PDA

View Full Version : SSH and authorized keys


BenP
2009-09-30, 12:37
I know a little about public and private keys in theory, but haven't had to use them until now.

I have several different users with accounts on a UNIX server that need to be able to scp as a different user without entering a password. I think there's a way to set up those users' authorized_keys file to allow this, but I don't know how. Can someone explain it to me?

RobUSVI
2009-10-01, 08:19
From terminal window:

On the local machine:

% ssh-keygen -t dsa -f ~/.ssh/id_dsa -C you@mydomain.com
% chmod 400 ~/.ssh/id_dsa

(Replace 'you@mydomain.com' with whatever is appropriate. Enter a passphrase when requested.)

Now copy ~/.ssh/id_dsa.pub to your 'remote' machine. Place it in .ssh and call it authorized_keys

Be sure the file has correct permissions on the remote machine:

% chmod 644 ~/.ssh/authorized_keys

BenP
2009-10-01, 09:37
So I can copy MY public key to someone else's .ssh/authorized_keys file and that will allow them to scp as me without a password?

chucker
2009-10-01, 09:45
So I can copy MY public key to someone else's .ssh/authorized_keys file and that will allow them to scp as me without a password?

No, that will allow you to SCP with your account on your host into their host with their account.

BenP
2009-10-01, 09:53
No, that will allow you to SCP with your account on your host into their host with their account.

Got it. So if I have each of them generate a key pair and put their public keys in my authorized_keys file it will work the other way?

chucker
2009-10-01, 10:47
If they generate a pair and put their public key into your authorized_keys file, they'll be able to connect to your account without a password, yes.

BenP
2009-10-01, 11:32
If they generate a pair and put their public key into your authorized_keys file, they'll be able to connect to your account without a password, yes.

And would it be possible to prepend the key with something like command="scp $argv" to limit their actions to scp?

ShadowOfGed
2009-10-01, 16:22
And would it be possible to prepend the key with something like command="scp $argv" to limit their actions to scp?

Except for the fact this would still allow any of these users to overwrite your ~/.ssh/authorized_keys with whatever they want, so there's still not much security in that. There's probably a way to effectively jail their scp transfers in a safe subdirectory (a la chroot), but I don't have the time to look that up at the moment.

:\

chucker
2009-10-01, 16:25
Not sure why you wouldn't just give them their own account.

BenP
2009-10-01, 16:33
The files in the destination directories need to be owned by a manager ID for control reasons. The users aren't supposed to know the manager's password. We aren't allowed to use chown, also for control reasons.

BenP
2009-10-01, 16:36
Except for the fact this would still allow any of these users to overwrite your ~/.ssh/authorized_keys with whatever they want, so there's still not much security in that. There's probably a way to effectively jail their scp transfers in a safe subdirectory (a la chroot), but I don't have the time to look that up at the moment.

:\

That might not be a problem. It's a small group and this is a voluntary internal control. There's no way anyone would do that on purpose. Still not the best solution though I guess.