I have a username and an SSH key for a (hypothetical) guy and I need to give him admin access to a Linux (Ubuntu) server.
I want him to be able to log in via SSH and then set his password by himself over a secure connection, instead of passing the password around.
I know how to make the password expire and force him to reset it on first login. But this doesn't work unless he has some password already, which I then have to tell him.
I thought about making the password blank – SSH wouldn't allow login, but then anyone can su into the user.
My question is, is there some best practice for creating accounts in such a way? Or is setting a default password unavoidable?
Best Answer
You have his SSH public key? Put it in .ssh/authorized_keys in his home directory. Once you have done that (and the permissions are restrictive enough - SSH is fussy about that), he will be able to log in without needing a password at all... and he will never need one.
The best part is that his public key is not sensitive, so passing it around in emails or chat is fine, and his private key never leaves his computer.
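The key installation and the permission requirement mentioned in the answer, sketched as an added shell example (not part of the original answer). The function names are hypothetical, and it assumes the account already exists without a usable password.

```shell
#!/bin/sh
# Added example. Assumes the account already exists without a usable password
# (on Ubuntu, e.g. created by root with: adduser --disabled-password USER).

# install_authorized_key HOME_DIR "PUBKEY LINE" [OWNER]
install_authorized_key() {
    home_dir=$1; pubkey=$2; owner=${3:-}
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Simple sanity check: one line starting with a common key type.
    case $pubkey in
        *"
"*) echo "key must be a single line" >&2; return 1 ;;
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "unrecognised key type" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" || return 1
    # Append only if this exact line is not already there (safe to re-run).
    grep -qxF -- "$pubkey" "$auth_file" || printf '%s\n' "$pubkey" >> "$auth_file"
    chmod 600 "$auth_file" || return 1
    # When run as root, hand the files to the user; sshd checks ownership too.
    if [ -n "$owner" ]; then chown -R "$owner" "$ssh_dir" || return 1; fi
    return 0
}

# check_ssh_perms HOME_DIR
# Fails if the home directory, .ssh or authorized_keys is missing or is
# writable by group or others, which sshd's StrictModes rejects.
check_ssh_perms() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        bad=$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)
        [ -z "$bad" ] || { echo "group/world writable: $p" >&2; return 1; }
    done
    return 0
}
```

Run as root, pass the username as the third argument so the files end up owned by that user, then run `check_ssh_perms` on the home directory before asking him to log in.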