[BlueOnyx:13994] Re: key-based auth for ssh user?

Michael Stauber mstauber at blueonyx.it
Thu Nov 7 17:17:12 -05 2013


Hi Brian,

> I have a need to add key-based auth for one user.
> 
> I have edited /etc/ssh/sshd-config and enabled pubkey auth and the path for
> the keyfile.
> 
> if I create the user via useradd -m their directory gets created in /home
> but adding a key to the keyfile I specified does not allow access.

That's one way to do it, but it's neither necessary to edit the SSHd
config, nor should you create users manually with the "useradd" command.

If you manually add users with "useradd", then the users will not show
up in the GUI and they cannot be CMU-migrated either.

All you need to do for key based SSH authentication is this:

Create the user in question via the GUI. Enable shell access for the
user. Login by SSH as that user.

Now create an SSH key for that user by running this command as that user
from SSH:

ssh-keygen -t rsa

It'll ask a few questions. Simply press return on any question to accept
the defaults. This will create a 2048 bit private and public SSH key
(without password) for that user in ~username/.ssh/

Next create the file ~username/.ssh/authorized_keys and into that paste
the SSH public key that this user is using to SSH into the box.

If he's logging in from another Linux box, then that's his
~username/.ssh/id_rsa.pub on that other Linux box, provided the key was
also generated there with "ssh-keygen -t rsa" and standard parameters.

That public key will look roughly like this, although the part in the
middle is a lot longer:

ssh-rsa [Lots-of-weird-text] username@workstation.home

Save the changes.

Once that's done, this user can login by SSH using key based
authentication. If his SSH session sends the key that's stored in
~username/.ssh/authorized_keys, he will be allowed to log in.

If no key is sent (or the key doesn't match), he'll be asked for the
account password instead.

That's all there is to do.

-- 
With best regards

Michael Stauber
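
The authorized_keys step described in the message above, as an added example that is not part of the original post. It also sets the file modes that sshd's default "StrictModes yes" check expects, since sshd ignores authorized_keys when the file, ~/.ssh or the home directory is group- or world-writable. install_pubkey is a hypothetical helper name, and the script assumes it is run as the account's own user.

```shell
#!/bin/sh
# Added example, not from the original message.
# install_pubkey HOME_DIR PUBKEY_FILE   (hypothetical helper name)
install_pubkey() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Never install a private key that was pasted by mistake.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing: $pubkey_file contains a private key" >&2
        return 1
    fi

    # Expect one line of the form "<type> <base64 blob> [comment]".
    key_line=$(grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) AAAA[A-Za-z0-9+/]+=*( |$)' "$pubkey_file" | head -n 1)
    if [ -z "$key_line" ]; then
        echo "refusing: no public key line found in $pubkey_file" >&2
        return 1
    fi

    # Create directory and file with restrictive modes (subshell keeps umask local).
    (umask 077; mkdir -p "$ssh_dir" && touch "$auth_file") || return 1

    # Append only if this exact key line is not already present.
    if ! grep -qxF -- "$key_line" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file" || return 1
    fi

    # StrictModes: no group/world write on the home directory,
    # 700 on ~/.ssh and 600 on authorized_keys.
    chmod go-w "$home_dir" && chmod 700 "$ssh_dir" && chmod 600 "$auth_file"
}

# Stand-alone use: sh install_pubkey.sh ~username id_rsa.pub
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```

If the key is still not accepted after this, the sshd log on the server normally names the file or directory whose ownership or mode failed the check.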


