136

I'm trying to create an ssh key for another user. I'm logged in as root. Can I just edit the files generated by ssh-keygen and change root to the user I want?

3
  • 6
    If you generate the key for the user you also have to have a secure method of getting the private key and its passphrase to the user. Much better for the user to generate the key and then just email you the public key.
    – user9517
    Commented Oct 22, 2011 at 20:02
  • But isn't that difficult if you don't allow password logins? If I am key-only, and I set up a new user, they can't log in to set up their key.
    – LVLAaron
    Commented Aug 8, 2013 at 14:20
  • I don't have enough rep to make an answer, so I made a gist which is a small script to create a user, generate an SSH key, copy that public key to ~/.ssh/authorized_keys and then zip it to send to them. gist.github.com/robmsmt/b8300e7a0d711a7616e948a8232289a5
    – robmsmt
    Commented Oct 31, 2020 at 3:37

4 Answers

102

You could do that with ssh-keygen; however, remember that the private key is meant to be private to the user, so you should be very careful to keep it safe, as safe as the user's password. Or even safer, as the user is not likely to be required to change it upon first login.

ssh-keygen -f anything creates two files in the current directory. anything.pub is the public key, which you could append to the user's ~/.ssh/authorized_keys on any destination server.

The other file, just called anything, is the private key and therefore should be stored safely for the user. The default location would be ~username/.ssh/id_rsa (here named id_rsa, which is the default for RSA keys). Remember that the .ssh directory cannot be readable or writeable by anyone but the user, and the user's home directory cannot be writeable by anyone but the user. Likewise, permissions must be tight on the private key as well: read/write for only the user, and the .ssh directory and private key file must be owned by the user.

Technically you could store the key anywhere. With ssh -i path/to/privatekey you could specify that location, while connecting. Again, proper ownership and permissions are critical and ssh will not work if you don't have them right.

6
  • 6
    +1 for expressing that it is a private(!) key
    – mailq
    Commented Oct 22, 2011 at 19:49
  • 58
    You are assuming that the user is a real person. If the login is a non-interactive user utilized to perform utility tasks (e.g. running maintenance scripts on remote servers), then yes, you would probably generate the key for that user manually. Of course, that has its own security implications, but that's another story.
    – Rilindo
    Commented Oct 22, 2011 at 22:31
  • 2
    @Rilindo ssh -i to a private key for a non-privileged process is how I handle more than a few automated rsync backup processes. :) Commented Oct 23, 2011 at 9:56
  • 17
    I don't like that kind of answer that says "you shouldn't do that" but doesn't answer the question. While this may be correct and helpful for the context of the original question, other people may have the same question in a different situation. "ssh keys should never be generated for another user": that is true in the simple case. But consider multiple identities of the same physical person, for example. There may be multiple accounts on multiple systems, not all of them allowing you to generate keys or allowing you to protect private keys appropriately.
    – Gustave
    Commented Sep 9, 2015 at 8:17
  • users or user's
    – User
    Commented Nov 3, 2015 at 1:00
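The ownership and permission rules the answer lists, turned into a check script. This is an added example, not code from the answer or from OpenSSH; it parses `ls -ld` output so it behaves the same on GNU and BSD userland, and the home directory, user name and private-key path are passed in as arguments.

```shell
#!/bin/sh
# Added example, not part of the answer above: audit the ownership and mode
# bits that ssh/sshd require before a manually installed key will be used.
# Parses `ls -ld` output so it behaves the same on GNU and BSD userland.

mode_of()  { ls -ld "$1" 2>/dev/null | cut -c1-10; }        # e.g. drwx------
owner_of() { ls -ld "$1" 2>/dev/null | awk '{print $3}'; }  # third column is the owner

# check_ssh_layout HOME USER [PRIVATE_KEY]
# Returns 0 when: HOME is not writable by group or other, HOME/.ssh is 0700,
# the private key (default HOME/.ssh/id_rsa) is 0600, and all three are owned
# by USER. Prints one line per violation and returns 1 if any was found.
check_ssh_layout() {
    home=$1 user=$2 key=${3:-$1/.ssh/id_rsa} rc=0
    for p in "$home" "$home/.ssh" "$key"; do
        if [ ! -e "$p" ]; then
            echo "$p: missing"; rc=1; continue
        fi
        if [ "$(owner_of "$p")" != "$user" ]; then
            echo "$p: must be owned by $user"; rc=1
        fi
    done
    # Positions 6 and 9 of the mode string are the group and other write bits.
    case $(mode_of "$home") in
        ?????-??-?) ;;
        *) echo "$home: must not be writable by group or other"; rc=1 ;;
    esac
    case $(mode_of "$home/.ssh") in
        drwx------) ;;
        *) echo "$home/.ssh: must be mode 0700"; rc=1 ;;
    esac
    case $(mode_of "$key") in
        -rw-------) ;;
        *) echo "$key: must be mode 0600"; rc=1 ;;
    esac
    return $rc
}

# Usage as root after copying a key into place (joeuser is a placeholder):
#   check_ssh_layout /home/joeuser joeuser /home/joeuser/.ssh/id_rsa
```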
211

There's no user information in the SSH keys.

The last field in a public key is a comment (and can be changed with the command ssh-keygen -C newcomment).

There is no need to do anything special to make a key for another user; just put it in the right location and set permissions.

3
  • 14
    That's the correct answer.
    – sebnukem
    Commented May 31, 2016 at 18:57
  • 3
    I just tested and confirmed: not only is it just a comment, but it can be removed and keys still function. I always thought it mattered! Thanks for giving the correct answer. Like the comments above, I have a reason for creating keys for other users, but I won't say why, so there's no argument. Commented Sep 18, 2016 at 19:15
  • 3
    The username in the public key made me think that the username is encoded into the public key and that the public key would be invalid after changing the username. Thanks a lot.
    – Hobin C.
    Commented Nov 12, 2020 at 9:12
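An added example (not code from the answer or from OpenSSH) that shows what the comment field is and is not: the functions rewrite or drop the trailing comment of a public-key line, and decode the base64 blob to show that only the key type and the key bytes are inside it. It assumes the plain "type base64 [comment]" layout that ssh-keygen writes (no authorized_keys option prefixes), and the sample line is constructed dummy material with all-zero key bytes, not a usable key.

```shell
#!/bin/sh
# Added example, not part of the answer above. Constructed sample line: the
# blob is a syntactically valid ssh-ed25519 wire blob with 32 zero key bytes,
# i.e. dummy material, and the comment is the default user@host form.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root@kvm0001'

# Field accessors. The comment may contain spaces, hence -f3- for it; a line
# with no comment yields an empty string.
pubkey_type()    { printf '%s\n' "$1" | cut -d' ' -f1; }
pubkey_blob()    { printf '%s\n' "$1" | cut -d' ' -f2; }
pubkey_comment() { printf '%s\n' "$1" | cut -d' ' -f3-; }

# pubkey_set_comment LINE [NEWCOMMENT]
# Prints LINE with NEWCOMMENT as its comment, or with no comment at all when
# NEWCOMMENT is omitted or empty. The type and blob are copied unchanged.
pubkey_set_comment() {
    t=$(pubkey_type "$1") b=$(pubkey_blob "$1")
    if [ -n "${2-}" ]; then
        printf '%s %s %s\n' "$t" "$b" "$2"
    else
        printf '%s %s\n' "$t" "$b"
    fi
}

# pubkey_embedded_type BLOB
# Decodes the base64 blob and returns the first length-prefixed string in it,
# which is the key type. The key bytes follow directly: no user name and no
# comment are stored inside the blob, which is why the comment can change.
pubkey_embedded_type() {
    len=$(printf '%s' "$1" | base64 -d | od -An -tu1 -N4 |
          awk '{print ($1*256+$2)*65536 + $3*256 + $4}')
    printf '%s' "$1" | base64 -d | dd bs=1 skip=4 count="$len" 2>/dev/null
}

# Example run (joeuser is a placeholder): re-comment the sample line, then
# show the blob still names ssh-ed25519 internally.
pubkey_set_comment "$SAMPLE_KEY" "joeuser@kvm0001"
pubkey_embedded_type "$(pubkey_blob "$SAMPLE_KEY")"; echo
```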
24

Become the user by using su and run the key as that user:

[root@kvm0001 ~]# su - joeuser
[joeuser@kvm0001 ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/joeuser/.ssh/id_dsa):

(-t dsa here, or rsa1 or rsa, depending on your security requirements.)
6
  • Why specify the DSA?
    – Ram
    Commented Oct 23, 2011 at 2:18
  • Whoops, force of habit. Let me update.
    – Rilindo
    Commented Oct 23, 2011 at 2:51
  • 5
    You should be using rsa (or possibly one of the elliptic curve variants). dsa is limited to insecure key sizes. rsa1 is a legacy format for SSH1 which no one should be using anymore. Commented Dec 19, 2015 at 5:51
  • My joeuser is a service user, therefore I cannot log in as them. How do I allow a service user (that just runs processes) to have an SSH key?
    – Jonathan
    Commented Nov 30, 2017 at 4:09
  • @JonathanLeaders You would specify the shell for the user when becoming that user. Something like this:
    ```
    [root@ip-10-254-41-211 ~]# grep ftp /etc/passwd
    ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
    [root@ip-10-254-41-211 ~]# su - ftp
    su: warning: cannot change directory to /var/ftp: No such file or directory
    This account is currently not available.
    [root@ip-10-254-41-211 ~]# su -s /bin/bash ftp
    bash-4.2$ whoami
    ftp
    bash-4.2$
    ```
    – Rilindo
    Commented Dec 3, 2017 at 22:54
9

As seen here, you can use chmod to change the read permissions of the folder of the user you want to add the SSH key to.

vim /home/username/.ssh/authorized_keys

Then, simply paste the key on a new line at the bottom of that file.

1
  • 1
    Link is dead...
    – Nyxynyx
    Commented Nov 4, 2017 at 17:49