
I am trying to mass-create users that can log in via ssh private/public keys but which cannot log in with users (kind of like using newusers, but I want to make sure users will not be able to log in via ssh).

My approach: via script, I create users with useradd username, then I create the key via ssh-keygen and I put the public key as authorized_keys on the ssh server (assume that id_rsa, id_rsa.pub and authorized_keys are in the right places on both sides, permissions are correct and ownership as well).

Unfortunately, with useradd, accounts are created disabled. I can only log in if I set the password with passwd first. If I try to enable the account with passwd -u username, it complains about it being unsafe (rightly so). I saw people recommending to lock the user with passwd -l, but it still cannot log in even if the key is there. I could generate a random password, but I am looking to see if there is a better way (no, disallowing logins for all users is not an option).

Thanks in advance for your help.

1 Answer

I tried the following

# On machineA
useradd testuser
passwd -l testuser
# Created /home/testuser/.ssh                 drwx------ testuser testuser
# Created /home/testuser/.ssh/authorized_keys -rw------- testuser testuser

and

# On machineB
ssh -i /path/to/id_rsa -l testuser machineA

works. Also, testuser doesn't have any valid password set yet, so login with password is impossible.

  • Unfortunately I had tried that. I tried your steps again on 3 systems, different Linux flavors. If the password is set with passwd, it works; if not, I can't log in. I get around that by generating a random password, encrypting it and passing it to useradd.
    – Youn Elan
    Commented Apr 15, 2014 at 19:34
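
An added example, not part of the original question, answer or comment: a small audit that classifies the password field of shadow(5)-format lines, which is the state that useradd and passwd -l change. The function names and the sample lines are constructed for illustration, and the verdict rests on a stated assumption: portable OpenSSH on Linux applies its own locked-account check (field starting with "!") only when UsePAM is "no".

```shell
#!/bin/sh
# Added example: classify shadow(5) password fields for key-only accounts.

# pw_state FIELD -> empty | locked | no-password | hashed | other
pw_state() {
    case "$1" in
        '')    echo empty ;;        # login with no password: never wanted
        '!'*)  echo locked ;;       # left by useradd (! or !!) and passwd -l
        '*'*)  echo no-password ;;  # matches no hash, not flagged as locked
        '$'*)  echo hashed ;;       # a real crypt(3) hash is set
        *)     echo other ;;        # legacy hash or unrecognised content
    esac
}

# key_login STATE USEPAM -> rejected | passes
# Assumption: portable OpenSSH on Linux, where sshd itself refuses accounts
# whose field starts with "!" only when UsePAM is "no". "passes" means only
# that this one check does not apply, not that the account is safe.
key_login() {
    if [ "$1" = locked ] && [ "$2" = no ]; then
        echo rejected
    else
        echo passes
    fi
}

# audit FILE USEPAM -> one "user state verdict" line per account
audit() {
    while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue
        state=$(pw_state "$field")
        echo "$user $state $(key_login "$state" "$2")"
    done < "$1"
}

# Constructed sample in shadow(5) format (no real accounts or hashes).
sample_shadow() {
    cat <<'EOF'
alice:!:19000:0:99999:7:::
bob:!!:19000:0:99999:7:::
carol:*:19000:0:99999:7:::
dave:$6$constructed$notarealhash:19000:0:99999:7:::
EOF
}

if [ "${1:-}" = demo ]; then
    f=$(mktemp) && sample_shadow > "$f" && audit "$f" no; rm -f "$f"
fi
```

A field of "*", which usermod -p '*' USER writes, blocks password login without marking the account as locked. Run the script with the argument demo to see the verdicts for the constructed sample.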
