SSH public key authentication – can one public key be used for multiple users

kickstartsshusers

I am wanting to deploy a RHEL5 server using Kickstarts and for security I only want to allow remote clients to ssh to the server as the user 'Developer' (I have already configured the sshd config to disable root access). I have a few questions about setting this up:

  • Does a local user named 'Developer' need to be on each client machine when logging into the server? (I don't think it does but thought I would just confirm while im at it)
  • Before deploying the server, am I able to just setup the authorized_keys file with an entry for each client's RSA public key? And does it matter what user actually types in say ssh -p 22020 Developer@server (i.e. will this affect any information required in the authorized_keys file?)
  • Is the public key of the server required in the known_hosts file of the client (I want this to work every time without being prompted for anything)?
  • Does the user 'Developer' require a home directory with ~/.ssh or can I just configure the sshd server with keys from a different directory? (The Developer user does not need to access any information in a home directory, just files in a folder called '/var/Tasks'?

Best Answer

First, there's no security benefit to only allowing users to connect with a username of "developer". If you want users to have shared access to the same group of files, put them in the same UNIX group and have /var/Tasks be owned by that group. Seperate usernames allow for auditing, better troubleshooting, etc.

As for your other questions:

  • Client usernames are not important. When connecting, users can specific which remote username they want to use: ssh username@example.com
  • You can populate authorized_keys with as many user keys as you have diskspace for, and you can do it before the server is deployed. Also, the same authorized_keys file is read regardless of which portnumber sshd is listening on.
  • Yes, the server's public key will be stored in known_hosts and first time connections will prompt the user to accept the remote key. This part is what makes SSH able to detect man-in-the-middle attacks, and if users just blindly accept any key, SSH becomes vulnerable to man-in-the-middle attacks. If you have sufficient access to the client machines, you can add the remote servers key fingerprint to each client's known_hosts. That's the only way you can avoid this prompt.
  • You can use the AuthorizedKeysFile keyword in sshd_config to specify where you want sshd to look for keys on the server. I put keys in /etc/ssh/keys/%u where %u is a file with the users name and I make sure the user only has read-access.
Related Topic