Linux – SSH: one authorized_keys for multiple service accounts

authenticationlinuxsshssh-keys

Is there a way to configure SSH to check a single authorized_keys file for multiple users? I know I can copy the public key into each user's authorized_keys file but for ease of management I'd like an additional authorized_keys file for the administrators that would allow them to login to all the users (or specific groups of users).

Best Answer

You can use the AuthorizedKeysFile directive in /etc/ssh/sshd_config to do this. The defaut location is .ssh/authorized_keys but you could use something which contained an absolute path e.g.

AuthorizedKeysFile /path/to/your/keyfile

the man pages says this

AuthorizedKeysFile

Specifies the file that contains the public keys that can be used for user authentication. AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup. The following tokens are defined: %% is replaced by a literal ’%’, %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user’s home directory. The default is “.ssh/authorized_keys”.

Related Solutions

Ssh-agent forwarding and sudo to another user

As you mentioned, the environment variables are removed by sudo, for security reasons.

But fortunately sudo is quite configurable: you can tell it precisely which environment variables you want to keep thanks to the env_keep configuration option in /etc/sudoers.

For agent forwarding, you need to keep the SSH_AUTH_SOCK environment variable. To do so, simply edit your /etc/sudoers configuration file (always using visudo) and set the env_keep option to the appropriate users. If you want this option to be set for all users, use the Defaults line like this:

Defaults    env_keep+=SSH_AUTH_SOCK

man sudoers for more details.

You should now be able to do something like this (provided user1's public key is present in ~/.ssh/authorized_keys in user1@serverA and user2@serverB, and serverA's /etc/sudoers file is setup as indicated above):

user1@mymachine> eval `ssh-agent`  # starts ssh-agent
user1@mymachine> ssh-add           # add user1's key to agent (requires pwd)
user1@mymachine> ssh -A serverA    # no pwd required + agent forwarding activated
user1@serverA> sudo su - user2     # sudo keeps agent forwarding active :-)
user2@serverA> ssh serverB         # goto user2@serverB w/o typing pwd again...
user2@serverB>                     # ...because forwarding still works

SSH Public Key – Multiple Public Keys for One User

You can have as many keys as you desire. It's good practice to use separate private/public key sets for different realms anyway, like one set for your personal use, one for your work, etc.

First, generate two separate keypairs, one for home and one for work:

ssh-keygen -t rsa -f ~/.ssh/id_rsa.home
ssh-keygen -t rsa -f ~/.ssh/id_rsa.work

Next, add an entry to your ~/.ssh/config file to pick the key to use based on the server you connect to:

Host home
Hostname home.example.com
IdentityFile ~/.ssh/id_rsa.home
User <your home acct>

Host work
Hostname work.example.com
IdentityFile ~/.ssh/id_rsa.work
User <your work acct>

Next, append the contents of your id_rsa.work.pub into ~/.ssh/authorized_keys on the work machine, and do the same for the home key on your home machine.

Then when you connect to the home server you use one of the keys, and the work server you use another.

Note you probably want to add both keys to your ssh-agent so you don't have to type your passphrase all the time.

Best Answer

Related Solutions

Ssh-agent forwarding and sudo to another user

SSH Public Key – Multiple Public Keys for One User

Related Topic