SSH and authorized keys
I know a little about public and private keys in theory, but haven't had to use them until now.
I have several different users with accounts on a UNIX server that need to be able to scp as a different user without entering a password. I think there's a way to set up those users' authorized_keys file to allow this, but I don't know how. Can someone explain it to me?
From terminal window:
On the local machine:
% ssh-keygen -t dsa -f ~/.ssh/id_dsa -C you@mydomain.com
% chmod 400 ~/.ssh/id_dsa
(Replace 'you@mydomain.com' with whatever is appropriate. Enter a passphrase when requested.)
Now copy ~/.ssh/id_dsa.pub to your 'remote' machine. Place it in .ssh and call it authorized_keys.
Be sure the file has correct permissions on the remote machine:
% chmod 644 ~/.ssh/authorized_keys
So I can copy MY public key to someone else's .ssh/authorized_keys file and that will allow them to scp as me without a password?
No, that will allow you to SCP with your account on your host into their host with their account.
Got it. So if I have each of them generate a key pair and put their public keys in my authorized_keys file it will work the other way?
If they generate a pair and put their public key into your authorized_keys file, they'll be able to connect to your account without a password, yes.
And would it be possible to prepend the key with something like command="scp $argv" to limit their actions to scp?
ShadowOfGed
2009-10-01, 16:22
Except for the fact this would still allow any of these users to overwrite your ~/.ssh/authorized_keys with whatever they want, so there's still not much security in that. There's probably a way to effectively jail their scp transfers in a safe subdirectory (a la chroot), but I don't have the time to look that up at the moment.
:\
Not sure why you wouldn't just give them their own account.
The files in the destination directories need to be owned by a manager ID for control reasons. The users aren't supposed to know the manager's password. We aren't allowed to use chown, also for control reasons.
Except for the fact this would still allow any of these users to overwrite your ~/.ssh/authorized_keys with whatever they want, so there's still not much security in that. There's probably a way to effectively jail their scp transfers in a safe subdirectory (a la chroot), but I don't have the time to look that up at the moment.
:\
That might not be a problem. It's a small group and this is a voluntary internal control. There's no way anyone would do that on purpose. Still not the best solution though I guess.
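The command="..." restriction asked about in the thread, and the concern that a key holder could still overwrite ~/.ssh/authorized_keys, can both be addressed with a forced-command wrapper that only accepts uploads into one directory. This is an added example, not code from any poster in the thread; the script path, the drop directory and the key in the comment are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: hypothetical forced-command wrapper.
# Assumed install path /usr/local/bin/scp-upload-only and drop directory
# /srv/dropbox. Entry in the manager account's authorized_keys (placeholder key):
#   command="/usr/local/bin/scp-upload-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...PLACEHOLDER user@host
# Clients running OpenSSH 9.0 or later need "scp -O" to use this legacy protocol.
LC_ALL=C; export LC_ALL                 # make A-Z style ranges byte-exact
DROP_DIR=${DROP_DIR:-/srv/dropbox}

# Return 0 only for an upload ("scp -t") whose target lies inside DROP_DIR.
scp_upload_allowed() {
    set -f                  # no globbing while the request is word-split
    set -- $1               # split only; nothing in the string is evaluated
    set +f
    [ "${1:-}" = scp ] || return 1
    shift
    sink=no
    while [ $# -gt 1 ]; do              # every word before the last is a flag
        case $1 in
            -t) sink=yes ;;             # "to" mode: the server receives files
            -r|-p|-d|-v) ;;             # recursive, preserve times, dir, verbose
            *) return 1 ;;              # includes -f, which would be a download
        esac
        shift
    done
    [ "$sink" = yes ] || return 1
    case $1 in
        -*|*..*) return 1 ;;            # no option smuggling, no parent dirs
        *[!A-Za-z0-9_./-]*) return 1 ;; # no shell metacharacters or quotes
        "$DROP_DIR"/*) return 0 ;;      # must be an absolute path in DROP_DIR
    esac
    return 1                            # e.g. .ssh/authorized_keys
}

# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if scp_upload_allowed "$SSH_ORIGINAL_COMMAND"; then
        set -f
        set -- $SSH_ORIGINAL_COMMAND    # same split as the validated words
        exec "$@"
    fi
    echo "rejected: only scp uploads into $DROP_DIR are allowed" >&2
    exit 1
fi
```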