9 14:02 /etc/ssh
drwxr-xr-x 2 root root 4096 Nov 9 14:01 /etc/ssh/authorized_keys
-r--r--r-- 2 root root 1024 Mar 29 11:01 /etc/ssh/authorized_keys/weshmeij
</code>

Unique usernames and UID/GID pairs need to be created, and they must not clash across the colleges sharing the cluster (for example ''weshmeij'' and ''lafjsimms''). We need a simple web page where a public key can be uploaded together with the requested username. The username is prefixed with the first three characters of the college ('wes' for Wesleyan, 'laf' for Lafayette, and so on). A script works out the next free UID/GID from the passwd file, then (shown here for UID/GID 15001):

<code>
[root@hmeij ~]# groupadd -g 15001 "$prefix$uname"
[root@hmeij ~]# useradd -u 15001 -g 15001 "$prefix$uname"
[root@hmeij ~]# cp "$file" "/etc/ssh/authorized_keys/$prefix$uname"
[root@hmeij ~]# chmod 0444 "/etc/ssh/authorized_keys/$prefix$uname"
</code>

''groupadd'' replaces the earlier ''echo "$prefix$uname:x:15001" >> /etc/group'': appending by hand bypasses the locking that the shadow tools use and leaves off the trailing member field of the ''/etc/group'' format. The uploaded file should also be checked to be a single bare public key line before it is copied: an ''authorized_keys'' entry may carry options such as ''command='' or ''from='' that sshd will honour, and a user-supplied upload must not be allowed to set them.
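The provisioning script the page describes, written out as an added example (this is not code from the cluster:157 page). Assumptions that are mine, not the page's: UIDs for these accounts start at 15000 (''UID_FLOOR''), the requested username is limited to ''[a-z0-9_]'', an upload must be exactly one bare OpenSSH public key line, and the function names (''next_uid'', ''make_username'', ''valid_pubkey_file'', ''provision_user'') are illustrative. The passwd file used by ''next_uid'' is a parameter so the allocation logic can be tried against a copy without root.

```bash
#!/bin/bash
# Added example, not code from the cluster:157 page: the provisioning script the
# page describes, written out. Assumptions that are mine, not the page's: UIDs
# for these accounts start at 15000 (UID_FLOOR), the requested username is
# limited to [a-z0-9_], and an upload must be exactly one bare public key line.
set -u

UID_FLOOR=15000   # assumed base for cross-college accounts

# Next unused UID at or above UID_FLOOR, read from a passwd-format file.
# The same number is used for the GID, as the page does.
next_uid() {
    local passwd="${1:-/etc/passwd}"
    awk -F: -v floor="$UID_FLOOR" '
        BEGIN { max = 0 }
        $3 >= floor && $3 > max { max = $3 }
        END { if (max == 0) print floor; else print max + 1 }' "$passwd"
}

# Login name: first three characters of the college, lower-cased, plus the
# requested name. Anything outside [a-z0-9_] is rejected so the result is safe
# to use in paths and in useradd without further quoting.
make_username() {
    local college="$1" requested="$2" prefix name
    prefix=$(printf '%s' "$college" | tr 'A-Z' 'a-z' | cut -c1-3)
    name="$prefix$requested"
    case "$name" in
        ''|*[!a-z0-9_]*) return 1 ;;
    esac
    [ "${#name}" -le 32 ] || return 1
    printf '%s\n' "$name"
}

# Accept an upload only if it is a single OpenSSH public key line: key type,
# base64 blob, optional comment, and nothing in front of the type. A leading
# options field (command=, from=, environment=) would be honoured by sshd and
# must not be settable by the person uploading the key.
valid_pubkey_file() {
    local file="$1" re
    re='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
    [ "$(grep -c '' "$file")" -eq 1 ] && [ "$(grep -Ec "$re" "$file")" -eq 1 ]
}

# Provisioning step, run as root on the login host. Same commands as the page,
# except that the group is created with groupadd rather than by appending to
# /etc/group, and install(1) sets owner and mode in one step.
provision_user() {
    local college="$1" requested="$2" keyfile="$3" name uid
    name=$(make_username "$college" "$requested") || { echo "rejected username" >&2; return 1; }
    valid_pubkey_file "$keyfile" || { echo "upload is not a single bare public key" >&2; return 1; }
    if getent passwd "$name" >/dev/null; then
        echo "$name already exists" >&2; return 1
    fi
    uid=$(next_uid /etc/passwd)
    groupadd -g "$uid" "$name" &&
    useradd -u "$uid" -g "$uid" "$name" &&
    install -o root -g root -m 0444 "$keyfile" "/etc/ssh/authorized_keys/$name"
}

# Usage (as root): provision.sh Wesleyan hmeij /tmp/upload.pub
if [ "$#" -eq 3 ]; then
    provision_user "$@"
fi
```

The key check is deliberately stricter than what sshd would accept: rejecting anything before the key type is what stops an uploader from granting themselves a forced ''command='' or a ''from='' pattern they did not earn.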

Use a secure, automated method to distribute the public key files to each login host's ''/etc/ssh/authorized_keys'' directory (for example a push over ssh from the host that runs the upload page), with the files arriving root-owned and mode 0444. Keeping them on a shared mounted filesystem is not recommended: it introduces other security and availability issues, since whoever controls (or can impersonate) the file server can then add keys on every login host at once, and an outage of the mount locks everyone out of every host at the same time.

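A check to run on each login host after the files have been pushed out, as an added example (not code from the cluster:157 page). It assumes the page's layout, one root-owned mode 0444 file per user under ''/etc/ssh/authorized_keys'', and GNU ''stat(1)''; the directory and passwd paths are parameters so it can also be run against a staging copy, and the function name ''audit_authorized_keys'' is illustrative.

```bash
#!/bin/bash
# Added example, not code from the cluster:157 page: a check to run on each
# login host after the key files have been pushed out. It assumes the page's
# layout (one root-owned, mode 0444 file per user under /etc/ssh/authorized_keys)
# and GNU stat(1); the directory and passwd paths are parameters so it can also
# be run against a staging copy.
set -u

# Print one finding per line for anything that would let someone other than
# root change who can log in, or that has no matching local account.
# Returns 1 if any finding was printed, 0 if the directory is clean.
audit_authorized_keys() {
    local dir="${1:-/etc/ssh/authorized_keys}" passwd="${2:-/etc/passwd}"
    local rc=0 f name owner mode
    mode=$(stat -c '%a' "$dir")
    if [ $(( 8#$mode & 022 )) -ne 0 ]; then
        echo "$dir: mode $mode is group/other writable"; rc=1
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        owner=$(stat -c '%u' "$f")
        mode=$(stat -c '%a' "$f")
        [ "$owner" = 0 ]  || { echo "$name: owned by uid $owner, expected root"; rc=1; }
        [ "$mode" = 444 ] || { echo "$name: mode $mode, expected 444"; rc=1; }
        awk -F: -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$passwd" ||
            { echo "$name: no matching entry in $passwd"; rc=1; }
        # Every line must start with a key type; anything else is an options
        # prefix (command=, from=, ...) or junk that should never have been pushed.
        if grep -Evq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) ' "$f"; then
            echo "$name: contains a line that is not a bare public key"; rc=1
        fi
    done
    return "$rc"
}

# Usage: audit.sh [keydir] [passwd]; exit status is non-zero if anything is off.
if [ "$#" -gt 0 ]; then
    audit_authorized_keys "$@"
fi
```

The writability test on the directory mirrors what sshd's ''StrictModes'' enforces; the per-file checks catch the cases a file copy can get subtly wrong, a file left with the pushing user's ownership or umask, or a key file for an account that was never created on this host.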