[SOLVED] Using a public SSH key on more than one user
Hi, I've got a MythBuntu media server with my login on it and ssh keys set up, so I can log in from both of my laptops without having to enter a password. I now want to set up a user for my brother (user = dave) and I also want to be able to log in from my user to this login to test the security setup.
I copied over my public key file and concatenated it to the /home/dave/.ssh/authorized_keys2 file (I had all sorts of fun and games getting SSH set up initially, so I can't remember if that is ..._keys2 because of something I changed, but it's in the sshd_config as that, and in my home .ssh directory it's also ..._keys2) but I still get a password challenge when I try to ssh -p <fw port> dave@myserver. I then copied over my authorized_key2 file into /home/dave/.ssh but this also doesn't work.
Any ideas why this would be - there isn't any issue in copying the same public key over to multiple users within one computer, is there? If I set up a password for that user I can log in ok, so it doesn't seem to be a password expiry issue, as far as I can see. I've also grepped my /etc/ssh/sshd_config with my username and can't find any entries there, so I don't think it's anything in there.
Cheers MH
I copied over my public key file and concatenated it to the /home/dave/.ssh/authorized_keys2.....
You need to copy the public key on to the server and place it in the authorized keys file there. As you are already using this from your PC, there is no need to do this step. The private key needs to go into the .ssh folder of the user that will be logging into the server as id_rsa. From the description, it sounds like you may have the public and private keys backwards.
You mean the rsa_id.pub file, yes? That's the file I copied and concatenated to the auth..._keys2 file. AFAIK that's the original file I copied over on my user, and either way if I copy my auth..._keys2 file from my user's home .ssh on the server into the ~/dave/.ssh that should be ok, yes? Just to clarify, when I was talking about copying the auth..._keys2 file from one user's home to the other, I was referring to the files in the home directories on the server rather than copying the auth..._keys2 file from the client to the server.
As an example, if I have users foo and bar and I am set up to ssh-key login as user foo
ssh foo@servername
and then I
cp /home/foo/.ssh/authorized_keys2 /home/bar/.ssh/authorized_keys2
then I should be able to ssh-key login as bar, yes?
ssh bar@servername
and it will use my key for both users?
I think you have it backwards. When you create the key pair you get two files, id_rsa (private) and id_rsa.pub (public). Authorized keys, to which the public key gets copied / appended goes on the SERVER, not the users. The private key goes with the user. See this link for an example.
Using your example, you would:
Code:
cp /home/foo/.ssh/id_rsa /home/bar/.ssh/id_rsa
Now both users, foo and bar can log into the same server with the same key.
I think you would be better off to generate a unique keypair on your brother's machine and just append that public key to the authorized keys file on the server. The server's authorized key file should have both public keys listed in it, one per line. That way you will both be able to access the server.
Sorry, I don't think I explained myself clearly enough.
Users foo and bar are both on the server.
I have user foo on my own systems, and from there I want to be able to log onto the server, using the ssh-key, as both user foo and user bar, so I can check everything works ok for the bar user before I set my brother up on it. Once I was happy I was going to get him to send me his public ssh key and import it into user bar, retaining my own ability to log into the server as both foo and bar.
That changes things, regarding your answer, doesn't it?
Apologies that I wasn't clear enough in my original question.
Recently I've imported ssh keys from user backuppc on my backup server into my laptop's root user so I can remotely backup the system, so I know the users don't have to be the same on the local and remote servers, but I was wondering if there were any issues importing a single user's public key into multiple users on a target server.
Thanks - MH
Last edited by Mad-Halfling; 04-27-2012 at 10:28 AM.
You may need openssh-clients installed to do this, but I find the easiest way is 'ssh-copy-id name@[fqdn_or_ip]' works best. Just build out your key (ssh-keygen -t rsa) then use the previous command to copy to the profile you need.
I did try using ssh-copy-id but I'm away from home ATM and that doesn't seem to accept ports - I checked the man entry and it only seems to access the -i parameter, but I tried -p anyway, plus it doesn't seem to accept user@machine:port
--edit-- disabled smiles for the :p display
Last edited by Mad-Halfling; 04-27-2012 at 11:24 AM.
Now I'm home I tried the ssh-copy-id, but it didn't work - it's probably something I've done, what are the basic, user-level things I need to check that might stop a user logging on with ssh keys (but would still allow the password login)?
Check the permissions on ~/.ssh directory and ~/.ssh/authorized_keys. sshd is quite fiddly about permissions and you may need to "chmod go-wx" them and make sure they're owned by the user. Look at the man page for sshd, in the FILES section for more details.
Last edited by kfritz; 04-27-2012 at 03:27 PM.
Reason: Added "owned by user"
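As an added example (not code from the thread), the following shell script does the two things this thread keeps circling: it appends one public key to any number of users' authorized_keys files with the directory and file modes sshd expects, and it reports the ownership and group/world-writable problems that sshd's StrictModes rejects. The home-directory paths, the authorized_keys2 file name and the key line are assumptions constructed for a local demo; the key material is fake.

```shell
#!/bin/sh
# Added example, not from the thread: install one public key into several
# users' authorized_keys files and verify the ownership/mode rules that
# sshd's StrictModes enforces. All paths are local demo paths (assumptions).

# install_pubkey HOME PUBKEY_FILE [AUTHORIZED_KEYS_NAME]
# Creates ~/.ssh (0700) and the authorized keys file (0600) if needed and
# appends the key once. Re-running for another user with the same key is
# fine: one public key may appear in any number of authorized_keys files.
install_pubkey() {
    _home="$1"; _pub="$2"; _akname="${3:-authorized_keys}"
    _sshdir="$_home/.ssh"; _ak="$_sshdir/$_akname"
    mkdir -p "$_sshdir" && chmod 700 "$_sshdir"
    [ -f "$_ak" ] || : > "$_ak"
    chmod 600 "$_ak"
    # Match on key type + key material only, so the same key with a
    # different trailing comment is not appended a second time.
    _blob=$(awk 'NF >= 2 {print $1, $2; exit}' "$_pub")
    if ! awk 'NF >= 2 {print $1, $2}' "$_ak" | grep -qxF -- "$_blob"; then
        cat "$_pub" >> "$_ak"
    fi
}

# count_keys AUTHORIZED_KEYS_FILE -> number of key lines (blank/comment lines ignored)
count_keys() {
    grep -c -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1" || true
}

# check_ssh_perms HOME [AUTHORIZED_KEYS_NAME]
# Prints one line per problem sshd would reject (missing path, wrong owner,
# group- or world-writable). Returns 0 when everything is acceptable.
check_ssh_perms() {
    _home="$1"; _akname="${2:-authorized_keys}"
    _sshdir="$_home/.ssh"; _ak="$_sshdir/$_akname"
    _owner=$(ls -ld "$_home" | awk '{print $3}')
    _rc=0
    for _p in "$_home" "$_sshdir" "$_ak"; do
        if [ ! -e "$_p" ]; then
            echo "missing: $_p"; _rc=1; continue
        fi
        _fowner=$(ls -ld "$_p" | awk '{print $3}')
        # sshd accepts the user or root as owner of these paths
        if [ "$_fowner" != "$_owner" ] && [ "$_fowner" != "root" ]; then
            echo "wrong owner ($_fowner): $_p"; _rc=1
        fi
        # -perm -020 / -002: group-write or world-write bit set
        if [ -n "$(find "$_p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group/world writable ($(ls -ld "$_p" | awk '{print $1}')): $_p"; _rc=1
        fi
    done
    return $_rc
}

# Demo on a throwaway directory tree standing in for /home (constructed).
demo() {
    _tmp=$(mktemp -d)
    # A constructed, non-functional key line in authorized_keys format.
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForDemoOnly mh@laptop' > "$_tmp/mh.pub"
    for _u in foo dave; do
        mkdir -p "$_tmp/$_u"
        install_pubkey "$_tmp/$_u" "$_tmp/mh.pub" authorized_keys2
        echo "$_u: $(count_keys "$_tmp/$_u/.ssh/authorized_keys2") key(s)"
        check_ssh_perms "$_tmp/$_u" authorized_keys2 && echo "$_u: permissions ok"
    done
    chmod 775 "$_tmp/dave/.ssh"   # the classic mistake sshd refuses
    check_ssh_perms "$_tmp/dave" authorized_keys2 || echo "dave: sshd would refuse the key"
    rm -rf "$_tmp"
}
demo
```

Run it as the user who owns the home directory (or as root, since sshd accepts root-owned paths too); the home directory itself is checked as well, because a group-writable /home/dave is enough for sshd to ignore the key file inside it.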
I did have a look at those - as far as I can see they're the same (apart from, for his user) as my user's file permissions that work ok:-
drwx------ 2 dave dave 4096 Apr 27 18:47 /home/dave/.ssh
and
-rw------- 1 dave dave 395 Apr 27 18:46 authorized_keys2
-rw-r-xr-x 1 dave dave 789 Apr 27 14:45 authorized_keys2.old
-rw------- 1 dave dave 1679 Apr 27 14:14 id_rsa
-rw-r--r-- 1 dave dave 396 Apr 27 14:14 id_rsa.pub
Should these be ok - as I said if you change the user and group names, my .ssh directory and its contents for those files are the same.
The only thing that obviously sticks out is I have a known_hosts file in my .ssh directory, but I'm guessing that's outgoing ssh hosts, rather than incoming ones?
Last edited by Mad-Halfling; 04-30-2012 at 12:06 PM.
In Macintosh OS/X there is an ssh-add -K command to add a public-key to that system's ssh-agent keyring, along with passwords.
On the client (this and all remaining steps):
mkdir ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
cat keyfile_name >> ~/.ssh/authorized_keys (note use of two ">"s)
The strongest thing to do would be to, first on your account, perform the ssh-keygen step to generate your public key, encrypting that with a password. Then, have your brother do the same. (Both of you review the ssh-agent functionality on your systems.) Next, each of you supplies the public key (suffix .pub) for the procedure described above.
I think that it's a good idea to have separate keys, one for each user, and for each person to individually password-protect (encrypt) their own key without revealing it to anyone ... especially one's "bratty brother!"
The whole point of an ssh digital key is to create a unique and individually-manageable identity for one person. I would not "share a key" among more than one user.
We are generating our own keys and keeping them private - I just wanted to also set up my key on my brother's user so I could check his security was all ok and remote login to his user directly. I removed the existing .ssh directory and followed those steps but it still gives me the password challenge when I try to log in as my brother. Interestingly, in /var/log/auth.log I have this error that occurs when I try to get in:-
reverse mapping checking getaddrinfo for host86 [X.X.X.X] failed - POSSIBLE BREAK-IN ATTEMPT!
X.X.X.X is my ip (I did check to make sure it wasn't a legitimate hacking warning) so I'm guessing that's what's causing the problem. Any idea why it would object to my login on my brother's user, but I can still log into my user ok using the same key - or am I labouring under the misapprehension that I can install the same public key on two different users on the same system? I'm still waiting for my brother to send me his public key to see if his works ok.
Last edited by Mad-Halfling; 05-01-2012 at 04:59 PM.
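The auth.log line quoted above is worth separating from the actual reason a key gets refused, so here is an added example (not from the thread) that sorts sshd log lines into categories. The "reverse mapping" message is sshd noting that the reverse DNS of the client address does not resolve back to that address (it is logged when UseDNS is on); it is a warning, not an authentication decision, and it appears on successful logins too. The line that does explain a rejected key is "Authentication refused: bad ownership or modes for ...", which sshd logs at its default level when StrictModes rejects a directory or file. The sample log below is constructed; only the reverse-mapping text is taken from the thread, and the host name, PIDs, ports and timestamps are made up.

```shell
#!/bin/sh
# Added example, not from the thread: sort sshd lines from /var/log/auth.log
# into categories so the DNS warning is not mistaken for the cause of a
# refused key login. Sample lines in sample_log are constructed.

# classify_sshd_line LINE -> prints one category word
classify_sshd_line() {
    case "$1" in
        *"reverse mapping checking getaddrinfo"*)           echo dns-warning ;;
        *"Authentication refused: bad ownership or modes"*) echo refused-strictmodes ;;
        *"Accepted publickey for"*)                         echo accepted-publickey ;;
        *"Accepted password for"*)                          echo accepted-password ;;
        *"Failed password for"*)                            echo failed-password ;;
        *"Failed publickey for"*)                           echo failed-publickey ;;
        *)                                                  echo other ;;
    esac
}

# summarize_auth_log FILE -> "category count" per category, sorted by category
summarize_auth_log() {
    while IFS= read -r _line; do
        classify_sshd_line "$_line"
    done < "$1" | sort | uniq -c | awk '{print $2, $1}'
}

# key_refusal_reasons FILE -> only the lines that explain a rejected key login
key_refusal_reasons() {
    grep -e "Authentication refused" -e "Failed publickey" "$1" || true
}

# Constructed sample of what auth.log looks like when a key is refused for
# dave (StrictModes) while the same key works for foo. Note the DNS warning
# precedes both attempts, including the successful one.
sample_log() {
    cat <<'EOF'
Apr 30 18:50:01 myserver sshd[4121]: reverse mapping checking getaddrinfo for host86 [X.X.X.X] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 30 18:50:01 myserver sshd[4121]: Authentication refused: bad ownership or modes for directory /home/dave/.ssh
Apr 30 18:50:05 myserver sshd[4121]: Accepted password for dave from X.X.X.X port 51234 ssh2
Apr 30 18:52:10 myserver sshd[4130]: reverse mapping checking getaddrinfo for host86 [X.X.X.X] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 30 18:52:10 myserver sshd[4130]: Accepted publickey for foo from X.X.X.X port 51240 ssh2
EOF
}

# Demo: write the sample to a temp file and report on it.
demo() {
    _log=$(mktemp)
    sample_log > "$_log"
    echo "== summary =="
    summarize_auth_log "$_log"
    echo "== why the key was refused =="
    key_refusal_reasons "$_log"
    rm -f "$_log"
}
demo
```

Pointed at the real file (summarize_auth_log /var/log/auth.log), the summary shows at a glance whether a password login was "Accepted" after a key was silently skipped, and key_refusal_reasons prints the StrictModes line that names the offending path; setting LogLevel VERBOSE in sshd_config makes sshd additionally log which key file it searched and which key it matched.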
The ssh configuration file must be set up to allow rsa-based access and to prohibit password authentication.
Otherwise, ssh has the very annoying habit of starting with the strongest authentication method, then stair-stepping down to the least strong method, and accepting any one that works!
("Oh, my. It seems that you don't seem to know the combination to the impregnable steel door. Would you like to please come in through the open window, instead?")
I assume you mean the server's ssh configuration, yes? That public key I've imported to my brother's account works fine on my account on that same server, so as far as I can see the server is set up ok? As I said, is the ssh server objecting to that same public key being used on two different users on the same server? I've also, for the moment, left password authentication turned on as I need to log in from other systems, for the moment, but I'll turn it off at some point soon.
Last edited by Mad-Halfling; 05-01-2012 at 06:43 PM.