I’m setting up a new multi-user server, and I only want to enable
access via SSH keys, not passwords. This bit is relatively easy: you go
and modify /etc/ssh/sshd_config to have
PasswordAuthentication no (and PubkeyAuthentication yes).
sshd goes and reads the appropriate authorized_keys to
work out the public keys to accept (and some other bits of info
too). By default the file is located at
~/.ssh/authorized_keys. But, because I don’t want the
users to have to set this up themselves, and I don’t want them to
accidentally mess it up either, the default doesn’t work very
well. Thankfully, we can put something like AuthorizedKeysFile
/etc/ssh/%u_pub_keys into our sshd_config. Now,
sshd will look for
/etc/ssh/<username>_pub_keys rather than the
default. I considered one static file, but the authorized_keys file
format does not have a way of specifying that a particular key should
only authenticate for a specific user (although it does have some
other cool stuff).
The final slightly tricky point is that the authorized_keys file is
read with the user’s permission, not sshd’s
permission, so the file needs to be readable by the user. As we don’t
want the file being messed up by the user, we leave it owned by
root, but change the file’s group to be that of the
user. Then we can give the group read permission on the file. (In
theory, the file contents are not sensitive, so we could just make it
world-readable, but POLA
says we shouldn’t do that.) So the file permissions should look something like:
$ ls -la /etc/ssh/benno_pub_keys
-rw-r----- 1 root benno 607 Oct 16 00:21 /etc/ssh/benno_pub_keys
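As an added example (not part of the original post), here is a small shell audit for this layout: it checks that each <username>_pub_keys file is owned by root, carries the user's own group, is group-readable, and is neither writable by the group nor readable by everyone else. The function names are made up for illustration, stat -c assumes GNU coreutils, and flagging world-readable files is a choice that follows the POLA point above.

```shell
#!/bin/sh
# Added example: audit key files for AuthorizedKeysFile /etc/ssh/%u_pub_keys.
# Function names are illustrative; `stat -c` assumes GNU coreutils.

# Print the problems with one file's metadata; succeed only if there are none.
#   $1 octal mode (e.g. 640)  $2 owner  $3 group  $4 the user's own group
check_key_file_meta() {
    mode=$1 owner=$2 group=$3 want_group=$4
    problems=""
    # Owned by root, so the user cannot chmod or rewrite the file.
    [ "$owner" = root ] || problems="$problems owner-not-root"
    # The group must be the user's group, or sshd (reading as the user) is locked out.
    [ "$group" = "$want_group" ] || problems="$problems wrong-group"
    # No write bit for group or other.
    [ $(( 0$mode & 0022 )) -eq 0 ] || problems="$problems group-or-other-writable"
    # Not secret, but least authority says other users get no read access.
    [ $(( 0$mode & 0004 )) -eq 0 ] || problems="$problems world-readable"
    # Without group read, key authentication for this user fails.
    [ $(( 0$mode & 0040 )) -ne 0 ] || problems="$problems not-group-readable"
    echo "${problems# }"
    [ -z "$problems" ]
}

# Check every <username>_pub_keys file in a directory; non-zero if any fails.
audit_key_dir() {
    dir=$1 rc=0
    for f in "$dir"/*_pub_keys; do
        [ -e "$f" ] || continue                  # glob matched nothing
        user=$(basename "$f" _pub_keys)
        want=$(id -gn "$user" 2>/dev/null) || {
            echo "$f: no account named $user"; rc=1; continue
        }
        meta=$(stat -c '%a %U %G' "$f")          # e.g. "640 root benno"
        # $meta is left unquoted on purpose: it splits into mode, owner, group.
        if ! found=$(check_key_file_meta $meta "$want"); then
            echo "$f: $found"; rc=1
        fi
    done
    return "$rc"
}

# Run as: sh audit_keys.sh /etc/ssh
if [ "$#" -gt 0 ]; then audit_key_dir "$1"; fi
```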
It would be great to know if anyone has a better, simpler way of doing this! And since my blog now has comments, you can let me know without needing to open your email client! Progress!