Sometimes multiple users share a home directory, or there are other reasons why a user's authorized_keys file won't pass OpenSSH's permission checks (the ones controlled by StrictModes). Those checks can be disabled with StrictModes no, but that is generally a bad idea: they exist precisely so that another user who can write to the file or its parent directories cannot add a key of their own.
In recent OpenSSH versions, using a different authorized_keys file for a single user is easy:
Match User username
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
In older versions, however, AuthorizedKeysFile is not supported under a Match block.
To get around that, at least on some versions, you can use AuthorizedKeysCommand instead, which is supported under a Match block (at least on an up-to-date RHEL5). It can also be used outside a Match block to enable it for all users; remember that Match blocks belong at the end of sshd_config, since every directive after a Match line is part of that block until the next Match. sshd only runs the command for user names that exist in the passwd database, passes the canonical user name as the only argument when the directive has no arguments of its own, and insists that the command be an absolute path to a file owned by root that is not writable by group or others. Upstream OpenSSH, which added this option in 6.2, also refuses to start if AuthorizedKeysCommand is set without AuthorizedKeysCommandUser, so there you additionally name a dedicated unprivileged user to run the command as.
Match User username
AuthorizedKeysCommand /etc/ssh/etc_ssh_authorized_keys
You can then create the following script to use as the command, and put each user's keys into /etc/ssh/authorized_keys/username:
#!/bin/sh
# $1 is the user name sshd passes when AuthorizedKeysCommand has no arguments
/bin/cat "/etc/ssh/authorized_keys/${1}"
To prepare the script and directory: (users can read each other's public keys in this setup, but for a small number of users that is a smaller risk than disabling the permission checks, which might let other users edit a user's authorized_keys file; the script itself must be root-owned and not group- or world-writable, or sshd will refuse to run it)
printf '%s\n' '#!/bin/sh' '/bin/cat "/etc/ssh/authorized_keys/${1}"' > /etc/ssh/etc_ssh_authorized_keys # printf rather than echo -e, which is not portable across /bin/sh implementations
chmod 755 /etc/ssh/etc_ssh_authorized_keys
mkdir -m 755 /etc/ssh/authorized_keys
chown -R root:root /etc/ssh/etc_ssh_authorized_keys /etc/ssh/authorized_keys
chmod 644 /etc/ssh/authorized_keys/* # run this again after adding key files; there is probably nothing there yet
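The one-line cat script above trusts sshd to hand it a sane user name and trusts the chmod/chown steps to have been done. As an added example (not the post's own script), here is a stricter variant of the same AuthorizedKeysCommand that fails closed when either assumption breaks: it rejects user names that look like paths, refuses key files that are symlinks, not owned by the expected owner, or group/world-writable, and exits non-zero so that sshd ignores whatever was printed. The KEYDIR and KEYOWNER environment overrides are this example's own knobs for testing; their defaults match the paths used in the post.

```shell
#!/bin/sh
# Added example, not the post's own script: a stricter AuthorizedKeysCommand
# that refuses odd user names and key files that are not owned and protected
# the way the post's chown/chmod steps leave them.
# KEYDIR and KEYOWNER are this example's own knobs (defaults match the post);
# sshd passes the canonical user name as $1 when the directive has no arguments.

KEYDIR="${KEYDIR:-/etc/ssh/authorized_keys}"
KEYOWNER="${KEYOWNER:-root}"

# emit_keys USER: print USER's keys from $KEYDIR and return 0, or print
# nothing and return 1. A non-zero exit makes sshd ignore any output anyway,
# so failing closed costs nothing.
emit_keys() {
    user="$1"
    # Defence in depth: sshd already hands us a name from the passwd database,
    # but refuse anything empty, dot-prefixed, containing a slash, or outside
    # the usual user-name character set.
    case "$user" in
        ''|.*|*/*|*[!a-zA-Z0-9._-]*) return 1 ;;
    esac
    f="$KEYDIR/$user"
    # Must be a regular file, and not a symlink someone planted elsewhere.
    [ -f "$f" ] || return 1
    [ -L "$f" ] && return 1
    # Same idea as StrictModes for the per-user file: wrong owner or
    # group/world-writable means refuse. If find itself errors (for example an
    # unknown KEYOWNER), treat that as a failure too rather than accepting.
    if [ -n "$(find "$f" \( ! -user "$KEYOWNER" -o -perm -020 -o -perm -002 \) 2>/dev/null || echo invalid)" ]; then
        return 1
    fi
    cat "$f"
}

# Invoked by sshd (or by hand for testing) with the user name as the first argument.
if [ $# -ge 1 ]; then
    emit_keys "$1" || exit 1
fi
```

Install it in place of the one-liner (same chown root:root and chmod 755) and try it by hand before relying on it, e.g. sh /etc/ssh/etc_ssh_authorized_keys username, which should print that user's keys and exit 0; sshd runs the command the same way and only trusts its output on a zero exit status.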