Ssh – Multiple SSH keys per user on the server

authenticationsshssh-keys

Say I run a server which accepts SSH connections, and being a wise person, I use SSH keys instead of passwords to connect to it. There is one user, webmaster, which has access to and controls the website-related directories and programs. Whenever I connect to the server, I log in as webmaster.

This is working great, until one day I hire a third party company to work on the website for a week, and to make things go smoothly, I want them to log in as webmaster when they do their work. When the week is over and the job is done, I want to revoke access to the server with their key.

How would I go about doing this, having multiple keys for the same user on the server, that can be edited or removed independently?

Best Answer

This functionality is already supported. When you add their public key to ~webmaster/.ssh/authorized_keys just make sure you remember which key is theirs. When they're done, remove the line for their public key in authorized_keys. You can always change the last little bit of a public key that looks like an email address. Please remember that the permissions for your authorized_keys file is important and that it must be the user webmaster and the permissions 0600 (rw-------).

Related Solutions

SSH – System for Distributing SSH Public Keys

As already mentioned by pulegium, any generic configuration management software like Puppet, Chef, Bcfg2 or cfengine could accomplish the task.

Since the authorized_keys file is not that complicated, you could also use rsync or a (D)SCM like git or hg to manage this file. You have the "master" file on one of your servers and serve it via rsync/git/hg/…. On every other server you run a cron job which periodically retrieves the master copy (if it was changed) and copies it to the correct local location. Heck, this would even work with pure HTTP or FTP.

The bottom line is: Have one "master" copy of your authorized_keys file and update it. Let the "clients" (the computers, which should have the current authorized_keys file) fetch it from your master server and deploy it locally.

Ssh – Invalidating unused ssh keys

Everything is documented in sshd(8), under "AUTHORIZED_KEYS FILE FORMAT" section.

In .ssh/authorized_keys2 add something like environment="SSHKEY=1" at beginning of each line, so it should looks like:

environment="SSHKEY=1" ssh-dss AAAAB3N ...
environment="SSHKEY=2" ssh-rsa AAAAB3N ...

Enable PermitUserEnvironment option in /etc/ssh/sshd_config and restart sshd. Now you can add something like echo $SSHKEY >>.sshlog to ~/.bashrc for logging used ssh keys.

But I think much ease way is backup authorized_keys2 file, remove all keys from it, and just wait until people call/email/im you asking why svn doesn't work. Then you can either restore their key or ask them to resend their keys to you if you unsure which key belong to who. As side effect you'll know who is really working. :)

Best Answer

Related Solutions

SSH – System for Distributing SSH Public Keys

Ssh – Invalidating unused ssh keys

Related Topic